ARCHIVED 12/10/09

December 10, 2009


David R. Butcher, Thomas Net News, 12/10/2009

As more organizations are realizing the value of social networks, online criminals are increasingly taking advantage of social-media networks to access and exploit businesses’ vulnerabilities.

The complexity and variety of cyber-security threats are daunting, particularly due to the rapid rate at which new risks develop as well as the increasingly sophisticated methods of cyber criminals. Now, we can add the most popular social-networking Web sites to the ever-evolving means of cyber crime.

In its annual report on network security, Cisco Systems Inc. states that the impact of social media on network security “cannot be overstated.”

Social media sites, particularly Facebook, experienced explosive growth in 2009, and adoption of such resources will likely continue to grow into 2010.

“It is now routine for workers of all generations to interact with colleagues, customers or partners using social networks that, a few years ago, would have been populated mostly by computer users in their teens and twenties,” according to the report, released this week. “In addition, it is common for workers to blend business and personal communications on these social networks, further blurring the network perimeter.”

Although some companies have adopted outright bans on the use of these sites in the workplace, the blurring of personal and business communications makes this strategy impractical.

Likewise, the Ponemon Institute, an information-security research center, believes that social networking can be valuable. It is “a useful and powerful tool for individuals and organizations who consider their strategic value and take thoughtful, necessary precautions to their use,” Susan Jayson, executive director and cofounder of the Ponemon Institute, writes at her blog.

As more organizations realize the value of social networks as a business requirement, social networks increasingly become a playground for cyber criminals. This is because many members of such sites often fail to take precautions to prevent the spread of malware and computer viruses.

Cisco claims that most employees have not been sufficiently taught to protect themselves from viruses and other scams that can infect corporate computer systems when other people access their personal Web pages.

“Without concern for their impact on information security,” Jayson writes of social media sites, “companies that ignore the risks will almost certainly suffer consequences.”

While cyber criminals look to social media for new victims, spam remains a “tried-and-true” method for deceiving people. Cisco’s annual security report estimates that worldwide spam volume next year will likely rise 30 percent to 40 percent above 2009 levels.

On other cyber-crime fronts, Cisco reports that the rate of online banking fraud will continue to grow next year.

According to the Computer Security Institute’s (CSI) 2009 Computer Crime and Security Survey, released this week, financial fraud is consistently a highly expensive type of attack, averaging almost $450,000 in losses per organization suffering from fraud.

Forbes recently noted how cyber criminals can successfully pull off major hacks against smaller companies, pointing to a small bookkeeping business run by a couple who mixed their individual and commercial accounts.

The business owners took out a $50,000 line of credit with their bank, later linking it to their business checking account. Hackers tapped into their online accounts and directed that $26,500 from the credit line be placed in the business account. The intruders then transferred the assets to a bogus entity, and when the owners realized the money was missing 10 days later, it was already in an Austrian bank, which refused to return it.

Says Forbes: “Who foots the bill? Under federal law, losses in individuals’ accounts are the banks’ problem; commercial customers receive no such concessions. That might sound like a free pass for the small guy, until you consider that most businesses are run by individuals.”

In fact, small and medium-sized businesses (SMBs) are prime targets of cyber attacks. A 2008 McAfee study revealed that more than one-third of SMBs were attacked more than four times in the last three years. The research concluded that 28 percent of those attacked took at least a week to recover — a devastating length of time spent offline for small firms that conduct business and sales via the Web.

According to the CSI’s 2009 report, average losses due to security incidents were $234,244 per respondent. The survey’s respondents included corporations, government agencies, financial institutions, medical institutions and other organizations throughout the United States.

Last January, the Ponemon Institute reported that the expense of breaches to U.S. companies rose by 38 percent between 2004 and 2008. In 2005, the information security firm found that the average incident cost $4.45 million. Over the next three years, costs rose steadily to an average total incident cost of $6.65 million for 2008. (Ponemon’s latest annual Cost of a Data Breach study will be released in the near future.)

“Regardless of business size, viruses, hacker intrusions, spyware and spam can lead to lost or stolen data, computer downtime, decreased productivity, compliance issues, lost sales and even loss of reputation,” the Internet Security Alliance (ISA) makes clear. “But no one-size-fits-all approach can effectively address the problem.”

In a report released last week, the ISA called cyber security a fundamentally economic rather than technical issue. The industry group, affiliated with Carnegie Mellon’s cyber security laboratory, said that U.S. government and private businesses need to overhaul the way they look at cyber security by “effectively addressing the fragmentary and diverse nature of the technical, economic, legal and policy challenges.”