Kevin Dougherty has seen his share of spam and phishing scams, as has any IT leader in the financial services industry. But the sender’s name on this particular e-mail sent a shudder down his spine: It was from one of his board members at the Central Florida Educators’ Federal Credit Union (CFEFCU).
The e-mail claimed in convincing detail that there was a problem with the migration to a new Visa credit card that the board member was promoting to the credit union’s customers. The fraudulent message urged customers to click on a link—to a phony website set up by criminals—and enter their account information to fix the problem.
More On Cybercrime
But what happened later that Friday afternoon—after Dougherty, who is senior vice president of IT and marketing, had wiped the credit card migration information off the website and put up an alert warning customers of the scam—really scared him. Around 2 p.m., the site suddenly went dark, like someone had hit it with a baseball bat.
That’s when Dougherty realized that he was dealing with something he hadn’t seen before. And he couldn’t describe it with conventional terms like phishing or spamming. This was an organized criminal conspiracy targeting his bank. “This wasn’t random,” he says. “They saw what we were doing with the credit card and came at us hard.”
Dougherty’s website lay in a coma from a devastating distributed denial-of-service (DDoS) attack that, at its peak, shot more than 600,000 packets per second of bogus service requests at his servers from a coordinated firing squad of compromised computers around the globe. That the criminals had the skill and foresight to launch a two-pronged attack against Dougherty and his customers was a clear indication of how far online crime, which is now a $2.8 billion business according to research company Gartner, has come in the past few years.
Though this dark business largely targets financial services companies, there are signs that criminals are beginning to covet new victims. Since January, phishers have been documented going after “many types of websites not typically targeted,” such as social networking and gambling sites, according to the Anti-Phishing Working Group, a research group.
As cybercrime enters this second wave, criminals with no programming experience can buy illegal packaged software to carry out sophisticated attacks, and information security can no longer be addressed merely with a firewall. It has become not just an IT risk, but a business risk. The threat extends beyond systems, affecting everything from marketing and the customer relationship to government compliance, insurance costs and legal liability. Beyond IT and a trusted cadre of security vendors and consultants, information security requires understanding, involvement and consensus from all parts of the business at all levels, right up to the board, before problems occur. Security to combat cybercrime needs to be part of a company’s disaster and business continuity plans, with security spending based on the overall threat cybercrime poses.
If security is viewed simply as an IT cost and responsibility, companies will never be truly ready for the risks they face. “If you do have an attack, it’s never just the data that you lose or the customers who are victimized, it’s [also] the larger effects that the attack has on everything else,” says Ian Patterson, CIO at online brokerage Scottrade. “It’s the marketing effects, the customer service effects, the business effects.”
How Cybercrime Is Changing
The crooks are still after the money, but they are developing more sophisticated ways of getting at it. They’re willing to hang around longer and in places where the money isn’t immediately available. For example, the breach disclosed earlier this year at retailer TJX unfolded during more than a year, as criminals accessed the system multiple times to extract customer credit card numbers, using technology that has, “to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006,” according to TJX’s annual report filed with the Securities and Exchange Commission. (For a possible way the TJX breach was accomplished, see How Organized Crime Uses Technology to Make Money.) “The new paradigm is to not make big, noisy attacks,” says Chris Painter, principal deputy chief of the Computer Crime and Intellectual Property Division at the U.S. Department of Justice.
Phishing attacks increasingly use subtle ways of gleaning information that are not apparent to even the most educated computer users. As the sophistication of the attacks continues to improve, the percentage of consumers who click where they shouldn’t has risen from 18.6 percent in 2004 to 24.9 percent last year, according to Gartner. Online crime “will spread from financial services as the use of indirect attacking grows,” says Markus Jakobsson, a security consultant and associate professor of informatics at Indiana University. “For example, perhaps you go to a funny cartoon website where it asks for information that mimics what’s needed to impersonate you on eBay.”
That threat is mounting every day. The number of people who believe or know they received phishing attacks doubled between 2004 and 2006, from 57 million to 109 million, according to Gartner. Although fewer victims are losing money, the losses per victim have more than quadrupled since 2005 and the percentage of that money recovered has dropped from 80 percent in 2005 to 54 percent in 2006. Even if victims don’t lose money, there is a cost. The Federal Trade Commission estimates that it takes consumers an average of 30 to 60 hours to clean up a credit history damaged by identity theft.
