Friday, February 11, 2011

Nasdaq Hack Brings Security Issues Into The Boardroom

Have you been having trouble getting your board of directors to care
about information security? This weekend’s news that Nasdaq’s
Directors Desk web application was compromised by hackers may help to
improve your situation.

Details have been elusive thus far, but reports indicate that multiple
breaches occurred, resulting in “suspicious files” on the company’s
servers. A statement released by Nasdaq assures us that its trading
systems and customer data were not compromised, and those in the know
tend to agree that infiltrating the trading systems would be
substantially more difficult than breaking into the web environment
and leaving a few files behind. As the investigation continues,
hopefully we'll learn more, but what can we take away from this story
so far?

The list of attractive hacker targets continues to grow. Whoever
perpetrated this breach chose not to go after traditionally lucrative
targets like customer/employee data, or to make a more difficult and
devastating attempt to dismantle one of the world’s biggest exchanges.
Instead the target was a more accessible set of extremely sensitive
corporate data – details about mergers, acquisitions, dividends, and
earnings. Without much sophistication, criminals could use this
information to execute rather impressive “insider trading”
transactions or simply find an outlet like WikiLeaks for some of the
more embarrassing tidbits.

Normal monitoring should have caught this breach sooner. A federal
official told the Associated Press that the attacks took place over
the course of a year, while Nasdaq’s statement said the files were
found through the company’s “normal monitoring systems.” It would
appear that the monitoring functions were not as frequent or effective
as they should have been.

The government will get even more involved if there’s a perceived lack
of control. While we still don’t know if hackers gained any useful
information from this attack, the potential implications touched many
of today’s most buzz-worthy topics... investor confidence, corporate
oversight, and financial market stability. Legislators on both sides
of the house were quick to press Nasdaq and other exchanges, as well
as regulators, for more information about what’s being done “to ensure
the ongoing integrity and security of exchange trading systems and
clearinghouses.” If they don't like the answers, expect more rules and
oversight to follow.

It’s a good time for a heart-to-heart with your board about security.
You don’t have to build a horrific awareness campaign about the
hackers lurking around every corner... but it’s important for the
board of directors to know that their mobile devices, email accounts,
and online communications may very likely be a target of attack.
Directors and top executives who often expect policy exceptions should
understand the potential risks those exceptions create. Also, it
wouldn’t hurt to look into the way your board members communicate to
make sure top-level secrets are appropriately protected.
