<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Defense &#187; data theft</title>
	<atom:link href="http://www.cybersecurityinformation.com/tag/data-theft/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cybersecurityinformation.com</link>
	<description>Cyber Security and Risk Management Blog</description>
	<lastBuildDate>Mon, 14 Nov 2011 02:28:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
		<item>
		<title>Rising Threat from Cyber Attacks</title>
		<link>http://www.cybersecurityinformation.com/2010/02/20/rising-threat-from-cyber-attacks/</link>
		<comments>http://www.cybersecurityinformation.com/2010/02/20/rising-threat-from-cyber-attacks/#comments</comments>
		<pubDate>Sat, 20 Feb 2010 21:04:32 +0000</pubDate>
		<dc:creator>Martin Walker</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[electronic compromise]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[Security Breach]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=792</guid>
		<description><![CDATA[The threat from cyber attacks is on the rise.  On Friday, the Wall Street Journal reported that 2,411 companies had been the victims of a hacking operation that was part of an 18-month global attack that exposed vast amounts of personal and corporate secrets and intellectual property to theft. The attacks, which originated in Europe [...]]]></description>
			<content:encoded><![CDATA[<p>The threat from cyber attacks is on the rise.  On Friday, the Wall Street Journal reported that 2,411 companies had been the victims of a hacking operation that was part of an 18-month global attack that exposed vast amounts of personal and corporate secrets and intellectual property to theft.</p>
<p>The attacks, which originated in Europe and China, targeted major corporations and government agencies including pharmaceutical giants Merck &amp; Co. and Cardinal Health.  The operation has affected some 75,000 computers in 196 countries.</p>
<p>Now is the time to examine your company’s business practices to make sure that your critical data and intellectual property are safe from complex electronic and socially initiated thefts.  Lapses in appropriate security measures can expose your company to major financial losses, both from theft and from civil lawsuits filed on behalf of clients or customers affected by the breach.</p>
<p>To protect your company and your shareholders from such losses or litigation, your company’s security practices must be up to date and in compliance with state and federal regulations.  Your IT security practices should also be part of your overall corporate governance, led by your general counsel so that this information is protected by attorney client privilege.</p>
<p>Information Defense Corporation and Interfor Inc., a leading global due diligence and investigations firm, are partnered to offer our clients unique and <a href="http://www.cybersecurityinformation.com/2009/04/07/information-defense-corporation-and-interfor-inc-partner-to-enhance-cyber-investigations-and-preventative-solutions/">comprehensive security solutions</a>.  From physical security, asset recovery and crisis management to risk based and technical assessments of electronic assets and controls, the team is positioned to work with your company’s legal and combined security personnel to keep your assets, personnel, intellectual property and trade secrets safe or to help restore the integrity of your operations with incident response and forensics and other measures following a security breach.</p>
<p>For more information on the services offered by our team effort please use our contact pages here:  <a href="http://www.cybersecurityinformation.com/contact-us/">Contact Us</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2010/02/20/rising-threat-from-cyber-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Your Employees Know About Your Business</title>
		<link>http://www.cybersecurityinformation.com/2009/07/30/what-your-employees-know-about-your-business/</link>
		<comments>http://www.cybersecurityinformation.com/2009/07/30/what-your-employees-know-about-your-business/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 23:58:44 +0000</pubDate>
		<dc:creator>Martin Walker</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[Credit Card Data]]></category>
		<category><![CDATA[cyber risk]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[perimeter security]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=422</guid>
		<description><![CDATA[What your employees know about your business might keep you up at night if you really thought about it.  In some cases the employee may have greater targeted knowledge or access to data than the owners, principals, executive team, or directors. What your employees know about your business may be of strategic value and provide [...]]]></description>
			<content:encoded><![CDATA[<p>What your employees know about your business might keep you up at night if you really thought about it.  In some cases the employee may have greater targeted knowledge or access to data than the owners, principals, executive team, or directors.</p>