For businesses, the unseen costs are even higher. For 56 organizations studied by the Ponemon Institute that experienced the loss or theft of customers’ personal data, the loss of business resulting from the breach eclipsed by nearly $400,000 the combined cost of detecting an attack, notifying customers and helping them work through any resulting problems (on average, $128 per compromised record and $2.6 million in total).
Meanwhile, the administrative savings that make the online channel so attractive for businesses are being eaten up by consumer fear and avoidance. A recent Gartner survey found that 23 percent of online banking consumers have fled the channel because of security concerns. Nearly 24 million people won’t even consider online banking because of them. “That means you have people doing transactions at the bank that cost $15 each when they could be doing it online for pennies,” says Tim Renshaw, vice president of product solutions for TriCipher, a security software company. In addition, plummeting trust in e-mail has made it a dicey customer communications vehicle. More than 85 percent of respondents to the Gartner survey said they delete suspect e-mail without opening it. Dougherty says CFEFCU has abandoned e-mail altogether. “We have had to go back to snail mail,” he says, noting that it’s about 90 percent more expensive and much slower and less flexible than e-mail.
What Happens When You’re Unprepared
Dougherty faced these broad risks on that awful Friday afternoon last August, when a criminal website intent on stealing the identities of Dougherty’s members was his only operating face to the world on the Web.
Obviously, the first thing Dougherty had to do was stop the attack. He had to hurriedly assemble a coalition of vendors and consultants to help him, and then he had to convince his CEO that drastic steps were needed—steps that would temporarily cut off customers from any possibility of getting to their accounts online until the problems were completely eradicated. (To find out why companies rely more on vendors than on law enforcement for help, see CIOs Look Beyond Cops for Help Fighting Cybercrime.)
Dougherty wanted to have the site temporarily blacklisted with his telecom provider, BellSouth, to deflect the attack, thereby reducing pressure on the site and giving him the time and flexibility to make protective changes. But his CEO resisted—as might anyone who has not experienced an attack. “He wanted to keep it up so we could service the members,” says Dougherty.
At 11 p.m., after a long night of battling the attackers and plotting strategy, Dougherty finally convinced his CEO to have the site blacklisted and to take a break until morning. Continuing in a tired and emotional state would have played into the attackers’ hands. “It’s a mind game,” says Dougherty.
By Saturday morning, Dougherty had RSA, a security vendor he called in when the attacks began, working to set up a “take-down” service that seeks out and dispatches criminal websites (in this case, more than 30) with its own cyber baseball bat. Meanwhile, BellSouth began beefing up security around the credit union site to try to thwart attacks. Dougherty also began planning with RSA to build multifactor authentication into the website. As these solutions emerged, the CEO became comfortable with Dougherty’s blacklisting decision. “We built heightened awareness with the board and the executive management team,” says Dougherty. The site was back up by Saturday evening. In the end, 22 customers gave up their information to the thieves and the total losses were “less than five figures,” says Dougherty. (To learn why it’s hard to prevent customers from falling for phishing scams, see Stop End-Users Before They Click Again on Risky Websites.) Though the credit union had averted disaster, “it was a rude awakening,” he says.
Firewalls Aren’t Enough
Dougherty also woke up to the fact that he needed to communicate more with his executives and the board about IT security and its link with the bank’s risk and security strategies. Now he scans banking conference agendas for security content and encourages his executives and board members to attend. Sometimes he accompanies them. “I was with our chairman at a conference and there was a security presentation and so I said, Why don’t you come down and we’ll go to this together? Then, when he had questions, I was there to answer them. Sometimes the technology scares them and you have to get them comfortable with it.”
Every month, Dougherty also sends three or four security articles to executives and the board that he encourages them to read. He has subscribed to a fraud intelligence information service from RSA that gives updates on the latest threats and suggested responses, and he passes that information along too. “It’s vital to have data to relay to my management team,” he says.
Dougherty is also in charge of all training for employees and has broadened that educational effort to include security. He now demands that at least one security article go in each edition of the bank’s quarterly newsletter.
