Risk Management

Come Together over Cybercrime

A Homeland Security official calls on CFOs to break down the corporate silos that house cybercrime risk management.
Marie Leone | June 29, 2010

“Cybercrime is not a problem that is growing, or coming, or off in the future,” said Greg Schaffer, an assistant secretary at the U.S. Department of Homeland Security who heads up the agency’s Office of Cybersecurity and Communications. “This is a problem right now,” he told an audience of finance executives at the CFO Core Concerns conference in Baltimore on Monday. He cited recent FBI testimony before Congress that revenues from cybercrime have reached an estimated $1 trillion per year, putting it ahead of drug trafficking (for the first time) on the list of the world’s most lucrative illegal global businesses.

Schaffer, onetime chief risk officer for Alltel Communications, asserted that there is a “disconnect” between corporate risk managers and information technology professionals. For the most part, he said, companies have kept risk management related to cybercrime in “a silo” within the IT department, rather than treating it as something that permeates the entire operation. CFOs have a responsibility to break down such silos, he said, given their involvement in enterprise risk management.

Thwarting cybercrime has moved beyond simply keeping networks operating smoothly or intelligent gizmos running without a glitch, said Schaffer. Indeed, a major challenge for companies is simply realizing that they have been victimized. Cybercrime isn’t like a warehouse break-in where managers find inventory missing the next morning, he explained: “If [a cybercriminal] steals from you, you still have the data.”

That means companies must have systems and processes in place to detect a breach, and have the forensic capabilities to retrieve information about a theft soon after it happens. If they don’t, the chances of tracking a crime to its source are “infinitesimal,” noted Schaffer.

The only way to stay ahead of the crooks is to have risk managers and IT practitioners thinking about the crimes before they happen, said Schaffer, noting that the stakes are high and growing. On average, a single cyberbreach costs a company $6.75 million. That adds up, considering that according to a recent international poll, all 27 countries participating in the survey claimed to have experienced financial losses related to cybercrimes during the past year.

Schaffer also pointed out that security-software maker McAfee says 30 million examples of new malicious software were released on the Internet in 2009. That’s about 47,000 new cases of “malware” per day.

Schaffer discussed a few company-specific cases, noting that one U.S.-based bank lost $9 million in one day from cybertheft at ATM networks located in 27 different cities. Meanwhile, three major oil companies confirmed that they were jointly targeted by an “extremely aggressive” networking scheme to steal intellectual property and other proprietary data, including a multimillion-dollar research project on oil exploration.