With the holidays now upon us, what better way to get started than to talk about what’s on everyone’s mind? No, it’s not the last-minute shopping nor the latest credit card spending statistics. It’s really about the amounts of money lost to financial fraud, scams, hacking and identity theft.
The holidays are a special time for everyone. Three groups are the main protagonists in this production: individual consumers, businesses and the bad guys.
Consumer spending is happily higher than at any other time of year, businesses with lagging balance sheets have an opportunity to show tremendous gains, and cybercriminals have a fantastic opportunity to cash in on all the activity.
Estimates from previous years have put global cybercrime losses in the $2+ billion range, but with little data to substantiate them, we don’t actually have much confidence in the figures. If any blog reader has an accurate number, don’t be shy, let us know.
Inability to track security breaches
Aside from the exact figures, what we really want to know is the reason behind the lack of awareness. In my opinion, that has to do with the sheer inability of online and real-world businesses to detect and track security breaches. The large volume of transactions during the holiday season means that even if they leave any trace, cybercriminals will be long gone by the time the company has a chance to review security logs and act upon its findings in the New Year.
This time of year, my security industry colleagues produce countless lists of top threats, tips and predictions, so I won’t add to their significant investment in time and expertise. Instead I will propose an alternative:
I have a piece of advice for each of the three players in this season’s security production, to help them successfully get through the holidays:
1. To consumers I say one word: vigilance. Today’s security threats all turn computer users into accomplices, or at least partners in crime. Without clicking on links, responding to surveys, surrendering sensitive financial details, opening suspect attachments, viewing suspicious electronic holiday cards and using insecure payment systems, the vast majority of threats would be non-events. So remain vigilant, and enjoy the holidays!
2. Businesses should love this time of year. Have a product worth buying and people will buy it. Unfortunately, the more popular that product is, the more likely it is to attract cybercriminals. To minimize your chances of compromise, the one thing you need to be able to do is maintain visibility into all this activity. If it means reconfiguring firewalls, adding intrusion prevention systems, or enlisting the help of co-op students, do it. There’s no substitute for real-time monitoring when it comes to defusing security threats.
3. Finally, cybercriminals. In the name of fairness, if I have to provide one piece of advice to the bad guys, it must be simplicity.
Simplicity works best during the holidays. Just because Windows patches have been released, it doesn’t mean that people have bothered to apply them, and those exploits are readily available, so they won’t cost you a dime. In fact, instead of investing your hard-earned (read: laundered) money on expensive malware creation kits, here’s a better thought: simply ask for the money. Phishing and identity theft successes show that this is still the best way to get information out of people, and although it isn’t technically ‘informed’, it may arguably constitute consent nonetheless!
Regardless of who you are, let vigilance, visibility and simplicity guide your actions this holiday season.
Here’s wishing everyone a prosperous and safe new year!
Claudiu Popa is a Toronto-based security and information management expert and founder of Informatica Corporation. He is an ardent supporter of information security and privacy awareness, as well as a frequent speaker on the topic.