There's no 911 for cybercrime. If there were, would you call?
Security pro Nick Selby is running a survey to see who REALLY calls the authorities when they're hacked. Here's why.
By Nick Selby
April 25, 2012 — CSO —
If you work for a large corporation, you hear lots of talk about corporate responsibility, and that's great. But I can't help but point out that, whether it is intentional, there is a massive and growing hypocrisy in the corporate world when it comes to prosecuting crime.
When I worked at a large company about 20 years ago, a mid-level manager told me the company showed it was serious about crime when he called the police about some minor vandalism to the doorways of our corporate headquarters. I'm certainly not saying that companies shouldn't act aggressively to ensure that employees and the public observe the rule and the spirit of law. Quite the contrary.
But it's anecdotally clear that most companies simply don't call the authorities when they experience criminal losses through online attacks. We in the industry know this, but I wonder if the assumptions we make as to why this is so are correct. It's especially important to consider this now, as we're in the middle of what can only be called a "conversion convergence" which continues to see increases in use of the Internet to monetize stolen information and to launder ill-gotten gains.
I've often said that there is no 9-1-1 for cybercrime. But I wonder: If there were, would anyone call?
I'm not so sure.
In handling computer incidents and advising companies which have been the victims of intellectual property theft in the millions of dollars, one thing we hardly ever hear is, "Let's prosecute." Actually, the concept of prosecuting a cyber breach seems so quaint as to paint the utterer with the brush of someone hopelessly out of touch. We in the business know the chances of a successful capture and prosecution of those responsible for a given act of cyber crime are nearly nil (unless you've gotten exceptionally greedy, irritated the FBI or US Secret Service, gotten your hack in Time or stolen the email of someone famous).
In fact, at this point, calling the authorities after you're hacked won't actually get you much. With my vandalism example above, at least the cops could provide directed patrol of your headquarters. No one's gonna patrol your network. Criminals and victims know this: When non-tough-guy Ashton Kutscher goes all Charles Bronson and says he's "coming for" those who hacked his Twitter account, law enforcement's failure to provide a deterrent is highlighted. Outside those very high-profile cases, you're pretty much out of luck when it comes to getting law enforcement help on a computer crime.
Is privacy an ally of security, next of kin, or something else? These articles dig into the hows and whys of data privacy and data protection, and its relationship to enterprise security efforts.
6 ways we gave up our privacy
The effect of social networks, web 2.0 technologies, and other privacy-shaking developments
7 Firefox plugins for data privacy
Plug data-leaking holes in your web browsing
4 signs of an easy victim on social networks
Scammers and hackers of all kinds scour social sites for personal data
Potential privacy 'gotchas' in cloud computing
How to respond to a data breach notification
5 things to know about the Chief Privacy Officer
- Forrester Research and EMC on Continuous Availability
- Big Ideas; Big Tech-Continuous Availability for VMware
- Reduce Costs, Maximize Performance and Ensure High Availability of your Business Critical Applications
- Software Asset Management - Program Considerations to Help Reduce Risk and Lower Costs
- Content Analytics Explained
- Modernizing Wireless Infrastructure for Today's Mobile and Data Driven Enterprise
- #FFSec: Infosec pros who bring value to Twitter
Follow these names on Twitter. Together, they make cyberspace a more secure place. (copy and paste) - B-Sides Boston is Saturday
- Leaving CSO, Heading to Akamai
More Salted Hash with Bill Brenner
