Willie Sutton, the infamous 20th century criminal, was once asked why he robbed banks. He replied simply, “Because that’s where the money is.”
In hindsight, it seems like such a simple idea and could explain, in part, why so many people now hack into company computer systems with the intent to steal data. Today, that’s where the money is.
For many technically skilled, albeit ill-willed, individuals, access to this treasure trove of valuable data is the low-hanging fruit for easy picking.
A data breach can come in many forms. It might occur through unauthorized access to a corporate retail payment processing system, as experienced by Target in 2013, or perhaps through stolen computer equipment, as experienced by California insurer Health Net in 2011. As a result of those data breaches, personally identifiable information (PII) and protected health information (PHI) of millions of people was exposed. Once obtained, this type of data can be made available for sale to the highest bidder on the cyber black market.
Hackers might also seek unlawful financial gain through the use of software such as CryptoLocker, a new type of ransomware that locks up and prevents access to a firm’s important computer files until a ransom is paid (see my February 24, 2014, post).
But it’s not only PII and PHI that companies need to worry about. Their own corporate intellectual property (IP) and trade secrets can be at risk as well and accessed by unauthorized intruders.
Last week, former Secretary of the U.S. Department of Homeland Security Tom Ridge stated in a keynote address that cyber crime will be an exposure that will challenge us for generations to come. This is certainly a foreboding warning, and, given the state of affairs today concerning the collection of PII and PHI by many businesses and the ease of electronic access, it’s one that’s difficult to disagree with.
Unlike St. Patrick, who, according to legend, banished all the snakes from Ireland, we may never be able to totally eradicate computer hackers. Companies need to do all they can now to protect themselves against unauthorized access to data they possess. Steps they can take include:
- Ensure that computer systems are maintained with up-to-date software and firewalls
- Train employees how to safeguard data and what steps to take if they suspect a data breach
- Implement risk management procedures to minimize exposure to data loss
- Invest in adequate cyber insurance protection
Though prophesied for several years, the “cyber hurricane” — what you might consider a catastrophic cloud-based data breach on a national scale — has not yet materialized. Nevertheless, many smaller cyber events are showing the warning signs.
Hackers are demonstrating that they’re vigilant, becoming more creative in their techniques and doing what they can to access computer systems and illicitly gain “green.” Don’t let your data be their pot at the end of the rainbow. Do what you can to protect your data.
Lá fhéile Pádraig sona dhaoibh! (Happy St. Patrick’s Day!)