<p>What your employees know about your business may be of strategic value and provide that competitive edge.  It may be the special sauce that took the company years to develop and it may walk out the door prior to any exit interview or tender of resignation.</p>
<p>Recent surveys, media reports, prosecutions, and our investigations show an alarming number of ex-employees stealing company data, including when changing jobs.   Compromised data may include customer lists, contact information, know how, and other forms of intellectual property.  The majority do so in order to benefit in some financial arrangement or assist with a new job.   A recent theft of a proprietary trading platform at a major Wall Street financial institution is under investigation.   The platform enabled the firm to generate millions of trading profits each year.</p>
<p>There is a growing pervasive sense of entitlement to works for hire.  Access to computers and technology without appropriate controls makes such theft inviting and simple for those inclined.  How these thefts occur and remain undetected for extended periods of time has much more to do with the lax protective measures in place within the organization than the skills of the perpetrator.</p>
<p>In our investigative experience we have seen far too many cases where there is employee theft, limited binding agreements, no procedural or technical controls or measures, and far too much blind faith and trust extended to those who are not trustworthy.</p>
<p>Forgive me if my experiences make me appear cynical but I have seen thieves rob charities, business owner’s life’s work compromised by overzealous employees, and organizations hobbled and made vulnerable by employees gone bad.</p>
<p>Too often the lack of detective measures, extended periods before suspicion and investigation, further compounded by the lack of protocol in disengaging employees compromises critical evidence.   Lacking substantive evidence, it is increasingly complex and costly for the organization to pursue justice in what may have been otherwise a clearly defined case.</p>
<p>Organizations must take comprehensive controls and measures seriously to avoid a potentially devastating event precipitated by an individual to whom the organization has extended its trust.   This starts with the appropriate legal, technical, and procedural controls from engagement through discharge, employer beware.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/07/30/what-your-employees-know-about-your-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Government Reports Computer Spies Breach Fighter Jet Project</title>
		<link>http://www.cybersecurityinformation.com/2009/04/21/government-reports-computer-spies-breach-fighter-jet-project/</link>
		<comments>http://www.cybersecurityinformation.com/2009/04/21/government-reports-computer-spies-breach-fighter-jet-project/#comments</comments>
		<pubDate>Wed, 22 Apr 2009 04:33:16 +0000</pubDate>
		<dc:creator>Martin Walker</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[electronic compromise]]></category>
		<category><![CDATA[espionage]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=170</guid>
		<description><![CDATA[According to the Wall Street Journal&#8217;s  Siobhan Gorman, August Cole, and Yochi Dreazen,  computer spies have broken into the Pentagon&#8217;s $300 billion Joint Strike Fighter project.   This is the  Defense Department&#8217;s costliest weapons program ever, how can this be?  Tell me it&#8217;s not true. Was 9/11 not enough of a wake up call?  The events [...]]]></description>
			<content:encoded><![CDATA[<p>According to the Wall Street Journal&#8217;s  Siobhan Gorman, August Cole, and Yochi Dreazen,  computer spies have broken into the Pentagon&#8217;s $300 billion Joint Strike Fighter project.   This is the  Defense Department&#8217;s costliest weapons program ever, how can this be?  Tell me it&#8217;s not true.</p>
<p>Was 9/11 not enough of a wake up call?  The events of that day cast doubt on the US government&#8217;s ability to protect its people.   Now we must question can the government protect our military secrets which enable our patriots to defend this country.    The worst part of all of this is that the cyber spies have apparently been stealing secrets for well over a year&#8217;s time undetected.</p>
<p>Information Defense sees this type of activity all of the time within corporate entities that have been compromised and need our help.    The organizations are certain they have the greatest tools in place and they are covered.  They find out after the fact they were not, this is perhaps somehow forgivable.</p>
<p>The Pentagon however must do a better job, these are supposed to be the best and brightest that protect these secrets.  I now truly realize how naive  I am.  There is no room for being asleep at the wheel or incompetence when it comes to national security.  We must do better and address responsibility and accountability.</p>
