By MATTHEW BRODSKY, senior editor/Web editor of Risk & Insurance®
The news on IT risk management is a steady drumbeat that conjures only dread and pessimism, like the rattle of the snare before the firing squad takes aim. The headlines from the new Global Fraud Report 2010/11 from risk management consulting company Kroll are no different.
The biggest news item is that for the first time ever, the theft of information and electronic data--some of the most precious goods an enterprise might have--became the No. 1 most common type of fraud. About 27.3 percent of respondents in the Kroll survey reported an occurrence of information theft in the 2010 survey, barely eclipsing physical asset theft (27.2 percent). Information theft was up substantially from 2009, though, when 18 percent of respondents reported an instance of information theft.
Perhaps the reason for this jump is that online data theft seems so easy. Today's "crimeware" (malware designed to steal money or information) can be bought and downloaded online as readily and easily as one can buy a new anti-virus program and download an mp3, according to Ray Dickenson, chief technology officer at the Palm Beach Gardens, Fla.-based data loss-prevention solutions provider SafeCentral Inc.
"What it means is to be an online fraudster, really, all you need now is the will," he said.
Dickenson pointed to another recent study--the Data Breach Investigations Report conducted by Verizon Business and the Secret Service--in which it was reported that 85 percent of cyberattacks were not considered "highly difficult."
So we're not even talking about the really good criminals yet, the organized gangs that the Verizon study said accounted for 98 percent of all data stolen.
But please, before you click away from this story, thinking that the cyberwar is hopeless, let's dig a little deeper into the Kroll report and other research.
Sure, Richard Plansky, managing director and head of Kroll's New York office, said, "Can you defend against everything to a 100 percent certainty? Probably not." But he added that there are rather simple steps organizations can take to mitigate the risk.
Plansky's keys are: understanding where your sensitive data are and who has access to them; recording access to that data and limiting it to only people who really need access; and putting a plan in place so the right employees know what to do should a breach occur.
None of which is onerously expensive, Plansky said, and together they are "going to get you a long way."
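Plansky's three steps (know where sensitive data are and who can reach them, log and restrict access, and give the response team something to act on) map directly onto a small access-control layer. The code below is an added illustration, not from the article or from Kroll's or Verizon's reports; the data-set names, locations, users and roles are constructed for the example, and the in-memory registry and audit list stand in for whatever inventory and logging system an organization actually uses.

```python
"""Least-privilege data access with an audit trail (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass
class DataSet:
    name: str
    location: str            # step 1: where the sensitive data actually live
    owner: str               # who is accountable for the data set
    allowed_roles: Set[str]  # step 2: only roles that genuinely need access


@dataclass
class AccessEvent:
    timestamp: str
    user: str
    role: str
    dataset: str
    action: str
    allowed: bool


class DataAccessRegistry:
    """Inventory of sensitive data sets plus an append-only access log."""

    def __init__(self) -> None:
        self._datasets: Dict[str, DataSet] = {}
        self._roles: Dict[str, str] = {}       # user -> role
        self._audit: List[AccessEvent] = []    # every attempt, allowed or not

    def register(self, ds: DataSet) -> None:
        self._datasets[ds.name] = ds

    def assign_role(self, user: str, role: str) -> None:
        self._roles[user] = role

    def inventory(self) -> List[dict]:
        # Step 1: the "where is it and who may touch it" list Plansky describes.
        return [
            {"name": d.name, "location": d.location, "owner": d.owner,
             "allowed_roles": sorted(d.allowed_roles)}
            for d in self._datasets.values()
        ]

    def access(self, user: str, dataset: str, action: str = "read") -> bool:
        # Step 2: deny by default, allow only listed roles, and record the attempt.
        role = self._roles.get(user, "none")
        ds = self._datasets.get(dataset)
        allowed = ds is not None and role in ds.allowed_roles
        self._audit.append(AccessEvent(
            datetime.now(timezone.utc).isoformat(), user, role, dataset, action, allowed))
        return allowed

    def audit_log(self) -> List[AccessEvent]:
        return list(self._audit)

    def repeat_denials(self, threshold: int = 3) -> Dict[str, int]:
        # Step 3: a simple signal for the response plan; repeated denials by one
        # account are worth a look by whoever owns the breach procedure.
        counts: Dict[str, int] = {}
        for e in self._audit:
            if not e.allowed:
                counts[e.user] = counts.get(e.user, 0) + 1
        return {u: n for u, n in counts.items() if n >= threshold}


def demo() -> dict:
    """Run the registry against constructed users and return the outcomes."""
    reg = DataAccessRegistry()
    reg.register(DataSet("customer_pii", "db01:/crm/customers", "crm-owner",
                         {"crm_analyst", "privacy_officer"}))
    reg.register(DataSet("payroll", "hr-share:/payroll", "hr-owner", {"hr_admin"}))
    reg.assign_role("alice", "crm_analyst")
    reg.assign_role("bob", "hr_admin")
    reg.assign_role("carol", "contractor")   # no listed need for either data set
    outcomes = {
        "alice_customer_pii": reg.access("alice", "customer_pii"),
        "alice_payroll": reg.access("alice", "payroll"),
        "bob_payroll": reg.access("bob", "payroll"),
        "carol_customer_pii": reg.access("carol", "customer_pii"),
        "unknown_user": reg.access("dave", "payroll"),
    }
    for _ in range(3):                       # carol keeps trying
        reg.access("carol", "payroll")
    outcomes["audit_entries"] = len(reg.audit_log())
    outcomes["repeat_denials"] = reg.repeat_denials()
    outcomes["inventory_size"] = len(reg.inventory())
    return outcomes


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the example is that none of the three steps needs anything exotic: an inventory, a deny-by-default check, and a log that is written on every attempt (not just successes) are enough to answer "who touched what, and should they have?" when the response plan is invoked.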
The Verizon report backs this up. About 96 percent of breaches in Verizon's records were avoidable through simple or intermediate controls.
"In keeping with this finding, we assessed that most breaches could have been avoided without difficult or expensive controls," the authors of the Verizon report wrote. "Yes, hindsight is 20/20 but the lesson holds true; the criminals are not hopelessly ahead in this game."
Can we then take the next logical step and say that businesses are not that far behind? Let's not go that far. In particular, businesses in certain sectors are perhaps slower in addressing this risk than others.
The Kroll report breaks down fraud risk by sector, and the "Technology, Media & Telecomms" sector fared the worst: scoring high for exposure and low for response. Keep in mind that the Kroll report looks at all types of fraud, but this sector in particular faces cyberfraud, perhaps more than others. Obviously, data is the lifeblood for these types of companies, and technology allows critical information to be more easily available for the organization and customers. The downside? Technology makes critical information more easily available for the bad guys too, said Plansky.
Many companies have been quicker to see the upside of technology than the downside, he said, which explains why fewer than half of the respondents in this sector reported increased spending on IT security.
"The bottom line is, as a user, if you're not aware and willing to take extra steps, then no technology in the world can help you," Dickenson said.
October 26, 2010
Copyright © 2010 LRP Publications