The Risky Business of Breaches
2014 seemed to be the year of big breaches, especially for payment card information. The loss of millions of records containing payment information occurred at many well-known retailers such as Home Depot, Target, and Neiman Marcus, and even smaller retailers such as SuperValu, Michaels, and Aaron Brothers. With the frequency and magnitude of these breaches increasing, the “business model” regarding attacks is becoming rather well-defined—for both the attacker and the attacked.
What is meant by business model? Well, one could argue that these breaches have certain risks, costs, rewards, and reactions that are well-understood. Let’s take a closer look.
- The value and cost of information. There is clearly a market for stolen data once it is acquired. Depending on the credit limit, credit score, age of the stolen data, and country of origin, the market has a clearing price for these records. In some cases there may even exist several layers of “distribution” through which the information is delivered to buyers. The organizations that were breached understand a different type of cost as well. They must notify the customer, provide a credit monitoring service in many cases, and reissue a card or cover the cost of reissue (courts are allowing banks to sue retailers to recover costs in the Target breach).
- Insurance. Many of the organizations that are subject to attacks have acquired some form of insurance coverage that offsets the cost of a breach. Such policies certainly are based on some risk model or actuarial-table-like calculation to determine the premium amount to charge based on the level of coverage. Organizations can factor this into the cost model for a breach and recovery.
- Attack tools. The perpetrators of attacks have a fairly set script they follow, with costs and expected returns. They may purchase a zero-day exploit, do research to find a zero-day exploit, or purchase specific malware or malware toolkits to carry out their “projects.” They probably weigh the risk and their investment against the clearing prices for payment card records in the open market.
The cyber attack business model is somewhat structured—it has defined risks, costs, and revenues. There have been so many attacks in the last twelve months that the model is becoming well established. Perhaps without better security by organizations, or changes in law enforcement’s apprehension and prosecution, this may become the “cost of doing business”—just as a certain amount of shoplifting or shrinkage in retail has become accepted since the cost to drive it down further may not make sense.
But there is a problem with just accepting this business model, and Sony as an attack victim late in 2014 highlights this. The breach at Sony did indeed steal information, but it was outside the “normal” model for data theft. The data stolen was not payment records with defined values and recovery costs that could be insured against. The breach at Sony divulged business conversations about actors, agents, and the people they interact with to create intellectual property that can become Academy Award winners and multi-million dollar box office hits. It damaged business relationships that are difficult to mend. It disrupted business operations that were being executed to recognize returns on a $44 million investment. It even supposedly put at risk other assets that may have had even more potential than the $44 million project. It also brought the network down and stopped any productivity for days. This is all quite a different business model than the typical payment card information breach.
What could Sony have done? As details are divulged this may become easier to answer, but for now one can assume that they should have had a more serious focus on security and taken more steps to ensure that they had a well-defined and deployed security strategy. Perhaps Sony needs to think more like their attacker, or perhaps they should borrow some gaming ideas from Sony Online Entertainment (the ultimate online gaming destination) to test their own network security as if they were the attacker. It might reveal some interesting ideas for how Sony could harden their defenses.