Have you noticed that “fear” seems to be a major theme of this information-overload era in human history?
“Be afraid; be very afraid,” the slasher-movie moguls warn us. “Fear Factor” is a network television success. “No Fear” has become the mantra of the “extreme” boardshorts-wearing crowd. We're fighting the War on Terror. And then there's the list of phobias that seems to grow longer every day.
Everywhere you look, someone is telling you to be afraid of something or other. When you think about it, it's kind of scary.
Of course, some fear is useful, even desirable. “Who's afraid of the big, bad wolf?” ask two of the legendary Three Little Pigs in a popular song. It turns out that Pig No. 3 used a healthy dose of fear to motivate himself to build a brick house that kept that wolf at bay. Lucky thing for the other two porkers that he had extra room when they came frantically knocking at his door after their flimsy houses had been decimated.
When it comes to hackers – those who would access our computer systems for nefarious or “recreational” reasons – I would similarly suggest that fear is a healthy response but only if it's the Pig No. 3 variety.
Let me explain.
In September of this year, New York-based PricewaterhouseCoopers and CIO magazine announced results of a worldwide survey (47 countries, across all industries). The survey found that nearly two-thirds of respondents had “experienced negative security incidents in the past 12 months.” These attacks included insertion of malicious code, unauthorized systems access and denial-of-service incidents.
But the survey yielded another result that only can be characterized as disturbing – 41% of the respondents said they don't report such security incidents to anyone, including the authorities. In other words, when their systems are breached, they keep their mouths shut. The question, apparently not explored by the survey, is why?
Perhaps some of those companies have been threatened by hackers with more damage if they report incidents, but my instincts tell me that most of them are just plain scared of having anyone know their systems are so vulnerable. If you're a bank or an insurance company, for example, would you want to advertise that your systems were not capable of protecting your customers' money and/or private information?
Yet the survey reveals that nearly two-thirds of companies have had breaches. Does anyone believe banks and insurers are immune?
Consider the results of another survey from Ernst & Young, New York. The company talked to some 56 North American banks and insurers and found that only 38% of those asked rate themselves as “adequate” or better in their ability to secure critical information from a malicious attack or disaster. In fact, 30% of the respondents describe their ability to identify information system vulnerabilities as “marginal” or “inadequate.” Now that is frightening.
“The risks are increasing and as the vulnerability and threats increase, organizations have not been able to stay up to speed in addressing them as effectively as they would like,” comments William Barrett, partner and leader of E&Y's Technology & Security Risk Services Group. The solution, he adds, is not necessarily spending more money on security but doing a better job at “prioritizing” security risks and spending in the areas of highest priority.
When a company's systems are breached, however, a conspiracy of silence is the hacker's best friend. When a company is mum, law enforcement loses what could be valuable information about the cyber-criminal. The hacker is able to continue his dirty work safe in the knowledge that more than 40% of the victims will never report the crime. The victims, meanwhile, publicly live the lie that their systems are impregnable. But all the while they are doubly fearful of further attacks.
Microsoft recently announced $5 million in rewards for information leading to the arrest and conviction of those who launch viruses and worms on the Internet. Hackers often use such malicious code to gain access to and/or control targeted computer systems. One could view this announcement as a publicity stunt – and that view may be justified – but it is a step in the right direction. It is an attempt to get people to open up and share information so cyber-criminals can be brought to justice.
When it comes to fear of a cyber-attack, we can rightly cite one of the most famous remarks on the subject, from Franklin Delano Roosevelt in his 1933 inaugural speech: “So, first of all, let me assert my firm belief that the only thing we have to fear is fear itself – nameless, unreasoning, unjustified terror which paralyzes needed efforts to convert retreat into advance.”
I think FDR says something very important here. Fear that “paralyzes needed efforts to convert retreat into advance” is just what most of the “silent 41%” suffer from. To save what they view as their potentially tarnished image, such companies will stay mum and allow the criminals to have still greater successes.
On the other hand, fear that motivates us to positive action is a blessing. Just ask those pigs in the brick house.
It's not easy to admit that your systems have been cracked by hackers, but in this age where such incidents are now commonplace, it's not a damning indictment either.
To quote the same FDR speech again: “This is preeminently the time to speak the truth, the whole truth, frankly and boldly.” When we can bring ourselves to share information openly with authorities and others – and realize we are fighting a common enemy – we will turn the tide in the fight against cyber-criminals.
As a very wise man once said, “The truth will set you free.” Report your breaches and help catch a hacker today.
Reproduced from National Underwriter Life & Health/Financial Services Edition, November 21, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.