by Allan Holmes

Mid-Market Companies Increasingly Attacked by Online Crooks

Feature
Mar 01, 2007 | 12 mins
Security

Boo!

TJX.

Does that scare you?

It doesn’t? How come? Is it because TJX, which got hacked in December and then got raked over the coals in the press in January, is big and you’re…well, smaller?

No. You’re smart. It does scare you. It scares the pants off you.

And it should.

If you’re a CIO at a mid-market company, you know you’ve got a problem. It gnaws at you and keeps you up at night. You know that hackers, fraudsters and even organized crime are increasingly targeting your company’s systems and applications. They’re going after personal data, customer accounts and trade secrets. The bad guys are purchasing goods with stolen credit cards. They’re working hard (perhaps harder than you are to stop them) to get their hands on anything of yours that may be of value to them.

The truth is, you’re so worried about your security posture that you don’t even want to talk about it. You certainly don’t want to talk to CIO, even anonymously. But we know (because experts tell us) that compared with CIOs at large corporations, you mid-market CIOs don’t have the budget, the sophisticated IT skills on your staff or the time to take away from core IT operations to build better defenses. You’re wide open, and right now you’re just hoping you’ll get lucky enough to duck something terrible coming at you from an unknown direction.

Increasingly, the neighborhood you live and work in has become a dangerous place.

“A lot of attacks are being made on the mid-level companies because it’s a smaller hill to climb,” says Robert Richardson, director of the Computer Security Institute in San Francisco.

“That’s just a plain fact.”

Big Scary Numbers

There’s no doubt that the 4,000-plus mid-market companies in the United States are extremely vulnerable. About 43 percent of mid-market companies have annual security budgets below $100,000, while about the same proportion of large companies (40 percent) have security budgets that exceed $1 million, according to the 2006 “Global State of Information Security” survey conducted annually by CIO and PricewaterhouseCoopers. (To see all the data, go to www.cio.com/091506.) On top of that, mid-market companies typically don’t have a security expert on staff. Only about 20 percent employ a CISO compared with 42 percent of large corporations. Finally, mid-market CIOs don’t have the tools to identify their weaknesses. Fewer than a third use vulnerability scanning software to find holes in their systems, while 46 percent of their larger counterparts do.

Until recently, the security gap between mid- and large-market companies hasn’t been an issue. The percentage of mid-market CIOs reporting successful cyberattacks last year was about the same as the percentage of large companies. But security experts agree that the number of cyberattacks on mid-market companies began rising last fall and continues to do so. The trend is clear.

“Smaller corporations are where the problems are today,” says Paul Kocher, president of Cryptography Research, a security services firm. “[Attackers] know these companies don’t have the budgets or expertise to have strong security.”

But you’re not helpless. We have collected some security fixes and technologies that experts say will harden your systems without draining your budget or requiring you to extend the day past 24 hours. While these fixes and tools will not make your systems attackproof, they can make life more difficult for the cyberscum. And that’s what cybersecurity is all about, says Tom Sullivan, head of e-commerce risk for online travel site Expedia and also chair of the Merchant Risk Council, a nonprofit group that represents online retailers. Like crooks of any stripe, cyberthieves are looking for easy targets. If they come up against a site that’s even marginally more difficult to hack than others, in most cases they’ll move on to easier prey.

“That site may be your competitor…or it may be you,” Sullivan says. “You hope it’s not you.”

The Changing Threat

Last year was a relatively quiet one on the security front. No major viruses struck down entire networks, and the percentage of corporations hit by viruses has been on a steady decline, from 95 percent of all U.S. organizations reporting virus attacks in 2001 to just 65 percent last year, according to the 2006 computer crime and security survey conducted annually by the Computer Security Institute (CSI) and the FBI.

But what that report doesn’t address, says Richardson, who oversees the report for the CSI, is the changing nature of the attacks and their targets. No longer are attackers trying to bring down large networks for hacker bragging rights; cyberattackers are now in it for the money. “Hackers and fraudsters are deliberately staying under the radar now,” Richardson says. “They’re going undetected until they do what they want to do. And even then, sometimes you don’t know until the money is long gone.” Consequently, many attacks go unreported.

“[Survey respondents] will talk about getting hit by widespread viruses, but they won’t talk about how they got completely cleaned out by a targeted attack,” says Richardson.

It’s time to talk about it before you’re a victim.

And here’s what you should be talking about.

Assess, Then Patch

Cyberthieves look for the path of least resistance. That means they’re looking for known vulnerabilities in applications and networks—those holes that have been published online and for which vendors may or may not have provided patches. That’s why security experts say patching known vulnerabilities is the most effective defense against cyberattacks, reducing your risk by at least half, if not more, they say.

We know, you’ve heard this before, ad nauseam. But the fact is, a large portion of CIOs simply don’t do it. Fewer than half of all mid-market CIOs say they have deployed some kind of patch management tool, according to CIO’s global security survey. (CIOs at large corporations are only slightly better, with 55 percent saying they have deployed a patch management tool.) No wonder hackers continue to find plenty of opportunities.

So why not patch, and patch often? CIOs are not being purposely negligent, says Jeff Williams, chair of the Open Web Application Security Project (OWASP) Foundation, a nonprofit online community disseminating Web security best practices. Keeping up to date on the release of patches and determining which ones apply to your applications and networks is a time-consuming task, he says. In addition, applying the patch, testing whether it affects the performance of the application or network, and then deploying it enterprisewide requires even more time and could slow your systems down.

Jerry Maze, CIO of Royal Food Service, a $60 million enterprise that supplies produce to restaurant chains, is typical when it comes to the mid-market CIO’s view of patch management. Maze doesn’t follow a process other than to apply patches released by Microsoft and to make sure his vendor applies patches to the payroll system it operates. “I realize there are ways to make this happen automatically but we have not implemented that,” Maze says. “I’d like to, but there are too many other pressing issues right now.”

To make patch management less cumbersome, Williams suggests mid-market CIOs keep up to date on patches that are specific to the applications and systems that provide access to sensitive information. Firewalls that allow access to systems and data through a Web server should get more attention than, say, those connected to operating systems. To know which applications and systems are most critical, you will have to do a risk assessment or a threat-modeling exercise. That means knowing your business and where the most sensitive data is. Talk to business unit leaders to learn where sensitive data is stored and what applications are used to access it. That list then becomes your “patch watch list” and should get a high priority in your weekly agenda.

“You really have to think about this, but the time is well spent,” Williams says. “Nothing else you do will have such a big impact on security.”

How to Fight Retail Fraud

Patches may be a good way to fend off hackers. But what happens when the fraudsters masquerade as legitimate customers to steal account information, credit card numbers or to make fraudulent purchases? For mid-market merchants, this is rapidly becoming an epidemic. This kind of fraud “is moving farther downstream to the smaller and mid-size online merchants,” says Sullivan. “It’s becoming more sophisticated and organized.”

But how you secure systems against it doesn’t have to be sophisticated or costly. Any company that stores sensitive data can follow some basic and inexpensive processes to scan for fraud. Here are some steps security experts say you can take:

• Familiarize yourself with buying patterns.

An unusual increase in your company’s sales during a typically slow period could indicate fraud. But make sure you rule out other causes. Is the spike the result of an advertising campaign, the purchase of keywords on Google or some other promotion? “If not, I would be really nervous about the upswing,” Sullivan says.

• Know where the majority of your purchases come from.

If large orders are being sent to, say, Tulsa or Boise or other places where you rarely, if ever, do business, that could indicate fraud. Fraudsters have advertised on Monster.com and other job sites looking for people willing to work from home, make large purchases on websites and then send the goods to their home address.

• Check the quantity purchased.

If most customers purchase one or two of a particular item and you see a single purchase for much more, you may want to check out the buyer. Call the customer, and if he declines to provide information about the bank or credit card he used, Sullivan advises that you decline the purchase.

(Scanning purchases doesn’t have to take a lot of time and can be done quickly by downloading the files into an Excel spreadsheet and then searching appropriate columns for unusual numbers or addresses or patterns. And you don’t have to buy an expensive artificial intelligence application to do so. Kocher of Cryptography Research recommends mid-market companies hire a college student to sift through each order. “That can be remarkably effective,” he says. “Neural networks are no smarter than a smart college student.”)

• Compare the IP address with the physical address.

If the purchaser says he lives in Denver but the IP address is in Georgia, call the customer to verify credit card information.

• Don’t be a pack rat.

If you don’t need to store credit card numbers or any personal information, then don’t. Keep the information for as long as you have to for business purposes, such as during a billing cycle, and then delete it from all databases. If you don’t have personal information in your system, hackers can’t steal it.
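The quantity, destination and IP-versus-address checks above can be run over an exported order file with a short script instead of a spreadsheet search. This is an added example, not part of the original article; the column names, the sample orders and the two thresholds are assumptions, and the state geolocated from the IP address is assumed to have been looked up already.

```python
import csv
import io
from collections import Counter
from statistics import median

# Constructed sample export (not real orders): ship_state is the address the
# buyer gave, ip_state is the state the buyer's IP address geolocates to.
ORDERS_CSV = """order_id,sku,qty,ship_state,ip_state
1001,MUG-01,1,MA,MA
1002,MUG-01,2,MA,MA
1003,MUG-01,1,NH,NH
1004,MUG-01,2,MA,MA
1005,MUG-01,40,OK,GA
1006,LAMP-07,1,MA,MA
1007,LAMP-07,1,NH,MA
1008,LAMP-07,1,MA,MA
"""

QTY_FACTOR = 5     # assumption: flag a quantity over 5x the item's median
RARE_SHARE = 0.15  # assumption: a destination with under 15% of orders is rare


def screen_orders(csv_text):
    """Return {order_id: [reasons]} for orders worth a call to the customer."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Typical quantity per item, so a bulk item is not compared to a single-unit one.
    by_sku = {}
    for r in rows:
        by_sku.setdefault(r["sku"], []).append(int(r["qty"]))
    typical = {sku: median(q) for sku, q in by_sku.items()}
    # Share of all orders going to each destination.
    dest = Counter(r["ship_state"] for r in rows)
    flagged = {}
    for r in rows:
        reasons = []
        if int(r["qty"]) > QTY_FACTOR * typical[r["sku"]]:
            reasons.append("quantity")
        if dest[r["ship_state"]] / len(rows) < RARE_SHARE:
            reasons.append("rare destination")
        if r["ip_state"] != r["ship_state"]:
            reasons.append("ip mismatch")
        if reasons:
            flagged[r["order_id"]] = reasons
    return flagged


if __name__ == "__main__":
    for order_id, why in screen_orders(ORDERS_CSV).items():
        print(order_id, ", ".join(why))
```

An order that trips several checks at once (1005 in the sample) is the one to call first; a lone IP mismatch (1007) is common for travelers and gift orders and only warrants verification.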

The Enemy Within

Employees account for about 90 percent of all fraud and data theft in a company, according to a recent Ponemon Institute survey. Two-thirds of the survey’s respondents also cited temporary employees, as well as disgruntled and terminated employees, as posing the greatest security risks, according to the security and privacy advocacy group’s 2006 survey.

By building a profile of high-risk employees, you can know what systems to monitor and thereby lower your risk, says Ken DeJarnette, who specializes in security and data protection at Deloitte & Touche. For example, focus on temporary employees (typically hired during seasonally busy times) who have access to sensitive data. These employees have less loyalty to a company and are more susceptible to being importuned to steal.

Call centers are a prime target for fraud. CIOs can reduce their risk there by following a couple of simple and inexpensive rules, says Brian Contos, author of the book Enemy at the Water Cooler and CSO of ArcSight, an information security firm. Benchmark what a typical call to the center looks like and then periodically scan the database for calls that do not fit that profile. For example, if a typical call requires a rep to access one file, you may want to flag any call in which a rep accesses three or four files. That’s what happened at a telephony company where private investigators working on divorce cases would call to ask for numerous phone records to use in their investigations. The information was protected by privacy laws. The CIO flagged those calls in which call center reps were accessing more than one file. As a result, as many as 14 call center reps were fired.
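The call-center benchmark described above, sketched as an added example that is not from the article or from ArcSight: it derives the typical number of customer files opened per call from the access log itself, flags calls above that baseline, and tallies flagged calls per rep. The event format, rep names and file ids are constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed access events (not real data): (call_id, rep, customer_file).
EVENTS = [
    ("c1", "rep_a", "F100"),
    ("c2", "rep_a", "F101"),
    ("c3", "rep_b", "F102"),
    ("c4", "rep_b", "F103"), ("c4", "rep_b", "F104"), ("c4", "rep_b", "F105"),
    ("c5", "rep_c", "F106"),
    ("c6", "rep_b", "F107"), ("c6", "rep_b", "F108"),
    ("c6", "rep_b", "F109"), ("c6", "rep_b", "F110"),
    ("c7", "rep_c", "F111"), ("c7", "rep_c", "F111"),  # same file reopened
]


def flag_calls(events):
    """Return (baseline, {call_id: files_opened}, {rep: flagged_calls})."""
    files = defaultdict(set)  # distinct files per call; reopening counts once
    rep_of = {}
    for call_id, rep, customer_file in events:
        files[call_id].add(customer_file)
        rep_of[call_id] = rep
    # Benchmark: the median number of distinct files opened in a call.
    baseline = median(len(s) for s in files.values())
    outliers = {c: len(s) for c, s in files.items() if len(s) > baseline}
    # Repeated outliers by the same rep matter more than a single odd call.
    per_rep = dict(Counter(rep_of[c] for c in outliers))
    return baseline, outliers, per_rep


if __name__ == "__main__":
    baseline, outliers, per_rep = flag_calls(EVENTS)
    print("typical files per call:", baseline)
    print("calls to review:", outliers)
    print("flagged calls per rep:", per_rep)
```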

Pay Less Now or More Later

Security experts want to make sure that mid-market companies get one clear message: Common sense goes a long way.

CSI’s Richardson compares it with going into a dangerous part of town for dinner. You take simple precautions—parking on a well-lit street, locking your car—and you enjoy your meal.

Mid-market CIOs should approach security much the same way, following some basic precautions that will do a lot to protect your systems even if they don’t build an impenetrable wall. Any statistician will tell you a 50 percent reduction in your risk is huge. These steps, if followed, can provide that reduction, security experts say. Not to do so, Kocher says, “is irrational. Those who have been attacked and lost almost everything always wish they’d at least done something.”

Anything.