Undoubtedly, most of you will have seen the amazing story about the developer who secretly outsourced his own role to China, investing 20% of his annual salary to free up almost all his work time. The ruse came to light when the firm, who were pushing forward with a more flexible working package, noticed anomalous VPN activity and called in their telecom provider to investigate. The logs indicated that their lead programmer, "Bob," was apparently regularly telecommuting from Shenyang despite being peacefully sat at his desk surfing the Internet for amusing cat videos.
It transpires that "Bob" had FedExed his SecurID token to China and was allowing the remote development company VPN access to his employer's network so that they could do his day job for him.
Irrespective of the terrible security implications here, and they are pretty horrid, "Bob" was delivering high-quality code to schedule. In fact, his performance review regularly identified him as the best developer they had! And what "Bob" did here was not difficult – many sites offer the services of dedicated professionals such as developers, designers, proofreaders, even lawyers, for a small price.
In a business environment where we encourage flexible working, allow personal devices, and seek to incentivize workers for innovation, excellence, and performance, "Bob" could be held up as a role model, but at what cost to the enterprise?
As 2012 came to a close, we studied the financial position of many CISOs and asked about their expectations for 2013. Unsurprisingly, it was apparent that 2012 was another difficult year and that CISOs had been keeping their belts tight once again. When compared with the other IT departments, however, it became clear that this budgetary flat-line actually represented quite a success, as 2012 had seen most other teams face further cutbacks and spending restrictions.
When we looked ahead to 2013, we saw the usual hopeful optimism from the CISOs – proving once again that any allegation of a correlation between ‘pessimists’ and ‘security professionals’ is complete nonsense. It was interesting, however, to note a marked difference in attitudes dependent upon which side of the Atlantic the respondent was located. Put simply, North American based CISOs had a much more buoyant view of security related finances in 2013 than their European peers.
Before we get too far along into 2013, I’d like to take a moment to reflect back on the events of 2012. Thanks to our friends at CyberFactors*, this is what we saw:
1,468 (publicly reported) incidents. This includes everything from stolen laptops to external hacks to third party partners mishandling data to employees accidentally disclosing data via email.
274,129,444 (known) records compromised. In the 608 cases where there was a record count reported, this was the total count.
Types of data lost/compromised
Personally identifiable information (PII) was compromised in 53% of cases. This also includes credit card or bank account information, as well as medical or health insurance information.
Company confidential information (CCI) was compromised in 4% of cases. This includes things like proprietary intellectual property (IP), compensation data, business plans, corporate financial data, and information subject to a non-disclosure agreement with a third party. These types of incidents may not always be publicly reported, assuming that organizations are even aware that it has occurred or is happening. IP is a valuable asset, and must be protected.
Governmental information was compromised in 42% of cases. This includes things like address, voting data, driver’s license numbers, state or Federal tax IDs, Social Security numbers, and passport information.