He doesn’t think he has a choice because the auditors have become tougher. In the wake of the attack, the bank strengthened its audits that tested for vulnerabilities, both online and off. One of those tests inside branches found that crooks didn’t need the Internet to gain access to data. “We had guys sling monitors over their backs and tell the tellers they needed to fix the computers. They got past our tellers in three branches,” Dougherty sighs. “But I would rather have the auditors find these things than someone else.”
With so much at stake, however, CIOs have to move beyond such traditional defensive strategies. They need a protection strategy for the data too. The threat of security breaches by rogue employees or contractors has always been higher than the threat from criminals outside. But now the outsider threat is increased due to the greater portability of data via mobile devices, says Joe Nackashi, CTO of Fidelity Information Services, which hosts data not just for Fidelity but for other financial services companies as well.
In 2004, Fidelity began encrypting all of its financial data, not just on its internal systems, but on any device that enters or exits the data center, including laptops, thumb drives and magnetic tapes for mainframes. This way, “even if you lose the data, it will be scrambled when someone tries to recover it,” says Nackashi.
But encryption is expensive (because of the effort involved to dress data in extra scrambling code) and complex, requiring processes for deciding what to encrypt when, where, why and by whom. Furthermore, encryption is only as strong as its weakest link. If business partners and contractors don’t follow the same processes and use the same encryption methods, all that scrambling is for naught. These difficulties probably account for why only 16 percent of organizations surveyed by the Ponemon Institute said they had an enterprisewide encryption strategy.
Yet more companies, including those outside of financial services, will need to consider encryption for their most sensitive data. The growth in mobile devices and the ability of employees to install and run their own software gives data legs to run around the firewall—what Nackashi calls “data in flight.”
Though Nackashi won’t say how much Fidelity spends on its encryption effort, it is evident in the amount of management time he has devoted to it. “Two years ago, it probably consumed 100 percent of my time because we were planning the strategy,” he says. “Today we’re in implementation mode, so it is probably 30 percent.” This despite the fact that Fidelity has a full-time chief information security officer who is Nackashi’s peer. Overall, Fidelity’s security staff has grown 30 percent over the past two years, he estimates. “This isn’t something you can compromise on from our perspective,” he says. “The nature of the business we operate in leaves us no luxury to play fast follower.”
Get C-Level Buy-In
Such dramatic increases in security staffing and spending are a barometer of cybercrime’s evolution from IT nuisance to business risk. Scottrade’s Patterson has quadrupled his security staff from two to eight since 2004, and he estimates it will more than double next year.
Anyone who resists this growth in security spending needs to consider the bigger picture, says Patterson. “What if a breach among a small number of customers caused us to lose 170,000 or 300,000 customers overall, what would be the business ramifications of that? Everyone has to be in agreement that whatever that number is, you build your ROI from that.”
As a way to give information security the billing it deserves, Patterson has pushed Scottrade to link it with the company’s disaster recovery and business continuity strategies. “We lost some of our branches in [Hurricane] Katrina,” says Patterson. “If you have a DDoS attack you have to do some of the same things. You have to reroute people and phones and make sure the communications about the situation are clear and concise.” Meanwhile, at CFEFCU, Dougherty has consultants to do a data breach business impact analysis that links to the organization’s disaster recovery strategies.
But CIOs can’t be left as the sole advocates of a broader risk strategy, or it will never happen. Executive committees and boards have to be involved in the decision making. “I put up a picture of the Kremlin when I present to the executive committee. Whatever it takes,” laughs Scottrade’s Patterson. The picture is a reference to Russia as a hotbed of cybercrime. “The business has to be just as aware of this as I am.”
One way he builds awareness is to present a set of security key performance indicators to his executive committee every month. For example, he gives an overall report on internal and external vulnerabilities by tracking intrusion alerts and monitoring the security patching efforts, broken down by data center and hardware at Scottrade’s corporate facilities as well as at its branches. Eighteen months ago, he says, “we were not tracking this information.”
Dougherty’s CEO and board now also are vested in security as a critical business metric. Perhaps the best evidence of this was when his site was attacked again later in the summer. The attack was neutralized within a few hours, says Dougherty, because of the new strategies he had in place, but also because there was no need to argue any of them with the CEO or the board. “They just need to understand what’s going on,” he says. “They need to know that responses are being made.”