We’ve seen a tsunami of data breaches crashing over numerous large corporations lately, from Sony’s PlayStation Network and Google to Epsilon and, most recently, Citibank and the International Monetary Fund. It seems cybercriminals have been mighty active these last few months.
What such activity may indicate is anyone’s guess, and there are plenty of industry folks trying to predict who might be next in the path of this still-raging wave of online criminal activity, or what types of information could be compromised next.
My thought: Pretty much everyone is a potential victim.
That’s obvious, right? Most institutions have proprietary information or customer data that is certainly desirable to cybercriminals. Still, there are companies and government agencies that seem to be targeted more than most.
Those leading the pack of most desirable prey include financial services companies like Citibank, customer data-driven organizations such as Epsilon, government contractors like Lockheed Martin, and three-letter federal agencies that hold lots of juicy classified documentation for which the risk of getting caught is worth taking. Even longstanding security organizations, such as EMC’s RSA division, have become likely quarry for hackers, given that their solutions underpin the security programs of countless critical infrastructure companies (e.g., Lockheed and leading banks). In fact, that these well-heeled IT security companies had, until now, seen so few large, publicized breaches is really a bit surprising.
So, in reviewing today’s cybercrime landscape, no organization – government or private, big or small – is immune.
That’s what makes the fact that Sony had no CISO in place before becoming the whipping boy for cybercriminal groups such a shock. Maybe I’m naïve, but I simply would have thought that a publicly traded, multinational conglomerate with total assets in the billions already would have had an information security lead. Instead, Sony was prompted to hire a CISO only after losing the data of millions of customers, not to mention loads of bad press about its seemingly bungled reaction to multiple breaches.
And while most pros would agree with Executive Deputy President Kazuo Hirai’s comment that “no system is 100 percent safe,” Sony’s various networks being victimized by hackers in quick succession underscores just how lax its corporate security practices have been. Hirai acknowledged as a “realization” that his company, the world’s fifth largest media conglomerate, must undertake “constant monitoring and constant vigilance.” From my perspective, though, arriving at that realization only after multiple breaches, and counting, is unacceptable.
As the company strives to rebuild both the integrity of its various systems and its reputation, other organizations are taking notice. According to Intel CISO Malcolm Harkins, who was recently quoted in a BankInfoSecurity.com news item, the many breaches that have prompted Sony to take steady steps to restore its company name and IT infrastructure are reminders to information security leaders in other sectors that they, too, are potential targets for cybercrime groups. All the risks they face, therefore, must be managed diligently. And, as part of these deeply considered and well-planned mitigation efforts, both CISOs and their executive leaders must accept that their infrastructures will eventually be compromised, and plan accordingly.
Confronting that long-standing reality, of course, starts with having a knowledgeable, tireless and resolute CISO on your payroll in the first place.