Imagine if robbing banks were so easy and common that the only headlines were about all the taxes the thieves were avoiding.
Cybercrime has become so expected and normal that media coverage of the Panama Papers leak has barely mentioned law firm Mossack Fonseca’s failure to protect its most valuable and sensitive assets: the files and e-mails that identify clients and their transactions. Another week, another damaging breach.
A new report from PwC says cybercrime is on the verge of becoming the #1 form of economic crime against U.S. companies, surpassing “age-old asset misappropriation,” or stealing money. PwC’s survey also found that only 40 percent of U.S. boards request cyber readiness information more than once a year, suggesting failures in both governance and management.
Regardless of the size or nature of your organization, the Panama Papers leak is relevant. Files and e-mails are the digital records of everything we do. This unstructured data, as it is known among IT people, tends to be what companies have the most of and know the least about. In my company’s recent analysis of risk assessments, more than 25 percent of shared folders in the average company aren’t locked down at all and are visible to everyone in the company. Nearly all data breaches result from compromised insider access—whether the culprit is an outside attacker, an employee with bad intentions, or simply an unwitting employee clicking on an e-mail with a malware attachment.
E-mail servers tend to be one of the largest troves of valuable information. If you were spying on a company, the CEO’s mailbox would be a pretty fantastic place to see what was going on. One of the security challenges with e-mail is that the most valuable mailboxes tend to be the least secured. This is because executives (and law-firm partners) often have assistants and other people who get access to their mailboxes—some even have banks of admins who all have access for long periods of time. Another security challenge with e-mail is that mailbox activity is rarely logged or analyzed, making it very difficult to spot abuse or theft. The ubiquitous Microsoft Exchange has “public folders” where a lot of sensitive information can pile up, and often companies don’t pay much attention to securing these folders. If an assistant’s account gets compromised through phishing or password stealing, or if an assistant turns out to be acting maliciously, the contents of the executive’s mailbox can easily be compromised without detection.
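The two weaknesses above, delegates with standing access to executive mailboxes and mailbox activity that is never logged, can both be checked from the Exchange Management Shell. This is an added example for an on-premises Exchange environment, not code from the article or from any product it mentions; the mailbox addresses and the 30-day lookback window are hypothetical.

```powershell
# Added example (not from the article). Requires an on-premises Exchange Management Shell
# session with permission to read mailbox permissions and audit logs.
# The mailbox identities and $DaysBack are hypothetical values chosen for illustration.
$HighValueMailboxes = @('ceo@example.com', 'managing.partner@example.com')
$DaysBack = 30

foreach ($mbx in $HighValueMailboxes) {
    # 1. Who can open this mailbox as a delegate? Explicit FullAccess grants (not inherited,
    #    not the owner's own SELF entry) are the assistants and admin banks the article describes.
    Write-Host "== Delegates with FullAccess on $mbx =="
    Get-MailboxPermission -Identity $mbx |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                       $_.User.ToString() -ne 'NT AUTHORITY\SELF' } |
        Select-Object User, AccessRights, Deny

    # 2. Mailbox audit logging is off by default. Turn it on and make sure delegate actions
    #    (opening folders, sending as the executive, deleting or moving mail) are recorded.
    Set-Mailbox -Identity $mbx -AuditEnabled $true `
        -AuditDelegate FolderBind,SendAs,SendOnBehalf,MessageBind,Create,Update,SoftDelete,HardDelete,Move,MoveToDeletedItems `
        -AuditLogAgeLimit '180.00:00:00'

    # 3. Review what delegates actually did. A delegate with an unusually high FolderBind or
    #    HardDelete count is the kind of abuse the article says goes unnoticed.
    Write-Host "== Delegate activity on $mbx in the last $DaysBack days =="
    Search-MailboxAuditLog -Identity $mbx -LogonTypes Delegate -ShowDetails `
        -StartDate (Get-Date).AddDays(-$DaysBack) -EndDate (Get-Date) |
        Group-Object LogonUserDisplayName, Operation |
        Select-Object Count, Name |
        Sort-Object Count -Descending
}

# 4. Public folders: the 'Default' entry is every authenticated user. Any public folder whose
#    Default permission is not 'None' is readable by the whole company.
Write-Host "== Public folders open to everyone =="
Get-PublicFolder -Recurse |
    Get-PublicFolderClientPermission |
    Where-Object { $_.User.ToString() -eq 'Default' -and $_.AccessRights -notcontains 'None' } |
    Select-Object Identity, AccessRights
```

Run step 3 on a schedule and feed the grouped counts into whatever alerting you already have; the audit log is only useful if someone reads it.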
When the Panama Papers were unveiled, Mossack Fonseca’s statement described an “unauthorized leak.” This has been widely accepted as indicating an outside attack—despite the ambiguity of that term and the unlikely prospect of 2.6 terabytes being extracted over the Internet without being noticed. Pulling that much data by mining an e-mail server over the Internet is like using a straw to draw down a lake. More likely, insider access was central to the theft and glaringly weak detective capabilities enabled it.
For the U.S. version of its “Global Economic Crime Survey 2016,” PwC talked to more than 6,000 people at 328 different organizations, most of them senior executives at publicly traded companies across all industries. Fifty-four percent said they had been hit by cybercrime in the past two years, just one tick below the 55 percent who experienced asset misappropriation (the increasingly obvious overlap between the two top responses was not captured).
Financial impact is often elusive when examining cybercrime. Because PwC talked to so many business leaders, hard data was more available than in other surveys. PwC said “a handful of respondents (approximately 50 organizations) said they had suffered losses over $5 million; of these, nearly a third reported cybercrime-related losses in excess of $100 million.” A 2015 study by IBM and Ponemon Institute found the average cost of a data breach is now $6.5 million.
With this kind of value now being attributed to data—either as monetizable personally identifiable information (PII) or intellectual property that could lead to corporate extinction if stolen—why don’t we protect files and e-mails better? We underestimate their value and vulnerability. We forget about them but rarely delete them. The recent spike in ransomware shows us how vulnerable unstructured data can be—ransomware advertises its presence to your end users after it encrypts your files, asking for a few bitcoins, and still organizations struggle to detect it before huge numbers of files have been corrupted. Other threats often don’t reveal themselves until much later (if ever) and are far more costly to recover from.
While companies may be monitoring networks for unusual activity or scanning for known viruses, they’re generally unequipped to spot the newest generation of stealthy malware and, even more ominously, the recent arrival of malware-free exploits. In short: most companies have a huge and costly blind spot when it comes to protecting their unstructured information repositories. Better risk assessments, improved data protection, and more sophisticated monitoring of file systems are now the key to real-world security.
While we may never be able to prevent hackers from getting inside, we can spot them more quickly, limit the damage, and ultimately reduce the bottom-line costs of data breaches. Then, perhaps our capacity to be shocked by theft in broad daylight will return to its normal state.