<p>To say that since data was encrypted they could not determine what was accessed is ridiculous.   The reason no one can say what was accessed or when is due to a lack of oversight and controls.  This is not an overly complex methodology I am talking about.  It&#8217;s more common sense than techno sense.  How is it that critical information flying out the back door is not important enough to be detected?   To say that differing security standards within the contracted vendors that work on these projects is how the compromise occurred is not an excuse I am willing to accept.   Who allowed those differing standards to exist without verifying their viability in protecting sensitive US secrets?</p>
<p>Our Legislators are ready to have a cyber czar tell US corporations what they must do to protect their information assets or face the consequences.   Who must we hold accountable for the lack of performance in these breaches?</p>
<p>I am certain we will soon hear the next brilliant idea, from the next want-to-be-in-the-limelight politician.  Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/04/21/government-reports-computer-spies-breach-fighter-jet-project/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cybersecurity Rules for Private Networks Proposed</title>
		<link>http://www.cybersecurityinformation.com/2009/04/04/cybersecurity-rules-for-private-networks-proposed/</link>
		<comments>http://www.cybersecurityinformation.com/2009/04/04/cybersecurity-rules-for-private-networks-proposed/#comments</comments>
		<pubDate>Sun, 05 Apr 2009 00:10:31 +0000</pubDate>
		<dc:creator>Martin Walker</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[cyber risk]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[electronic compromise]]></category>
		<category><![CDATA[espionage]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=25</guid>
		<description><![CDATA[According to the Washington Post and reporters Joby Warrick and Walter Pincus “Senate Legislation Would Federalize Cybersecurity, April 1, 2009” there is a new Senate Bill which proposes mandatory security standards for private industry.  The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted [...]]]></description>
			<content:encoded><![CDATA[<p>According to the Washington Post and reporters Joby Warrick and Walter Pincus <a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684.html" target="_blank">“Senate Legislation Would Federalize Cybersecurity, April 1, 2009”</a> there is a new Senate Bill which proposes mandatory security standards for private industry.  The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with White House input.</p>
<p>It is my opinion that this is nothing more than window dressing and a platform for more big government and politicians to be politicians. Government networks are compromised on an ongoing basis and now we need the government to tell private industry how to protect themselves?  I find that interesting at best.</p>
<p>The bill proposes for a cyber czar to set compliance standards and monitor performance.  Let’s get real, compliance and security are two different things.  How many PCI compliant or HIPAA compliant organizations have been compromised and lost consumer credit card info, social security numbers and other sensitive information?  The answer is far too many!   It does not matter that you were compliant when you have lost a million or more credit card numbers, social security numbers, or company specific proprietary data.</p>
<p>Unless there is a change in corporate culture and a genuine and informed approach to protecting critical data, theft of information, compromise of infrastructure and other malicious activity will continue.  Yes I agree wholeheartedly cybersecurity is a major issue but it’s not all about technology.  When the CEO looks to his Chief Information Security Officer and says we’re covered, right?  And meanwhile HR is hiring criminals or employees find themselves in financial trouble and theft of company data is viewed as a solution, the answer is not a chance!</p>
<p>While the sponsors of the bill talk about power being knocked out or traffic lights not working due to malicious activity, that is trivial to what could really happen.  The largest potential threat is data poisoning. I can assure you that a monetary system compromise poses a significantly greater risk than compromise of utilities. Compromise or poisoning of monetary transactions could certainly have global impacts especially if we consider most compromises are not detected when they occur but rather months later.</p>
<p>If our power is compromised we know it soon after because THE LIGHTS ARE OUT. Compromised financial transactions are not as readily detectable and could take months before being recognized.  The SEC has enough problems identifying white collar criminals and bogus transactions.  What if there were deliberate acts of data poisoning within the world’s monetary systems, how long might that take to identify and how would the issues be reconciled?</p>
