Data leaks evolving into weapons of business destruction

Increasingly, attackers are using data leaks to target the companies themselves, going after proprietary or embarrassing information and releasing it in such a way as to do the most harm

1 2 Page 2
Page 2 of 2

"You can leverage dissident hacktivist groups, and if there aren't any dissident hacktivist groups, you can make them up," Meyers said.

"What's most concerning is they've established that there's credibility around the documents, and if they were to start putting fake stories in there, it would be very difficult to go through and validate that as not true," he said. "Verification of these documents is very difficult and time-consuming. And it might be irrelevant if it's true or not -- the damage would have been done."

A nation-state in particular might take a long-term view and leak real documents through a particular platform in order to establish its credibility.

"If I am a nation state, I might want to appear to be a hacktivist or freedom fighter, establish a reputation over time, and then strategically use those leaks -- maybe even modify some of that data," said Rich Barger, chief intelligence officer and director of threat intelligence at ThreatConnect. "A few sentences here or there, and I might begin to introduce some fake information. If I have enough of a following, and I do it long enough, I'll have established trust and folks wouldn't be as critical or look as deep into the information I put out."

Plan for failure

Better security and employee education may reduce risk of data leaks but won't eliminate it, and companies need to plan for the worst case scenario.

"If you're doing things that you think would be embarrassing on the front page of the New York Times, then it's going to get on the front page of the New York Times," said French Caldwell, chief evangelist at governance, risk and compliance company MetricStream and former Gartner vice president specializing in risk management.

We're now in a world without secrets, he said.

"You're just going to have to get prepared for the fact that it's going to happen," he said. "You have to assume that it is going to get out there somehow, either through a hack or through a whistleblower."

Organizations built around transparency will have an advantage on this front, he added.

And everyone needs to be prepared to respond quickly on multiple fronts.

"With social media, these crises get blown up extraordinarily quickly, and it becomes a social storm," he said. "What is your response to a social storm? It's not something you want to be learning about on the fly."

He suggested that companies take a look at their business operations and identify areas where there might be an issue with public perception and be prepared to respond.

For example, he said, a company might be using hazardous chemicals -- but those chemicals also offer significant advantages. "In the event of a crisis, are you prepared to make the argument about the benefits of what you're doing, so that you're engaging in this public policy debate?"

In fact, a company or their employees might be unintended victims in an otherwise unrelated attack.

"One of the things that is a bit concerning and the disclosures that are going through WikiLeaks now is that it's not apparent what the actual immorality or the crime is that warrants the disclosure of every single email," said Mark McArdle, CTO at security firm eSentire.

"There is a collateral damage aspect," he said. "A mom talking about a doctor appointment for a child --- there is no merit in having those types of disclosures."

Elevating security

One positive benefit of all the leaks -- both those aimed at personally identifiable data and at proprietary corporate documents and communications -- is that it has elevated the discussion of security and risk in general.

No longer limited to the IT department, it has become a concern for finance, for sales and marketing, for investor relations, for top executives, and for corporate boards.

"As you see more and more of these types of events come up, and the entire organizations realizes that they need to plan for these types of events, you'll definitely see more and more collaboration," said Jesse McKenna, director of cybersecurity product management at security firm vArmour. "Not just a security response plan, but a coordinated response plan."

And that goes for budgets, as well, he added. "How much are you willing to spend now to prevent a potential catastrophe in the future?"

A leak might cost a CEO their job, or even destroy an entire company.

But there's another possible upside to the current climate.

"My optimistic response would be that the additional risk of exposure for CEOs or executives would make them far more cautious and would -- ideally -- prevent them from engaging in activities that, if exposed publicly, could cause them to lose their job," McKenna said.

He's not alone in thinking this.

"I think in a sense, that's something that we can bring away from this," said Paul Shomo, senior technical manager at security firm Guidance Software. "Organizations operating at a more acceptable and ethical level, while at the same time reducing the risk from weaponized data affecting you."

1 2 Page 2
Page 2 of 2
SUBSCRIBE! Get the best of CSO delivered to your email inbox.