The worst case scenario for global computer and Internet security is that of any blockbuster thriller about international cybercrime. The true enemy rarely shows or never shows its face until its too late.

But this is not a movie.

From Japan, to Europe to Silicon Valley, hackers with financial designs on stealing mission critical data and so-called hacktivists with aims to disrupt governments and businesses are equally busy, with the list of high-profile system incursions and data smash and grabs growing by the day.

Since 2005, U.S. businesses have publicly reported 3,765 security breach incidents, costing more than $156 billion, according to the Digital Forensics Association, in an August report titled The Leaking Vault - Six Years of Data Breaches. Hacking was responsible for 48 percent of all security breaches, the report said.

Now, as hackers become more nimble, shrewd and anonymous, the challenge for publicly-traded enterprises which have been hacked, such Sony Corp. SNE, is not only the risk of lawsuits and loss of market share but also loss of confidence based on disclosed data breaches. If customers, partners and shareholders dont have assurance that data is safe, businesses will suffer.

In that vein, and in recognition of National Cybersecurity Awareness Month, sponsored by the Department of Homeland Security, many in the information technology community are calling on government to step in with comprehensive policies to stave off threats.

Government needs to provide clear federal safe-harbor rules that allow companies to report intrusions without draconian legal or fine consequences as long as the company immediately reports intrusions and cooperates with law enforcement, said Phil Lieberman of Los Angeles-based Lieberman Software. There also needs to be clear guidance as to what is reasonable care with respect to the responsibility of companies to protect their infrastructure.

Meanwhile, security companies are consolidating to help cut costs and improve the services they can offer. The most prominent example of this is the $7.7 billion purchase of McAfee by Intel Corp. INTCearlier this year. Thats a deal that merges security software architecture with microprocessor manufacturing in an effort to shore up security in tablets and mobile devices.

Yet even with consolidation, analysts arent yet hot on IT security as a big money play.

A perfect case in point is anti-virus and security research giant Symantec Corp. SYMC, which despite solid earnings and tireless threat landscape research, has seen its shares stuck in a range this year between its $15.27 a share and $20.50.

The biggest risk, analysts say, is that its difficult for companies to estimate what the true cost of a hack will be, and therefore be prepared to defend against it.

Companies often underestimate the hard-and soft-costs associated with notifying customers whose personal information was stolen, the costs of legal proceedings, the value of lost intellectual property, and the longer lasting brand damages resulting from the loss of customer trust, said Ashar Aziz, chief executive of FireEye, a Milpitas, California-based network security company.

The list of incursions is as long as it is alarming and it seems almost no entity, from Sony, to the IMF, to Citibank, to Microsoft, to Google and even the RSA security conference is completely safe.

Robert Stroud, vice president for strategy and innovation at CA Technologies, said a number of risks are at play.

First is the expectation, and often the regulatory requirement, to report breaches, which mandates reporting, said Stroud. Consider when credit card data is compromised and you receive notification, for example.

Second is the proliferation of data, he said. The massive amounts of data that is being created, used and stored, and the awareness and knowledge of those who wish to obtain access to the data, combined with ineffective security processes, often also expose data.

One area investors are looking at closely is cloud computing and virtualization. Companies such as VMware Inc. VMW, which in May acquired privately-held Shavlik Technologies to shore up cloud security offerings, is closely monitored by the hedge fund industry, though its shares have also been stuck in a range the last six months.

Stroud said that enterprises need to fundamentally understand the information they have and how they use it and store it though its life cycle.

Vincent Schiavo, CEO of a San Ramon, Ca., security company called DeviceLock, said he doesnt see threats letting up anytime soon, and predicts they will get worse before they get better.

Corporations that ignore newer threat vectors like mobile computing, dockable devices and cloud computing should certainly make special allowances since they will be the most likely to experience data breaches and hacks, he said.

(c) 2011 MarketWatch.com

Publication Date

10/13/2011

Source:

Marketwatch