<p>Having now said all this you tell me where the real threat is?  Establishing more compliance regulations only creates more misunderstanding.  Information security starts with culture and you cannot regulate that.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/04/04/cybersecurity-rules-for-private-networks-proposed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is Your Critical Business Information Safe?</title>
		<link>http://www.cybersecurityinformation.com/2009/03/11/is-your-critical-business-information-safe/</link>
		<comments>http://www.cybersecurityinformation.com/2009/03/11/is-your-critical-business-information-safe/#comments</comments>
		<pubDate>Thu, 12 Mar 2009 00:03:51 +0000</pubDate>
		<dc:creator>Martin Walker</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[electronic compromise]]></category>
		<category><![CDATA[espionage]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=18</guid>
		<description><![CDATA[Recent news indicates that two large payment processors have become the victims of electronic compromise. According to RBS WorldPay in a press release the company states “Certain personal information of approximately 1.5 million cardholders and other individuals may have been affected and, of this group, Social Security numbers of 1.1 million people may have been [...]]]></description>
			<content:encoded><![CDATA[<p>Recent news indicates that two large payment processors have become the victims of electronic compromise.</p>
<p>According to RBS WorldPay in a press release the company states “Certain personal information of approximately 1.5 million cardholders and other individuals may have been affected and, of this group, Social Security numbers of 1.1 million people may have been accessed”.</p>
<p>Heartland in a statement to the public indicated that it contacted more than 150,000 merchant locations with information on the breach. Further statements by Heartland’s CEO indicate “A piece of malicious software planted on the company’s payment processing network recorded payment card data as it was being sent for processing to Heartland”. He further stated it does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised.</p>
<p>Certainly the consequences for both organizations will be severe between the costs of clean up, legal challenges, and brand impact. According to reports by the Boston Globe the cost of TJX data breach involving 45M credit cards was $256 million. Final costs in the TJX breach are estimated to top $500 million and possibly approach $1 billion according to Forrester Research analyst Khalid Kark. What organization can reasonably withstand such losses? What are the costs when proprietary data that corporations invest billions into creating is compromised? Most compromises never make the news as few are required by law to be reported.</p>
<p>The FBI lists its number 1 priority as “Protect the US from terrorist attack”, its 2nd priority as “Protect the US against foreign intelligence operations and espionage”; and its 3rd priority as “Protect the US against cyber-based attacks and high-technology crimes”. How is it that these issues are not top concerns of our business leaders which head corporations that produce sensitive information and systems or manage sensitive information and infrastructures? Such entities are subject to attempts of data poisoning from terrorists, targeted by foreign intelligence for intellectual property, and/or organized crime groups for financial gain.</p>
<p>Corporate CEOs and business leaders need to wake up and face the reality of cyber crime, its sophisticated perpetrators, and its potential business consequences and national security impact. Most leaders that I speak to are in denial, believing that the issue is somehow technology related and covered by their unfortunate Chief Information Security Officer, or other technology professional.</p>
<p>Clearly this is a business issue which is the responsibility of the executive team and its directors. Many of the necessary protections exist outside of the technology group’s purview and technology solutions implemented to monitor breaches are largely ineffective.</p>
<p>I know from experience in having investigated a variety of data breaches that most organizations which suffer compromise remain unaware until such time as Federal authorities notify the organizations of their demise. Many times what led to the compromise had little to do with technology and much more to do with people and process or the lack thereof.</p>
<p>So what can be done? First business leaders must engage and see the problem for what it is. The criminal mind and crime have been around since the beginning of time, only the avenues of exploitation and targets change. Executives must be vigilant which begins with considering the value of assets, threats which exist, and direct the appropriate measures to mitigate the risks, and monitor activity.</p>
<p>There is significant ROI on establishing comprehensive security; just ask those who have paid the ultimate cost having suffered theft of intellectual property or a mass scale compromise. That is if they are still in business.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/03/11/is-your-critical-business-information-safe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Loose Lips Sink Ships…and Maybe Companies Too</title>
