Information Security & US & Life & Love & Fashion & Hacking & Passion

Fighting cybercrime in an economic downturn

Editor's note: This is part of a series of stories about the recession's effect on the tech industry.

Last month, McAfee cybercrime strategist Pamela Warren sat down with a senior executive at a Sydney bank to discuss the risks to the corporate network from workers using social networking.

After going over the trade-offs associated with allowing insiders to use social networks at work, his team confirmed that they would use data leak prevention technology to monitor the network traffic--balancing the desire to benefit from such new technologies while ensuring company secrets remain protected.

Warren had a similar meeting with a U.S. government agency last week to discuss strategies for dealing with public employees using Web apps at work and mobile devices, which can introduce viruses and other security problems into a corporate network. And she's been preparing for the launch early next year of McAfee's Cybercrime Response Unit, a site where consumers can go when they think they've been victimized by online scams.

She's sharpening her focus on protecting Internet users because malware attacks are up now that economic times are tough. Online scammers have been going into overdrive with phishing and other online schemes aimed at people confused about the banking consolidation or who are desperate because of a layoff or foreclosure. In fact, there are direct correlations between targeted cyberattacks on consumers and the stock market decline over the past few months.

"It's a ripe economy to take advantage of people," she said.

Consumers are being scammed in a variety of ways. People are receiving phishing e-mails asking them to provide their bank account information so as to avoid having their bank account closed in a merger. They provide their bank information and their account balance is plundered.

People also are getting e-mails and seeing ads on the Web for work-from-home "jobs" where all they have to do to become an "international sales rep" is open a bank account to receive money in and then wire the money to some international third party. In reality, the transaction is nothing more than a money-laundering move, known as a "cyber mule operation," to transfer money to another country and hide the trail in an illegal deal. Typically, the transaction is a payment for some kind of illegal activity such as the exchange of lists of credit card information or personal data that can be used for identity fraud. (McAfee published a report about the rise in cybercrime earlier this week.)

Physical crime may not pay, but cybercrime certainly does--and it pays big for those with the know how to take advantage of it. Moreover, in some countries where technology is still in its infancy and laws don't exist or are only vaguely defined, it's even semi-legal.

On one level, this should come as no surprise. Laws often take years to catch up to technology. In places where technology is still developing, it will take even longer. But even in established economies it takes time to comprehend all of the ramifications of new technology and to figure out how that technology is actually used and misused.

Yet there's another level. Because the Internet is an open highway for data moving in all directions, it means criminals can work in one or more geographies, individually or in gangs. It also means they can reach across international boundaries and grab whatever they can through a variety of means--phishing, pharming or spear-phishing--without ever stepping foot in the country where the crime is committed.

Bad people with bad intentions do exist and, when they can get away with it, they often do bad things. For corporations, that poses both philosophical and legal problems--both of which fall squarely on the chief information officer's shoulders.

On the philosophical side, the biggest question is just how open should a company be? The free exchange of ideas is vital to an innovative company. In fact, the more the better, even if most of them aren't useful, and that generally requires interaction with the outside world. Locking down a corporate enterprise to keep out the bad guys is roughly the equivalent of air travel after 9/11. Prior to that, it was an acceptable mode of transportation. Now it's time-consuming, inconvenient and often just plain miserable.

Most people don't want to work in an ultra-secure environment, so it's up to the CIO to find a happy medium between the open, free flow of ideas and the legal problems that can ensue if company data gets out. That includes everything from intellectual property, which can be used by a competitor, as well as customer data that can create havoc if it falls into the wrong hands.

Corporations are entrusted with keeping personal information private. Adhering to minimum industry standards is no guarantee data won't get stolen or the company won't get sued. Even if a company ultimately wins in court, lawsuits are expensive to defend and can chip away at a company's well-earned image.