Published by Al Saikali

Last August, I wrote about a survey by Corporate Board Member and FTI Consulting, Inc., showing that data security was the top legal risk for corporate directors and general counsel.

That same survey was taken again in 2013, and the results were released last week in a report entitled “Law in the Boardroom.” The gist of the report is that “the newest area of major concern continues a trend noted in last year’s study:  data security and IT risk is one of the most significant issues for both directors and general counsel.”

Here are some other significant findings in the survey:

  • More than one-quarter of director and general counsel respondents earmarked cyber risk as an area that will require their attention in 2013.
  • The average annualized cost of cybercrime jumped 6% to $8.9 million in 2012.
  • Interestingly, general counsel do not seem to think directors will be spending as much time on this topic as the legal department itself will.
  • Only one-third of general counsel felt “very confident” in their company’s ability to respond, and less than one-quarter of directors agree.   Only 51% of GCs are at least somewhat confident in their company’s ability to handle a breach.

In short, a company’s preparation for and response to cyber threats remain top concerns for general counsel and directors alike.  Fortunately, more companies are taking proactive measures, like mapping or inventorying data to apply the most stringent security safeguards to the most sensitive information.  Other proactive measures companies should consider include reviewing and revising information security policies, evaluating how to more effectively incorporate privacy and security concerns into the corporate culture, and refreshing employees on the risks and best practices in collecting, storing, using, and disposing of sensitive consumer and proprietary information.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

One of the leading annual studies analyzing the causes of data breaches was released earlier today.  The 2013 Verizon Data Breach Investigations Report analyzes what is causing data breaches, how the breaches are occurring, who are the hackers and the victims, and what trends can be gleaned from this information.  The report has become a “must read” for those in the data security industry and is often cited in board meetings, presentations, and by the media (the NY Times has already published a story about it). Those who do not have time to review the report may want to check out the Executive Summary.

The report studied 621 confirmed data breaches and more than 47,000 security incidents from all over the world.  Here is a summary of the most important findings:

  • Who is perpetrating the breaches?  A large majority (92%) of breaches are perpetrated by outsiders, and one out of every five are attributed to state-affiliated actors (95% of the state-affiliated espionage attacks relied on phishing in some way).  When breaches are perpetrated by insiders, more than 50% are a result of former employees taking advantage of their old accounts or backdoors that weren’t disabled, and more than 70% are committed within 30 days of resignation.
  • Who are the victims of breaches?  Larger organizations are increasingly becoming victims of breaches., and they are not isolated to any particular industry.  Manufacturing (33%), transportation (15%), professional (24%), and a variety of other industries (28%) are the targets of espionage attacks.
  • What assets are perpetrators targeting?  The most vulnerable assets are ATMs (30%), desktop computers (25%), file servers (22%), and laptops (22%).
  • How are breaches happening?  With respect to cyber breaches, they usually (76%) occur as a result of exploited weak or stolen credentials
  • Why are breaches happening?  The attackers are primarily seeking financial gain (75%), they are opportunistic (75%), and they prefer intrusions that are low in difficulty (78%).
  • How and when are breaches being discovered?  69% of breaches are discovered by an external party (9% are discovered by customers).  Perhaps more scary is the fact that 66% of breaches take months or years to discover, which is longer than it has taken to discover breaches in previous years.

The report provides some recommendations for what organizations can do to minimize some of the risks, some of which are commonly accepted best practices.  I noticed the emphasis in these recommendations on detection more so than prevention.  The report is driven by the (realistic) assumption that organizations are already operating in a compromised environment.  While organizations should continue trying to prevent breaches from occurring in the first place, they cannot entirely eliminate them.  Therefore, organizations should focus more of their efforts and resources on the detection of intrusions and protection of assets.

