2014 has earned itself the dubious distinction of becoming the “Year of the Data Breach.”
It’s not as if there weren’t breaches in 2013 (or any other year, for that matter). According to PriceWaterhouseCoopers’ most recent Global Economic Crime Survey, seven percent of U.S. organizations lost $1 million or more due to cybercrime incidents in 2013; almost one-fifth lost between $50,000 and $1 million in the same period.
But 2014 was the year that the issue hit home, with millions of consumer records compromised at major retailers. The news of the Target breach broke just before the new year, Nieman Marcus came shortly thereafter, and the bad news seemingly hasn’t stopped.
It appears the year is ending on an even darker note, with cyber threats morphing into terrorist threats. Sony Pictures has been in the headlines over a breach that has been both embarrassing and costly for the media giant. Most recently, the group claiming responsibility for the hack threatened terrorist attacks on movie theaters showing the Sony film “The Interview.” In a message posted this week, the self-titled “Guardians of Peace” warned moviegoers to “Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time.”
As a result, last week’s premiere of the film was canceled, while Regal Entertainment, AMC Entertainment, Cinemark and Cineplex Entertainment, among others, dropped the movie from their holiday lineups (just this week, Sony announced that it will go ahead with a few limited showings of the movie as of Christmas Day). At the same time, the group is threatening to release additional data (beyond the emails, celebrity social-security numbers, movie scripts, and more that it has already published) in the coming weeks.
This isn’t really about Sony, or Target, or Home Depot, or Marshalls (the list, unfortunately, goes on). The Sony story is just the culmination of a variety of disturbing security trends we’ve observed this year. The problem is so significant that the U.S. Director of National Intelligence believes cybercrime to be the top national security threat.
2014 needs to be a wake-up call for businesses and individuals alike. All the large companies I’ve mentioned had dedicated security staff and sizable security budgets. Hackers are bold and incredibly sophisticated, allowing them to successfully attack a variety of companies — even those with employees devoted to data security. What about the vast numbers of organizations that don’t have the resources to employ a chief security officer or to commit IT staff to cybersecurity? What we’re finding very quickly is that no one is immune, whether the attack is an advanced hack against a multinational corporation or a ransomware infection in a small business.
As Richard Henderson, a security strategist with FortiGuard Labs explains, “It’s clear that companies just aren’t getting the message about how easy it can be for an attacker to gain an initial foothold into a network by compromising the human element of the IT equation.” So-called “spear-phishing” campaigns that target employees with legitimate-looking emails, and “watering hole” attacks in which trusted websites are compromised to capture data and install malware, are both common and effective tools that hackers use every day. Just last week, ICANN, the organization responsible for Internet domains, announced that its systems had been compromised as the result of a phishing attack.
Security experts are now saying there are only two types of companies left in the U.S.: Those that have been hacked, and those that don’t yet know they’ve been hacked. And although cybersecurity is being forced to the forefront of national consciousness, we still are not seeing the urgency needed to make a difference.
There is no more time to wait on the issue of cybersecurity. Government agencies and corporations alike must become both educated and absolutely determined to stop cybercrime now. Neither can afford mediocre approaches to security and customers (whether citizens, in the case of government; or paying clients, in the case of corporations) must demand better. Organizations must have the right plans and the right technologies in place to deal with the threats we’ve seen do so much damage in 2014, and the threats we know are on the way in 2015.
Researchers at Fortinet have identified “blastware” as a key technology they expect hackers to employ in 2015: This malware not only destroys the systems it infects, but simultaneously covers hackers tracks as they move around an organization’s data.
Only the right combination of cutting-edge research by “white hat hackers” (who have the training and experience to combat constant innovation by “black hat hackers”) with powerful emerging technologies in threat detection and strong government regulations will be able to control the overwhelming surge of cybercrime. We can’t afford to maintain the status quo of “good-enough” security. The stakes are too high, the losses to organizations and individuals are too great, and the security interests of our nation are too valuable.
As chief financial officer of Fortinet, Andrew “Drew” Del Matto brings more than 20 years of financial management experience and expertise in the network security market. Prior to joining Fortinet, he held a variety of senior management roles at Symantec including serving as its acting chief financial officer; he previously held senior finance leadership roles with Inktomi Corporation and SGI Corporation. Reach him @Fortinet.
This article originally appeared on Recode.net.