Last week's reports that the Chinese government hacked into The New York Times were just the tip of the iceberg.
I don't just mean the reports that came out soon afterwards about successful hacks against The Wall Street Journal and Bloomberg.
Over the past couple of years, there have been analyst reports about a number of other companies and organizations infiltrated by Chinese hackers, including a number of oil companies, US government satellites, the US Chamber of Commerce, and a wide variety of technology companies including Google and Nortel.
I'm willing to bet, though, that we don't hear about the vast majority of attacks.
The New York Times is a media company. Media companies love big, juicy stories, and Chinese hackers infiltrating the world's premiere newspaper is the definition of big and juicy.
Sure, there were probably some people at the newspaper who saw the hacking as an embarrassment, and would have preferred to see it kept quiet. But it's hard to fight against the news instincts of your entire organization.
That's not the case in most companies. And, unless sensitive data is stolen, like credit card or Social Security numbers, companies have no obligation to tell anyone that they were hacked.
In fact, going public would only hurt a company's brand image and stock price. Plus, other hackers might read about the infiltration and get the idea that the company has weak security and is a prime target for their own efforts.
So what happens is that companies make a huge effort to protect personally identifiable information. After all, if it is hacked, the consequences are immediate, severe -- and very expensive. According to the latest report from Symantec and the Ponemon Institute, the average cost of an enterprise data breach is $5.5 million, or about $194 per stolen record.
Losses due to Chinese hacking and similar attacks are less visible but more insidious in the long term.
Unfortunately, when you're looking for additional money in your security budget, it's easy to make a case for beefing up security around, say, customer credit card numbers. You can point to all the companies that have been in the news because of data breaches, and how much it cost them to deal with the breach.
When hackers are going after strategic information instead, the costs are less visible, and it's easy to postpone security upgrades until the next budget cycle.
Plus, you could argue that The New York Times and The Wall Street Journal were special cases, high-profile political targets. The Chinese government might have an interest in going after politically embarrassing news coverage. Or military secrets. But why would the government go after regular run-of-the mill companies?
One possible reason was pointed out to me today by Patrick Taylor, CEO of Oversight Systems, a company that provides risk management data analytics software.
“The majority of Chinese companies in the Fortune 500 are state-owned enterprises,” Taylor said.
There were 73 Chinese companies on the Fortune Global 500 list in 2012, second only to the US -- and 65 of them were state-owned.
I can't think of another country on the planet right now where the interests of business and government are that closely intertwined.
And yes, I do understand the irony of writing that after an election where corporate donations and government bailouts were a big political issue.
But when the US government winds up owning part of a company, there's a big outcry. When the Chinese government runs entire industries, sets business agendas, names political appointees as senior executives, and passes legislation to favor those companies -- that's just the way things are.
So if you're a company that is currently competing against Chinese firms, or might do so in the future, consider beefing up your security around your email systems and document storage.
For example, one attack vector used at the NYT was to trick employees into giving up their passwords and then logging into their accounts. One security technique that could work here is to ask for a second method of authentication when an employee logs in from a new device.
Many banks already do this, and most of the time you don't notice this security layer at all. When I do log in from a new device -- say, because I got a new computer or am logging in from a friend's house -- my bank sends me a one-time password via text message.
It's a very minor inconvenience for employees, but a significant security improvement for the enterprise.
— Maria Korolov is president of Trombly International, an editorial services company that provides coverage of emerging technologies and markets. She has been a journalist for more than 20 years.
Related posts:
Email This