Here is a list of recommended practices from the report:

  • Eliminate unnecessary data; keep tabs on what’s left
  • Ensure essential controls are met; regularly check that they remain so
  • Collect, analyze, and share incident data to create a rich data source that can drive security program effectiveness
  • Collect, analyze, and share tactical threat intelligence, especially indicators of compromise, that can greatly aid defense and detection
  • Without deemphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology
  • Regularly measure things like “number of compromised systems” and “mean time to detection” in networks.  Use them to drive security practices
  • Evaluate the threat landscape to prioritize a treatment strategy.  Don’t bury into a one-size-fits-all approach to security
  • If you’re a target of espionage, don’t underestimate the tenacity of your adversary.  Nor should you underestimate the intelligence and tools at your disposal.

These statistics, findings, and recommended practices should be considered by any organization that collects, uses, stores, and disposes sensitive information.  The threats to that information are real, they affect companies in all industries, and they are difficult to prevent.  Companies should evaluate and be prepared to respond to these increasing risks by adopting proactive administrative, technical, and physical security safeguards.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Cyber attacks and cyber espionage have been the focus of media attention (again) lately. In addition to the news of Apple, Facebook, the New York Times, the Wall Street Journal, and Twitter all suffering cyber attacks,  two important documents were released this past week.  The first, a report by the data forensic investigation firm, Mandiant, is an in-depth analysis of the threats that Advanced Persistent Threats (APTs) pose to major U.S. companies.  The report received a significant amount of media attention, including this very good New York Times article.  The second document released this week was a report by the Obama administration outlining its strategy in response to the APT threats and the individuals/governments who engage in theft of U.S. trade secrets and cyber espionage.

Mandiant’s Report on Chinese Cyber Attacks

On February 18th, Mandiant issued a report in which it accused the Chinese military of years of cyber attacks (APTs) against over 140 companies, a majority of them American.  The report’s conclusions were based on hundreds of investigations Mandiant conducted, which convinced Mandiant that the groups engaging in these security breaches are based primarily in China and are known by the Chinese government.

Mandiant tracks dozens of APT groups around the world.  APT1 is the most prolific of these groups in terms of quantity of information stolen and has engaged in a cyber espionage campaign against an array of victims since 2006.  APT1 is able to wage such a sustained and extensive cyber espionage campaign because it receives direct government support, Mandiant found.

Here are some other conclusions from Mandiant’s report:

  • APT1 is believed to be a part of the Chinese People’s Liberation Army identified as Unit 61398, which is staffed by hundreds or thousands of people.  The personnel in this unit are trained in computer security and computer network operations.  APT1’s activity has been traced to four large networks in Shanghai.
  • APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations in 20 major industries, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.
  • APT1 maintained access to victims’ networks for an average of 356 days, with the longest time period being four years and ten months.
  • APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.  APT1’s targets are industries that China has identified as strategic to their growth.
  • APT1 maintains an extensive infrastructure of computer systems around the world, with 937 command and control servers hosted on 849 distinct IP addresses in 13 countries.  The majority of these IP addresses are registered to Chinese organizations.
  • Mandiant has released more than 3,000 indicators (domain names, IP addresses, and MD5 hashes of malware) to help victims and potential victims bolster their defenses against APT1 operations.  These defenses can be downloaded here.

Why did Mandiant expose APT1?  Even though exposing APT1 would likely interfere with Mandiant’s ability to secretly collect intelligence on that particular group, Mandiant claims that it exposed APT1 in an effort to arm and prepare security professionals to combat the threat effectively and provide information that would lead to increased understanding and coordinated action in countering APT network breaches generally.  Mandiant “expect[s] reprisals from China as well as an onslaught of criticism” as a result of the report.

The Obama Administration’s Report On Trade Secret Theft

On February 20th, the U.S. Attorney General released a report entitled “Administration Strategy on Mitigating the Theft of U.S. Trade Secrets”, which outlines the Obama Administration’s strategy to promote improved coordination within the U.S. government to protect U.S. trade secrets. The report sets forth the following five-pronged strategy:

