
Why you're not investing enough in IT security

Rodney Byfield | Jan. 16, 2017
Companies choose to invest in the certainty of operational or sales-driven initiatives over the relatively unknown realm of information security.

They trust what they know and what they can see. Unfortunately, this lack of attention and investment in digital security has a direct correlation to the drastic increase in cyber hacks and data breaches.

To put it in layman's terms, CEOs and boards have spent a lot of time and money enticing customers in the front door and making sure the front end of the business works efficiently, all the while leaving the back door wide open for criminals to come in and take what they want.

This was the exact situation Target found itself in back in 2013, when a data breach exposed payment information for 40 million customers. The business decided to have ‘ad-hoc operational cyber security services under a strict contract budget’ only.

During the breach, the attackers uploaded malware disguised as existing data centre products. Although the malware detection software caught each of the uploads and escalated warning alerts, no one within the Target business was tasked with reacting to the notifications.

It took Target 16 days to respond and eradicate the malware attack, by which time the hackers had gained access to 40 million credit cards and personal information for a further 70 million customers.

There are a couple of things of particular interest in this case. Firstly, the breach came through a third-party supplier with an external network connection: a small heating and air conditioning company that worked with Target. The malware was delivered to that supplier via email.

Secondly, Target had outsourced the vast majority of its security as a managed service to third parties. These companies warned Target of the attack but the lines of authority and responsibility were blurred, confusing Target’s ability to respond.

Forgive the pun, but Target made itself an ‘easy target’. Its decision to save at the front end on digital security resulted in over 90 lawsuits and a legal spend of US$61 million to date. Not exactly a smart saving.

Target is by no means alone. In 2015, the Qatar National Bank suffered a data breach that exposed customer passwords, PINs, financial transactions and personal information for more than 100,000 customers. An investigation revealed that the attackers accessed the system through an SQL injection flaw in the bank's website. Sony suffered a number of similar attacks through its web portal, compromising tens of thousands of account holders' personal details.

In all of these examples, the problem arose because the company outsourced the responsibility for, and control of, its information security to third-party providers.

Now, by no means am I saying that outsourcing is evil. When used wisely and within fit-for-purpose activities, outsourcing can save companies a great deal of money and give access to skills and advice that cannot always be supplied internally.
