Wednesday, June 26, 2013

Cyber Security can make or break business

Iowa State (US)--Many organizations fail to make cybersecurity a strategic priority, but experts say it's time for that philosophy to change.





Hackers have attacked news organizations, social media sites, major corporations, and government agencies, accessing private documents and personal information. Corporations must develop a proactive strategy so they are not forced to react when there is a threat or a security breach, say the researchers.

The cost to a corporation or the customer if hackers gain access to secure information is one factor to consider. With the growing demand for digitally shared data and information, security can no longer be viewed as just a necessary cost of business, says Anthony Townsend, an associate professor of supply chain and information systems at Iowa State University's College of Business.

"If you have an active and aggressive security team in the organization, you don't have to get hacked," Townsend says. "It's like leaving your door unlocked. If a burglar comes to your house and can just walk in the door, well that's easy for him. But if he has to jimmy the lock and there's good security, he'll go someplace else."

Companies are certainly not just sitting idly by, but too often those making the decisions about security lack information technology expertise, says Samuel DeMarie, an associate professor of management. If an organization waits to test the effectiveness of its cybersecurity until there is a problem, it's too late.

"On a more global perspective, there needs to be more IT expertise at the very top of corporations," DeMarie says.

"The way organizations use information technology is critical to the success of a company. If you're not doing it well, it doesn't matter how great your product or service is, that can be enough to shut down a business."

The risk in connectivity

Connecting instantaneously with other firms is a necessity for businesses to share information quickly and efficiently. Unfortunately, it increases the security risk, says Brian Mennecke, an associate professor of supply chain and information systems.

He expects businesses, especially small-to-midsize businesses, to outsource security as the threats to information systems become more complex.

"I think increasingly that's what we're going to see with organizations moving more of the sensitive operations that are vulnerable to attack, to platforms where they can trust a vendor to provide a higher level of security than they would be able to provide themselves," Mennecke says.

On an individual level, Mennecke compares outsourcing security to the decision to purchase a bank lock box. It is a way to protect important documents that you fear cannot be kept safe at home.

“There’s a cost involved, but there’s a greater good to achieve by making sure important documents and resources are maintained as secure,” Mennecke says.

Of course, there is also an inherent risk in outsourcing such a critical function as security. There is no 100 percent guarantee and it is difficult to repair the damage if a third party violates an agreement. The case of Edward Snowden, a former National Security Agency contractor who leaked confidential documents to a journalist, is just one example of what can happen when that trust is broken.

Security as advantage

Making cybersecurity a priority within a firm’s operational plans is more than an investment; it’s a shift in the organizational culture. DeMarie says a company must weigh that investment with the potential costs and loss of business if hackers successfully shut down its information system.

“A cyber attack could be devastating to some companies,” DeMarie says. “Millions of dollars could be lost if they were shut down. I think a lot of companies just feel like they’ve got it covered. They hope their IT guys know what they’re doing.”

But DeMarie, Townsend, and Mennecke see a strong cybersecurity system as a competitive edge to attract new clients and customers.

“A proactive and well-managed security function in the organization means your customer credit card numbers are safe. You’re not in the newspaper because you got hacked recently. It actually appears to convey a specific advantage in terms of customer retention and satisfaction with the firm knowing that you have decent security. It’s not an afterthought,” Townsend says.

Security will increasingly become a greater priority for customers and clients as more business functions are handled online and digitally. Townsend says the organization with the stronger security presence will have the advantage.


The three researchers will present their paper in August at the Americas Conference on Information Systems in Chicago.

Tuesday, June 11, 2013

Obama urged to warn Chinese leader on cyber-security

WASHINGTON — One senior Democratic lawmaker is calling on President Obama to make it clear to China's President Xi Jinping that the United States is ready to "impose real costs" on China if they continue to steal American intellectual property.
Sen. Carl Levin, D-Mich., suggested that Obama, who is scheduled to hold two days of meetings with Xi next week in California, underscore to the newly installed Chinese president that the Senate is moving forward with legislation that would create a watch list of foreign countries that engage in economic or industrial espionage in cyberspace.
If passed, the bill, which is co-sponsored by Levin, would require the president to block imports of certain goods from countries, if he determines they benefited from stolen U.S. technology or intellectual property.
"I thought you could refer to this bill in your meeting with President Xi as an example that the U.S. will indeed impose real costs on China should they continue to steal our intellectual property," Levin wrote in a letter to Obama that was released by the Michigan lawmaker's office Wednesday.
Levin's push comes as cyber-security has become a growing source of tension between the two countries.
This week, The Washington Post published parts of a confidential defense report accusing Chinese hackers of compromising some of the most sensitive and advanced U.S. weapons systems.
In March, Obama's national security adviser, Tom Donilon, called on China's government to take action to stop the theft of data from American computer networks and create global standards for cyber-security. Donilon visited Beijing this week and underscored U.S. concerns about cyber-security during wide-ranging talks with senior Chinese officials, according to the White House.
White House spokesman Jay Carney said Wednesday that cyber-security would be one of several topics Obama would discuss with Xi, when they meet June 7 and 8 at the Sunnylands estate in Rancho Mirage, Calif.
"We've been clear in our concern about cyber-security, and our concern about the fact that there have been cyber-intrusions emanating from China," Carney said.
The two days of meetings between Obama and Xi will mark the first meeting between the two leaders since Xi took office in March.

