TORONTO – A RCMP investigator is urging businesses to be more forthcoming with security breaches if they want to help put an end to them.
“If everyone keeps wanting to bury it, it’s not going to go away,” said Michael McCrory, an investigator with the integrated technological crime unit at the RCMP. McCrory, who spoke at a Xerox-sponsored security panel here on Wednesday, said having such events helps companies realize that everyone is vulnerable to these types of attacks.
“By talking about it, it can help people realize that they’re not the only one being victimized,” he said in an interview following Wednesday’s discussion.
Many organizations, however, choose to keep these situations quiet because of negative press, which, if they are a public company, could affect their stock price and shareholder confidence.
Security breaches are an ongoing problem that not only plague consumers as highly-publicized cases such as ChoicePoint have shown, but represent a real threat to the lifeblood of any business — its digital assets or trade secrets. Trade secrets are the most important asset a company owns because the company is driving economic value from the “secretness” of the asset, said Mark Halligan, principal of Welsh & Katz Ltd. and founder of Trade Secrets Law Committee.
“Companies are losing billions of dollars from the inadvertent disclosure of trade secrets,” said Halligan, giving the example of an employee from company X going over to company Y’s booth at a trade show and inquiring about a new product as if he were a purchaser rather than competitor.
The disclosure of these trade secrets is often happening right under the noses of CEOs and CSOs — at the employee level. Eighty per cent of computer-related attacks come from problem employees inside an organization, according to the U.S. Secret Service. With this number in mind, it is even more critical for businesses to keep better tabs on what digital assets are going in and out of their doors every day, the panelists said.
“Many organizations don’t know where their digital assets reside,” said Dan Verton, author, vice-president and executive editor of Homeland Defense Journal. Verton gave the example of a recent case where a technology vendor did a search of a major North American bank’s Web mail to see where its intellectual property was going. The search found an e-mail sent by an employee to someone outside the company, telling that person how he found a way to circumvent the bank’s new Web mail blocking tool.
Verton said this case highlights the importance of not only having security policies in place (legislation such as Sarbanes-Oxley in the U.S. and PIPEDA here requires that) but enforcing them.
“You need to be able to enforce your policies and procedures,” said Verton.
To help companies with keeping an eye on their employees, Verton said they can deploy either a hardware or software content filtering and monitoring system. The software uses a keyword searching tool while the hardware sits on the network and records data coming and out of it. The latter allows companies to do real-time searches of the data to determine where its going.
In addition to technology, Halligan said most people can be motivated by financial incentives such as bonus cuts to curb them from breaking their company’s policies. Verton, on the other hand, said he doesn’t agree with the incentive model and would rather see a CSO held responsible for the data breach.
“I want to see a CSO be publicly tarred and feathered for a security breach that could have been prevented,” he said.
McCrory said executives here don’t have to worry about being tarred and feathered. “When a crime is reported, it will be public,” he said. “Our court system is very public.”
Right now, the majority of trade secret cases in Canadad and the U.S. are civil rather than criminal. Halligan said these types of cases can cost upwards of millions of dollars to litigate in court. By the time a company gets an injunction against the infringer, it’s usually has lost a significant amount of money with trade secrets often having a short life span of six to 12 months.
With the hackers staying one step ahead of the security experts, all of the panelists agreed that security will continue to be an ongoing issue for the enterprise.