Is cyber security a right? Are hackers lurking around every corner waiting to steal everything we hold dear? These issues were highlighted in a recent speech by David Goldstone at SecureWorld Expo.
Mr. Goldstone has vast expertise in the cybercrime world - from the prosecutor's side. His keynote speech provided an important perspective and some interesting insights on the world of cyber hacking crime and breaches, what government is doing about them, and what responsibilities businesses have in complying with the continuing legislation that is being enacted.
The first and most important point is that the law has changed. The enterprise is responsible for securing its database of customer and financial data. If there is a breach, it is the one that has to report the issue, even if it has not uncovered the source. This is called the Security Breach Notification Law. Most states have had these laws for a while now. In his talk, Mr. Goldstone provided many examples of firms that were not compliant with breach notification finding themselves in a big pickle - not just with the law, but with civil suits, class action suits, etc. It seems that if you promptly report a breach, prosecutors tend to be much easier on the firms that have issues. So although firms have reputational concerns and often don't want to announce these events, the consequences of not reporting breaches can be great.
So what are the biggest risks? Are they social misfit hackers sitting alone in dark rooms? It turns out, not so.
A recent case with ringleader Albert Gonzalez, who pleaded guilty to a string of high-profile hacks (Wired has published articles on these), revealed that he and his hacking ring were responsible for most of the high-profile headline grabbers, including Heartland, TJX, Hannaford Brothers and more. So, as Goldstone pointed out, though these were big events, the same group was responsible, not thousands of mini rings all over the world.
The real risk is employees
Most serious losses and cases of fraud are inside jobs. Dealing with disgruntled employees is an HR issue. So is dealing with careless employees, like the employee who used her boyfriend's computer: once he became the 'ex', he took the opportunity to retaliate by hacking her company. So how employees are educated on information sharing and security is critical. Moreover, management must be educated to be on the alert for employees who suddenly diverge from their routines (for example, if they have been passed over for raises, expect to be part of a lay-off or demotion, or have other personal issues). Besides policy and education, there is fraud detection software that can be used.
The government's big hacker attackers, says Goldstone, seem to be spies, terrorists and 14-year-old boys who are looking for a thrill. This reminds me of the 1983 movie, War Games with Matthew Broderick.
Listening to Mr. Goldstone, I felt marginally more comfortable, as a business owner and online shopper, that there wasn't a hacker lurking around every corner waiting to invade my company.
However, he went on to discuss the legal requirements of companies going forward. The March 2010 law was enacted for any company doing business in Massachusetts (see the 201 CMR 17.00 Standards report), and it applies to small businesses, too. When Mr. Goldstone asked us whether we were all complying with the new legislation, few hands were raised. This is a common issue; compliance is not a sexy topic in corporate America.
You can get Goodwin Procter's Privacy and Data Security Newsletter here.