		<link>http://www.cybersecurityinformation.com/2008/12/08/loose-lips-sink-ships%e2%80%a6and-maybe-companies-too/</link>
		<comments>http://www.cybersecurityinformation.com/2008/12/08/loose-lips-sink-ships%e2%80%a6and-maybe-companies-too/#comments</comments>
		<pubDate>Tue, 09 Dec 2008 00:00:12 +0000</pubDate>
		<dc:creator>Martin Walker</dc:creator>
				<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[electronic compromise]]></category>
		<category><![CDATA[espionage]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=15</guid>
		<description><![CDATA[I’m sure we all remember growing up being told by parents, teachers, and others to be careful of what we say and who we say it to.   World War II GIs were taught “Loose Lips Sink Ships”.  These sage words ring true today.  Business environments are highly competitive, rich in proprietary data, and intricately dependent [...]]]></description>
			<content:encoded><![CDATA[<p>I’m sure we all remember growing up being told by parents, teachers, and others to be careful of what we say and who we say it to.   World War II GIs were taught “Loose Lips Sink Ships”.  These sage words ring true today.  Business environments are highly competitive, rich in proprietary data, and intricately dependent on the actions of its employees and business partners.</p>
<p>While the use of Information Technology has enabled organizations to increase information sharing and collaboration, streamline operations, reduce time to market, and grow profit margins it has come at a cost, RISK; most specifically risk to proprietary information, a cornerstone of any business.</p>
<p>Connectivity to the internet and email in general have been catalysts in a variety of high profile information exploits including mass credit card theft, private and personal data loss, and many other information compromises.   Most exploits are carried out by well organized crime groups and government sponsored espionage focused on extracting and exploiting information for profit, political and technological advantage.</p>
<p>I have personally participated in investigating a variety of information compromises that have cost corporations millions to clean up, not including the value of the lost intellectual property and forward potential revenue.  These events are rarely reported unless required by law and most fall outside of such mandates.  Equally disturbing most are never prosecuted.</p>
<p>A new wave of social networking tools now presents increased risk to proprietary and competitive business information.  While we all have heard of personal social networking sites like <a href="http://www.facebook.com/" target="_blank">Facebook</a> and <a href="http://www.myspace.com/" target="_blank">MySpace</a> where people tell their life stories unedited (the good, bad, and very ugly), or have visited blogs hosted by <a href="http://www.blogger.com/" target="_blank">Blogger</a> or <a href="http://www.technorati.com/" target="_blank">Technorati</a> where the latest buzz is debated, similar forums are being utilized for “business discussions”.  Now I am fine with the “my dog is better than your dog” confrontations when it comes to social matters but this is strictly off limits when it comes to the heart of what my company is doing that provides specific business advantage be it product, process, or know how.</p>
<p>In order to address missteps on the part of its employees and partners, companies must establish acceptable use policies for the organization to limit the boundaries and forums in which company privileged data may be discussed.   Sites such as Yammer promote the posting and discussion of company proprietary data on their servers, governed within the confines of a company discussion group limited by email address and for company member eyes only.</p>
<p>While the integrity of such information is claimed to be secure is this the manner in which corporations should handle their proprietary data?  I think not but maybe I’m just old school.</p>
<p>If I produce it, I want my organization to drive the bus in order to prevent, monitor, and identify when protections break down and direct what we need to do to recover, something we call preventative, detective and corrective controls.</p>
<p>Corporate counsel and executive management must set limits on the use of such sites or may find that protections extended by law of their most critical asset, proprietary information, are lost or eroded and perhaps their products or trade secrets in the hands of the competition.   Well intentioned employees and IT staff need to be guided by policy, procedures, security awareness and ongoing audit measures.  Remember “Loose Lips Sink Ships” and maybe companies too.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2008/12/08/loose-lips-sink-ships%e2%80%a6and-maybe-companies-too/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

