When it comes to the great holiday cyber heist of 2013, the bad news just keeps rolling in. Target (TGT) has expanded the number of payment cards potentially breached. The Neiman Marcus breach, which was initially thought to be relatively small, has climbed to well over 1 million breached cards, and was found to have started much earlier than first thought. Even arts and crafts store Michaels has gotten in on the game, apparently suffering a significant data breach as well.
Not good news.
When you dig a little deeper into the story and put it in proper context, a picture of a much more complicated and dangerous digital underworld comes to light. Taken as a whole, it leads to one sadly inescapable conclusion: every business is at risk, and failing to act is failure pure and simple.
Let’s start with the more recent news on the payment card cyberattacks. Several cybersecurity companies have pointed fingers at individuals in Russia as playing a key role in enabling the attack. One story has the malware being the creation of a 17 year old, while another alleges that a young man in his early 20s allegedly created a program that was mutated into the malware used for the attack.
Who is actually responsible is somewhat unimportant. More disturbing, in my mind, is the fact that the malware used was up for sale on the cyber black market and continues to be widely available. The figures on how much the malware cost (somewhere between $2,000 and $6,000, with a discount if a portion of the “proceeds” were shared with its creators) is equally disturbing.
In fact the FBI recently put out an alert on the situation, noting that there were at least 20 attacks directed at retailers in the past year that utilized malware similar to the Target attack. The FBI also expected more such crimes in the near, and warns that the attacks could also be difficult to defeat due to the fact that the criminals could remotely upgrade the malware to counter new security measures.
Criminals who offer a help desk: Not good.
A recent report from Cisco (CSCO) examines cybersecurity and attack trends for 2013, and offers some rather unpleasant findings. Cisco sampled 30 different networks of companies that are in the Fortune 500 list. It found that every single network examined was sending data to a website that hosts malware.
Let me repeat that. How many networks were breached and sending data to “bad” websites?
Every. Single. Company. Breached.
Notice a theme here? How about “It is painfully obvious that every company has a cybersecurity problem.”
The scale and scope of the cybersecurity challenge at this point is simply astounding. Cyberattacks hitting companies are no longer an “if” or even a “when” event, but rather a “when did it start” and a “how bad is it” problem.
This is not a reason, however, to get into the fetal position and ball up under the conference room table. Companies can protect themselves by being vigilant about threats and making sure to respond quickly when an attack is discovered.
The most important thing that has to happen is that companies and their executives have to accept this reality. Any business – much less its leadership – that thinks it is immune from cyberattacks is simply living in a fantasy world. If 30 major companies, all of which undoubtedly pour significant funds into cybersecurity programs, have all been breached, then every business has to assume they are under attack.
This sad new world is one we all have to confront and learn how to manage. Companies cannot rest on their laurels, assuming the latest technology purchase or recent exercise ensures their security. A good cybersecurity program will be flexible, ongoing, and dynamic. It will be a living, breathing, constantly adapting program because, after all, that’s what the criminals are doing.
Finally, to make this even simpler, there is a simple truth that every business and its respective leadership must prepare for: when the breach is discovered, somehow, some way, the lawyers are going to pound you. Every business is on “notice” of the cyber threat, and it now has to take action. Failing to do anything, much less anything approaching material increases in security, is going to result in some extremely painful litigation. Nobody wants that.
Reality has changed. Companies have to understand that cyber threats and losses are a fact of life, and must be addressed like any other systemic risk. Any company that tries to deal with this problem by sticking its head in the sand is just leaving the rest of its body exposed. My message here is straightforward: don’t be a sitting duck – get active and commit resources to managing the problem. It is a heck of a lot cheaper than just waiting for a knock on the door from the government telling you how bad your problem is.
Brian E. Finch (@brianefinch) is a partner at Pillsbury Winthrop Shaw Pittman LLP, where he focuses on cyber security issues. He can be reached at firstname.lastname@example.org.