  1. Focus diplomatic efforts to protect trade secrets overseas – the Obama administration promises to continue applying sustained and coordinated diplomatic pressure on foreign countries to discourage trade secret theft.
  2. Promote voluntary best practices by private industry to protect trade secrets – examples of areas where private industries could consider voluntary best practices include research and development compartmentalization, information security policies, physical security policies, and human resources policies.
  3. Enhance domestic law enforcement operations – the Department of Justice and FBI will prioritize investigations and prosecutions of corporate and state sponsored trade secret theft.  Law enforcement and intelligence will share information regarding the number and identity of foreign governments involved in trade secret misappropriation, the industrial sectors and types of information and technology targeted by such espionage, the methods used to conduct such espionage, and the dissemination, use, and associated impact of information lost in trade secret misappropriation.
  4. Improve domestic legislation – increasing the criminal penalties for those who engage in economic espionage and other trade secret crimes.
  5. Public awareness and stakeholder outreach – encouraging all stakeholders, including the general public, to be aware of the detrimental effects of misappropriation on trade secret owners and the U.S. economy.  To this end, the administration will conduct educational and outreach efforts through the internet, forums for the private sector, and public outreach by the FBI.

I highly recommend that in house counsel who are concerned about cyber espionage read the report in full.  It is filled with interesting vignettes of how major U.S. based companies have been the victims of cyber espionage, and it includes links to some very valuable resources including this one, which was one of the first major reports to outline the extent of cyber espionage affecting major companies in the U.S.  These resources can help your company learn more about the threats of cyber espionage and ways to minimize those risks.

The Takeaways

So what are the takeaways?  First, cyber espionage is an increasing threat to major U.S. companies, particularly those in the technology, science, pharmaceutical, and defense industries.  Second, a growing body of evidence shows us that the APT groups primarily responsible for cyber espionage are originating in China and may be supported directly by the Chinese government.  Perhaps most importantly, however, there are steps that companies can and must take proactively to limit the risks associated with APTs, including the adoption of administrative safeguards (policies, procedures, and employee training that limit the likelihood that APTs, particularly those that target social behavior, will penetrate a company’s network) and technical safeguards (like the resources provided by Mandiant in its report, the establishment of firewalls, and the installation of spam filtering, monitoring and anti-malware software).

Given the findings of the Mandiant report and the Obama administration’s steps towards fighting cyber espionage, businesses cannot close their eyes to this threat and hope it will go away or won’t happen to them.  They must begin defending themselves now.

UPDATE:  Demonstrating the timeliness of this subject, the NY Times just went to press with this important article about the political implications of this issue.

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

A recent survey of corporate general counsel and directors by Corporate Board Member and FTI Consulting, Inc., provides some eye-opening findings about the importance of data security to U.S. companies and the ability of those companies to respond to a data breach.

On the one hand, the survey of approximately 13,400 corporate directors and general counsel found that data security was the top legal risk concern for both groups.  48% of corporate directors and 55% of general counsel identified data security as their top concern.  This level of concern about data security has doubled in the last four years.  In 2008, only 25% of directors and 23% of general counsel noted data security as an area of high concern.  The survey explains, “there is arguably no more insidious threat to a public company than that of cyber risk; it’s invisible, ever-changing, and pervasive—making it very difficult for boards to manage.  On top of that, it’s costly.”

Despite the increasingly high level of concern about data security, however, there is significant reason to believe that companies are not prepared to respond to a data breach.  For example, one-third of general counsel respondents stated that their boards are not effective at managing cyber risk.  Similarly, only 42% of directors said their company has a formal, written crisis management plan to manage a cyber breach or attack should one occur (27% said their company had no plan and 31% did not know whether their company even had a plan).  Yet 77% of directors and general counsel believe their company is prepared to detect a cyber attack.

In other words, a disconnect exists between the significance corporate entities are placing on data security and their lack of preparedness to respond to the risks associated with data security.  T.K. Kerstetter, President of Corporate Board Member believes that the disconnect between the lack of written plans and the perception of preparedness is cause for concern, and certainly an area to monitor in the years ahead.  Mr. Kerstetter stated (and I could not agree more) that “it is going to take several well-publicized security breaches before a supermajority of corporate boards finally embrace the fact that doing business today without a prudent crisis plan in place is a formula for disaster.”

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.