Cybercrime surpasses illegal drug trade and we still don't think it's a big deal (updated)


The IT Compliance Institute claims that cybercrime has become a $105 billion business, which surpasses the illegal drug trade, but people still don’t understand what a serious threat cybercrime can be. Corporations lose more than 40 billion dollars per year to cybercrime, but as a security analyst I still feel resistance to changes in software security, IT infrastructure and other factors that could mitigate a great amount of risk in insecure systems.

 

I understand these companies’ concerns - they have board members and stockholders to answer to and they have to keep profits as high as possible, so everything is about ROI. What’s the return on an investment protecting you against something that may or may not happen? ROI for security is very difficult to measure, to be sure. However, as soon as your company is crippled by the next worm, or the internal network has been targeted and breached by the latest 0-day vulnerability, the CSOs, CISOs and CTOs of today’s modern company will have no choice but to listen to the deafening sound of the next major data breach.

So what can we do?

It turns out there’s a lot we can do. Here are a handful of easy-to-implement activities that I employ and that people should really be considering. These will reduce your external attack surface and reduce the damage of generic threats.

Require the use of TLS/SSL for all e-mail – this will help ensure e-mail credentials and contents are not sniffed from the network if an employee connects to the network at a coffee shop or airport.

Deploy and use PGP encryption and signatures – this will make sure that the e-mails that you are receiving are coming from who you think they are and that you have the ability to encrypt sensitive customer information.

Create and enforce a solid password policy – making your users choose a secure password helps mitigate the threat of hackers breaking into your system through the front door.

Encrypt sensitive information in databases – breaches like TJX wouldn’t have been as much of an issue if proper encryption techniques were used to encrypt stored sensitive information.

Expire sensitive data as soon as possible – information that is kept past its useful time period is simply a liability; properly expiring your data as soon as it loses usefulness will help you sleep better at night.

Education – The last but most important thing we can do isn’t policy at all; it’s educating our employees to see the benefit of security and empowering them to make good security decisions. Little things like not downloading or running files and programs from untrusted sources (such as the internet or e-mail) are a great place to start.
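One way to check the first recommendation (TLS for all e-mail) on a mail server you run, as an added example that is not part of the original post: it classifies EHLO replies captured on the plaintext SMTP port by whether login is advertised before STARTTLS. The host names and replies are constructed samples, the function names are hypothetical, and implicit-TLS ports are out of scope.

```python
"""Added example: classify SMTP servers by whether they advertise login
before TLS, using EHLO replies captured on the plaintext port."""


def parse_ehlo(reply):
    """Return the extension keywords advertised in a 250 EHLO reply."""
    keywords = set()
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for ln in lines[1:]:                      # line 0 is the server greeting
        if ln[:3] != "250" or ln[3:4] not in ("-", " "):
            continue                          # skip anything that is not a 250 line
        body = ln[4:].strip()
        if body:
            # "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN" both map to AUTH
            keywords.add(body.split()[0].split("=")[0].upper())
    return keywords


def classify(reply):
    """Label the pre-TLS posture of one server from its EHLO reply."""
    kw = parse_ehlo(reply)
    starttls, auth = "STARTTLS" in kw, "AUTH" in kw
    if auth and not starttls:
        return "FAIL: login only possible in cleartext"
    if auth and starttls:
        return "WARN: TLS offered but login advertised without it"
    if starttls:
        return "OK: no login advertised before STARTTLS"
    return "FAIL: no STARTTLS offered"


# Constructed sample replies (hypothetical hosts), as seen before any STARTTLS.
SAMPLES = {
    "mail-a.example": "250-mail-a.example\n250-SIZE 10240000\n250-AUTH PLAIN LOGIN\n250 8BITMIME",
    "mail-b.example": "250-mail-b.example\n250-STARTTLS\n250-AUTH=PLAIN LOGIN\n250 HELP",
    "mail-c.example": "250-mail-c.example\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME",
}


def audit(samples):
    """Return {host: verdict} for every captured reply."""
    return {host: classify(reply) for host, reply in samples.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(f"{host}: {verdict}")
```

A WARN result means a mail client that skips STARTTLS on an untrusted network can still send its password in the clear, so the server should withhold login until TLS is negotiated.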

 

--Joe Basirico

 

EDIT: I posted this last Friday, but over the weekend I realized that I’m much more interested in hearing what works for you, so I’ve compiled a few questions to get some discussion going. Please respond in the comments.



  • Have you found that these techniques help secure a network?

  • Are there techniques that you use that I haven’t listed here?

  • What works for you, and how much security do they provide versus the headache and time they took to set up?

  • From an IT perspective, should we always make the decision that will create the most secure system, or are there times when usability wins out?
