Wednesday, May 1, 2013

A Computer Att-Hack Is a Very Real and Not-So-Rare Crisis

Denial gets in the way of crisis communications planning. Organization leaders like to pretend they will never experience a crisis; not as long as they are in charge. They will never have a fire, workplace violence, a fatality, someone cooking the books, a natural disaster, or an employee whistleblower.

And no one would ever get through all our defenses and hack into our computer system.

Verizon has published a 2013 Data Breach Investigations Report. ( "Am I a target of espionage? Some may already know the answer to this question by firsthand experience. Many others assume they aren’t or haven’t thought much about it. Despite the growing number of disclosures and sometimes alarmist news coverage, many still see espionage as a problem relevant only to the Googles of the world. Unfortunately, this is simply not true."

 Verizon's report stresses that all organizations regardless of size are equally vulnerable to an electronic attack, based on 2012 data. The business you are in, however, does make a difference. The top 10 industries to be hacked last year are:
  1. Retail
  2. Manufacturing
  3. Information
  4. Food Services
  5. Professional
  6. Finance
  7. Transportation
  8. Public
  9. Other Services
  10. Utilities


of breaches affected financial organizations (+)

Victims in this report span restaurants, retailers, media companies, banks, utilities, engineering firms, multi-national corporations, security providers, defense contractors, government agencies, and more across the globe. A definite relationship exists between industry and attack motive, which is most likely a byproduct of the data targeted (e.g., stealing payment cards from retailers and intellectual property [IP] from manufacturers).

 • A plus (+) sign indicates either a 10% or greater increase from the previous year’s report

• A minus (-) sign indicates either a 10% or greater decrease from the previous year’s report


of breaches occurred in retail environments and restaurants (-)



of network intrusions involved manufacturing, transportation, and utilities (+)


of network intrusions hit information and professional services firms (+) 

of breaches impacted larger organizations (+)


different countries are represented

How Do Breaches Occur?

used some form of hacking (-)
The one-two combo of hacking and malware struck less often this round, but definitely isn’t down for the count.
Filtering out the large number of physical ATM skimming incidents shows exploitation of weak and stolen credentials still standing in the ring.

The proportion of breaches incorporating social tactics like phishing was four times higher in 2012.
Credit the rise of this challenger to its widespread use in targeted espionage campaigns.
Correlated with the 14% of breaches tied to insiders, privilege misuse weighs in at 13%.
Insider actions ranged from simple card skimming to far more complicated plots to smuggle corporate IP to competitors.

of network intrusions exploited weak or stolen credentials (-)


incorporated malware (-)


involved physical attacks (+)


leveraged social tactics (+)


resulted from privilege misuse and abuse

"All of the above takes forever and a day to discover, and that discovery is rarely made by the victim."

What can we do about it?
  • Eliminate unnecessary data; keep tabs on what’s left.
  • Ensure essential controls are met; regularly check that they remain so.
  • Collect, analyze and share incident data to create a rich data source that can drive security program effectiveness.
  • Collect, analyze, and share tactical threat intelligence, especially Indicators of Compromise (IOCs), that can greatly aid defense and detection.
  • Without deemphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology.
  • Regularly measure things like "number of compromised systems" and "mean time to detection" in networks. Use them to drive security practices.
  • Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a "one-size fits all" approach to security.
  • If you’re a target of espionage, don’t underestimate the tenacity of your adversary. Nor should you underestimate the intelligence and tools at your disposal.
I'll add one to Verizon's list. Have a crisis communications plan that includes a section about computer hacking. Who are your primary audiences? What are your initial messages, and have they been approved ahead of time by Legal? Which members of the crisis team need called in? When do you first make public disclosure? And there are more questions you need to answer in advance.

When data in your system has been compromised, it's too late to write a crisis communications plan. Get started. If you're not sure how, it isn't too late to sign up for the Institute for Crisis Management's two-day Certification Course. The next one is May 14-15. See for more information.

No comments: