Is the sky falling, or did it already hit the ground two years ago and we are only now discovering the debris?
Many an Internet security article overlooks the lag in statistics about cybercrime. One article published by IEEE Spectrum in September 2008 cited a Verizon study of incidents occurring between 2004 and 2007. It landed on my desk in March 2009.
Without a doubt, the statistics were startling. The financial services industry accounted for only 14 percent of data breaches while 20 percent occurred in the food and beverage industry. But that was at least two years ago, and our cybercrime problem is very different now.
In the fast-moving world of cybercrime, banking executives need to know what they’re facing today, what their customers are experiencing, and how their risk management teams are combating the danger. Stale statistics will actually misdirect efforts, preventing real solutions from landing where they’re needed.
The following resources will help us all know about current exploits and what’s being done about them:
The Internet Storm Center: Hosted by the SANS (SysAdmin, Audit, Network, Security) Institute, this site publishes current threats and solutions. The site also holds the largest collection of research documents about various aspects of information security in the world. It’s all free at “http://www.sans.org”.
Brian Krebs’ Security Fix Blog: Check out Brian’s top-notch blog at “http://voices.washingtonpost.com/securityfix/”. This is where the Heartland Payments story broke, and the site continues its up-to-the-minute reporting of cybercrime and fixes with stories about unpatched flaws in Microsoft’s Excel, Adobe’s struggles to secure Acrobat files, and even a security hole in Twitter, the latest social network darling.
Internet Service Provider Reports: Every Internet service provider should offer regular reports of threatening emails and web traffic. These reports will show how many exploits landed on the institution’s doorstep, how many got through the door, and what happened to them after that. The reports could also show which computers were patched, and what tests were conducted to prove the system can withstand attack.
If only the public consulted these current resources for information about Internet security issues! Unfortunately, stale statistics and inflated headlines continue to rule the news.
For example, we recently read in CNET News that Internet-related crimes had soared 33 percent last year. This was based on an Internet Crime Complaint Center report which said its website had received 275,284 complaints last year, up from 206,884 the year before.
While the details of complaint referrals and costs to consumers are impressive (72,940 referrals, $264.6 million in losses, and a median dollar loss nearing $931 per complaint), the fact remains that this relatively small sample can’t describe the overall state of Internet-related crime.
The public will most likely ignore the subtleties of sample size and survey dates among the sensation-driven discussions of Internet security. The result is a distorted view of Internet security that has begun to justify public avoidance of the online channel, according to current research.
Just suppose the general public knew that financial institutions already reduce their cyber risks by maintaining firewalls, turning off unneeded services, patching their systems, keeping their antivirus software current, educating their computer users, and enforcing good security policies. Even the very recent Conficker threat couldn’t penetrate that.
Knowing the current situation not only keeps the discussion honest; it focuses our attention on the threats that really matter. That will make the Internet safer for our customers as well as our financial institutions.





