Information security professionals say greedy e-thugs are lashing out with increasing force and speed. No longer satisfied with bragging rights, many now lead highly organized, low-overhead outfits that meticulously research, develop and then unleash attacks into cyberspace.
"It's all about getting access to critical data, personal information and ultimately trying to make money off of what's going on," says Allen Scalise, president of Great Lakes Networks LLC in Rochester and of the Information Systems Security Association's local chapter.
Keeping information safe nowadays goes well beyond building firewalls, says Julie Buehler, deputy chief information officer at the University of Rochester.
Written policies and procedures, awareness and responsible usage campaigns, peer consultation, collaborations with government, physical security for information and violation enforcement figure into UR's defense strategies.
Bausch & Lomb Inc. also takes a multilayered approach to information security. The global eye-care company now is streamlining its management system for security patches and recently updated its incident reporting and response procedures, says David Jollow, director of IT security and IT compliance. Expanded use of encryption for sensitive information also has gone into effect recently.
Given cyber crime's pervasiveness, organizations should not act like lone warriors when defending themselves, UR's Buehler says.
Nor should they deny the risks. Cracks in data security have the potential to cripple daily operations, trigger costly damage-control plans and tarnish an organization's reputation among customers, partners and investors.
Even small firms with a modest online presence are not immune to digital threats, given that computers on their networks may fall victim and become "zombies" surreptitiously controlled by hackers.
"Assuming a business is too small (to be vulnerable) isn't good at all," Scalise says.
Firms of all sizes need to consider the cost of not being able to invoice or ship products, he adds.
According to the FBI, cyber crime accounted for $67.2 billion in losses for U.S. organizations in 2005. The bureau no longer tracks the economic impact of such crimes, but experts assume it amounts to hundreds of millions or even billions of dollars a year.
The Computer Security Institute, a national industry group, found in a survey last year that the average e-crime loss per incident among 522 responding U.S. organizations was $288,618.
The resources poured into keeping information safe show no sign of waning. International market researcher Global Industry Analysts Inc. estimates that direct information technology security expenditures will reach $79 billion worldwide in 2010.
Yet many challenges remain in the war against cyber crime. According to the U.S. Government Accountability Office, some organizations do not report being victimized by e-crime because of concerns about reputation, litigation and publicity. Even when they learn of the crimes, law enforcement agencies struggle to retain highly skilled cyber forensic investigators, who often prefer to work in the private sector.
Battling cyber crime is made harder by the borderless environment in which the attacks occur. Multiple jurisdictions' laws and legal procedures quickly bog down investigations.
Bolder cyber perpetrators also present challenges for defenders. Facebook and Twitter went down temporarily this month, interrupting service to 45 million Twitter users alone, in an assault linked to the tensions between Russia and Georgia.
"The hackers are really thinking about, 'Where can I get the biggest bang for my buck if I want to go after and get the (biggest) number of names or e-mail addresses or credit card information or birthdates or things like that?'" Scalise says.
To make computing more secure, some researchers propose scrapping the current Internet altogether. To that end, Stanford University has launched the Clean Slate Design for the Internet project, charged with creating a blueprint for a new Internet that depends on transparency and trust.
UR's data security measures are bolstered by advice and information from government agencies, security companies and vendors. It also is involved in Educause, a national non-profit organization that promotes the intelligent use of information technology. Through its security special-interest group, officials in higher education share tips and information.
UR also promotes data-security best practices, Buehler says. Students, for example, are routinely urged to download files legally, log off communal computers, backup data and safeguard personal information.
"The thing about security is that we need every participant in the university community to be aware of the threat," Bueh-ler says.
UR also has an IT acceptable-use policy that spells out violation punishments. In an effort to deter wrongdoers, UR has recently become more open about the actions taken against violators, Buehler says.
The recession likely has fanned cyber crime's flames, Great Lakes Networks' Scalise says, since disgruntled or anxiety-ridden staffers may be more apt to destroy or copy data. Honest mistakes and bona-fide equipment failure also can comprise information access and security, making a multilayered defense a necessity.
Information- and knowledge-based environments such as universities must strike a balance between usability and control, Buehler says. Data security should not quash the sharing of new ideas.
Weighing information security's cost versus the benefits often depends on the threat level, Buehler contends.
"And it's not as neat as a financial equation," she says. "I wish it was."
Bausch & Lomb's Jollow says projecting losses from cyber assaults is possible only to a point, since the circumstances of such incidents vary.
Given that many cyber attacks take advantage of known vulnerabilities, organizations must have the latest security patches and virus protections, Jollow adds. Other data security "golden rules" include allowing only authorized staffers to have access to sensitive information, ensuring that information is physically secure and using passwords that are not shared or easily guessed.
Frequent testing of security controls can help in the war against cyber crime, Jollow says. With a multilayered approach to security, one control may fail but the next will work.
Data security professionals will not be hanging up their weapons anytime soon, Jollow says.
"As long as there's the potential to make money off of information, security programs will be important to companies," he says.
Sheila Livadas is a Rochester-area freelance writer.
08/28/09 (C) Rochester Business Journal. To obtain permission to reprint this article, call 585-546-8303.