Sophisticated cyber criminals have followed businesses into the online world; they now can steal everything from intellectual property to credit cards en masse. And that's just the start! Add social security numbers, addresses, and other personally identifying information to the list and you can essentially reconstruct and hijack entire identities. What's worse is that cybercriminals benefit from anonymity: They can compromise entire databases of sensitive information and leave only a masked IP address behind as a trail—and that trail often ends in a foreign country where both jurisdiction and law enforcement are limited.
Regulators Focus On Large Enterprises
As cyber criminals successfully raided corporate databases and siphoned away credit card, tax, banking, healthcare and other consumer information, regulators took notice. In an effort to protect consumers, governments and industry consortiums imposed regulations and mandates like Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry (PCI) standard. The initial round of enforcement and deadlines, however, was mostly targeted at large enterprises. Thus it is not surprising that over the last few years, large enterprises have made significant investments in cyber security and have at least increased the barrier to such breaches.
When Cybercrime Moves Downstream
Undeterred, cybercriminals are finding it easier to move downstream and target small to medium businesses, which are increasingly online but do not have the necessary safeguards. The Privacy Rights Clearinghouse website lists a long chronology of breaches. Take a look and you'll find that while familiar names like ChoicePoint, the U.S. Department of Veterans Affairs, TJX, and Circuit City have endured highly publicized breaches, the majority of breaches actually occur at small to medium merchants.
Regardless of whether you are a small retailer, a credit union with a single location, or a doctor's office or clinic, you face the same problems as a global enterprise when a breach occurs: potential fines, bad press, class-action lawsuits and customer attrition. In fact, the costs of security breaches can be more devastating for a small enterprise that has fewer financial and other resources.
The squeeze doesn't end there. Regulations increasingly apply to small and medium-sized businesses, not just larger ones. The PCI Data Security Standard (PCI DSS) must now be met by any business that stores, processes, or transmits credit card information—regardless of annual transaction volume. Similarly, publicly traded companies with a market capitalization under $75 million must now comply with SOX. HIPAA, of course, applies to the smallest doctor's office and the largest hospitals and insurance firms.
Combating Cybercrime with the Hidden Trail
Just thinking about how to provide adequate security can seem overwhelming to a small business. But your business already has the information you need to detect breaches in a timely manner and to cost effectively address regulatory requirements. Every second of the day, your servers, laptops, applications, network infrastructure, and security devices leave a trail of activity behind in the form of logs. Everything from a login or logout to a badge swipe or file access is tracked in this hidden trail. Bring this information together and you have a powerful and cost-effective means to detect threats and protect your business.
Tips On How to Maximize Your Security Budget:
- Improve efficiency—consider approaches to security that require less hardware and effectively support consolidation and green initiatives.
- Manage clear visibility on the network—knowing where your internal/external threats and policy violations exist will eliminate or reduce the extraneous costs of a data breach, fraud, or cybercrime.
- Avoid the one size fits all solutions—look for multiple performance options and scalability to adapt to evolving security and compliance regulations.
- Understand the impact of automation—reserve limited and valuable IT resources for more strategic tasks.
- Integrate security as part of the business—leverage security solutions in more strategic ways by offer a clear path to ROI and productivity gains.
For organizations of any size, there's no doubt that battling cybercrime and meeting regulatory compliance will be a top business issue in 2009. However, given the state of security in today's economy, it will be important to measure the cost-comparisons between technology and IT resources used versus the costs associated with a data breach or cybercrime attack.
Ansh Patnaik is the director of product marketing at ArcSight. He is an ISSA and ISACA member and maintains the CISSP certification. Ansh has worked in the security space for over 10 years with companies such as BindView/Symantec and Omniva Policy Systems.