University blocks Google docs to fight phishing

There has been a rise in the number of phishing emails sent to Oxford students’ accounts, causing the University to temporarily block Google Docs.
Disabling Google Docs, a website for storing documents online, was a measure taken to prevent emails which appear to be from University officials. Students are increasingly targeted by hackers seeking their account details as university accounts can be used to send spam emails and appear legitimate.
In a blog post on their website, OxCERT (Oxford University Computing Service) explained the decision to block Google Docs, saying, “Over the past few weeks there has been a marked increase in phishing activity against our users. Now, we may be home to some of the brightest minds in the nation. Unfortunately, their expertise in their chosen academic field does not necessarily make them an expert in dealing with such mundane matters as emails…It only takes a small proportion to respond for the attacks to be worthwhile.”
The blog post continued, “Almost all the recent attacks have used Google Docs URLs…We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action.”
A Google spokesperson defended Google Docs, telling Cherwell, “Google actively works to protect our users from phishing attempts. Using Google Docs, or any of our products, for distribution or coordination of phishing is a violation of our product policies, and we will remove any forms or disable accounts discovered to be used for these purposes.”
Phishing through Google Docs is part of a wider increase in the practice within the University. In an email to Oxford students, Professor Paul Jeffreys, Oxford’s Director of IT Risk Management, warned, “You may recently have received fraudulent emails asking you to visit a website to supply your username and password, or requesting that you send them by email…There have been a very large number of such emails sent recently…Don’t be tricked into handing over your password as a result of these emails.”
Several undergraduates received phishing emails last week which claimed, “You will be unable to send and receive mails and your email account will be deleted from our server. To avoid this problem, you are advised to verify your email account by filling this maunal [sic.] information.” A link to a Google Doc for student usernames followed.
The amount of other spam emails reaching Oxford students has also increased. Undergraduates have received three emails from the websites ‘Lashzone’ and ‘Lashxone’, with the most recent being sent on Saturday 23rd February. Their website states, “We offer professional assistance on post-secondary homework, assignments, essays, lab reports, assignment revision...etc. You get the idea?”
A University spokesperson commented, “While Oxford University has extensive anti-spam defences in place, spammers are constantly adapting their tactics to evade our countermeasures.  IT Services have to balance the risks of spam attacks against the risks of disruption to legitimate email traffic.  Unfortunately this means that it is inevitable that some spam will get through the defences - this particular set of messages was just one of hundreds of spam runs that hit the University each day, and often many runs come from the same source.”
Regarding emails from Lashzone, the university stated, “IT Services have been in contact with the Proctors' Office regarding the mails from Lashzone.  We are satisfied that reasonable technical countermeasures are in place, but these are continually reviewed in view of evolving threats.”
When pressed about criticism from universities, a Lashzone spokesperson commented, “We smile and walk on.” 

Happy Data Privacy Day!

Here are some tips and questions you should ask to help protect your business and customers’ privacy online.

Do you tell your employees to keep a clean machine?
Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option. Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.

Do you know your company is only as secure as your least reliable employee allows it to be?
Make sure your employees are stewards of personal and company data. Employees should know not to open suspicious links in email, tweets, posts, online ads, messages or attachments – even if they know the source. Employees should also be instructed about your company's spam filters and how to use them to prevent unwanted, harmful email.

Does your company have an online privacy policy?
Developing these policies can help set the standard for a culture of privacy. The Federal Trade Commission’s Bureau of Consumer Protection Business Center is a great resource. If you already have policies in place, review and update them to ensure they address current threats and best practices.

Are your employees trained to maintain company privacy standards?
Conduct employee training on privacy as it relates to employment, helping employees learn how to protect the privacy of clients’ and customers’ personal information and teaching employees how to manage their own privacy at work.

Do you remind your employees to make their passwords long, strong and unique?
Making passwords long and strong, with a mix of uppercase and lowercase letters, numbers and symbols, along with changing them routinely and keeping them private are the easiest and most effective steps your employees can take to protect your data.

Do you show your commitment to privacy?
Participate in activities such as Data Privacy Day and National Cyber Security Awareness Month to demonstrate your business’ commitment to security.