The toll of cyber crime appears to be rising as criminals become more sophisticated and more focused on financial gain. And while businesses are doing a bit better at protecting themselves, criminals have become better at bypassing the standard security measures, experts say.
To complicate matters, more businesses are adopting cloud computing, in which they run software and store data on computers outside their own premises and their own direct control. (The term can also refer to internal or private clouds, which distribute work over multiple servers but only within an organization.)
Worries about data hold some businesses back from cloud computing. When Toronto-based technology news site ITBusiness.ca surveyed about 300 small and medium businesses last September, about 35 per cent named security as their biggest concern about cloud computing.
But cloud computing isn't necessarily less secure, says Brian Baird, chair of the Canadian chapter of the non-profit Cloud Security Alliance and chief technology officer of the Identity Management Centre of Excellence at SaskTel in Regina.
"If you're running a completely isolated and private network on your own premises," Mr. Baird says, "then there's a pretty good likelihood of control."
Few organizations do that, however; if you're dealing with customers and partners, those services are exposed to the Internet in one way, shape or form.
Yet putting data in the cloud does not have to make it more exposed. And since good security is costly, Mr. Baird says, a major cloud service provider can usually do it better than an average small to medium business.
The basics of security are keeping anti-malware software up to date, applying security patches to software promptly and protecting the perimeter through firewalls and the like, says James Quin, lead analyst at Info-Tech Research Group in London, Ont. And those rules still apply in the cloud. But for businesses using the most popular cloud computing services, security becomes less a hands-on matter of maintaining firewalls and more a question of choosing cloud service providers wisely and asking the right questions about their security practices.
Most cloud computing today takes the form of software-as-a-service, where the cloud provider offers a complete application running on its own servers. In this model the cloud provider takes responsibility for security, and the customer's concern is making sure the provider does its job.
Customers should look for possible holes in the defences – things that may be overlooked, such as whether backup tapes are encrypted before they leave the provider's premises.
Would-be cloud customers can also look for "some kind of third-party validation of that cloud or the technology powering that cloud," says Eran Farajun, executive vice-president of Asigra Inc., a Toronto-based cloud backup service provider.
For instance, the Statement on Auditing Standards No. 70 (SAS 70), developed by the American Institute of Certified Public Accountants, covers internal controls including information technology and related processes. FIPS 140 is a cryptographic standard developed by the National Institute of Standards and Technology in the U.S.
No matter how good the cloud provider's security, Mr. Quin says, off-site cloud computing means data passes over a public network between the business and the service provider. If that data is at all sensitive, it should be encrypted for transmission.
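Encrypting data for transmission, as Mr. Quin recommends, only protects the business if the client software also verifies that it is talking to the real cloud provider; a TLS connection that skips certificate and hostname checks still encrypts the bytes but can be intercepted by anyone on the path. The snippet below is an added example, not code from the article or from any company quoted in it. It uses only Python's standard `ssl` module; the function names (`make_client_context`, `make_weak_client_context`, `audit_context`) and the TLS 1.2 floor are this example's own choices.

```python
from __future__ import annotations

import ssl

# Floor on the protocol version we accept for traffic between the business
# and its cloud provider (assumption of this example, not a value from the article).
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2


def make_client_context() -> ssl.SSLContext:
    """Return an SSLContext hardened for connecting to a cloud provider's API.

    PROTOCOL_TLS_CLIENT already turns on certificate and hostname verification;
    we additionally set a floor on the protocol version and load the platform's
    trusted CA bundle so the provider's certificate chain can be validated.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_TLS_VERSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def make_weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: verification switched off to 'make the connection work'.

    The bytes on the wire are still encrypted, but any machine on the path can
    present its own certificate and read or alter the data, so sensitive data
    sent this way is not actually protected in transit.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context is acceptable.

    This is the check a business can run over its own integration code before
    trusting that 'we use HTTPS' means the provider's identity is verified.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required/verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < MIN_TLS_VERSION:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2"
        )
    return findings


if __name__ == "__main__":
    # Runs offline: no connection is opened, only the configurations are inspected.
    for label, ctx in (("hardened", make_client_context()),
                       ("weak", make_weak_client_context())):
        problems = audit_context(ctx)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

The hardened context is what you would pass as `context=` to `http.client.HTTPSConnection(host, context=ctx)` or to `urllib.request` when sending backups or API calls to the provider; `audit_context` is the kind of assertion worth adding to integration tests so that a developer cannot quietly disable verification to work around a certificate problem.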
One twist on security that arises in cloud computing is the need to ensure that you can get your data back if the cloud provider goes out of business or either party terminates the contract.
"You, the customer of the service, maintain ownership and control of the data at all times," Mr. Baird says. Otherwise, warns Mr. Farajun, "you might get such a secure cloud that you can't get your own data out of it."
While most cloud computing today follows the software-as-a-service model, other models called platform-as-a-service and infrastructure-as-a-service mean the customer is essentially buying raw computing power, possibly with a layer of operating software on top, rather than applications. In that case, Mr. Moss says, the customer rather than the cloud provider is responsible for the details of security, more like in the traditional computing model.
State of security
The median cost of cyber crime to businesses surveyed in the Second Annual Cost of Cyber Crime Study, conducted by the Ponemon Institute of Traverse City, Mich., last summer, was $5.9-million (U.S.) per business, per year. Individual businesses reported costs ranging from $1.5-million to $36.5-million a year. Computer maker Hewlett-Packard Co. of Palo Alto, Calif., sponsored the survey.
That median number was up 56 per cent from Ponemon's first survey in July, 2010.
While this particular survey has been done only twice, Ponemon Institute has studied cyber crime for years. Larry Ponemon, its chairman and founder, says the damage cyber crime does is growing as criminals have grown more sophisticated.
The apparent increase in losses could be due partly to increased reporting of security breaches, notes Mr. Quin, but there's no question cyber criminals are focusing on money. "Cyber crime is a very monetized threat," Mr. Quin says.
Criminals are going after the online targets with the biggest rewards, says Tom Moss, director of products and services for security software provider Trend Micro Canada in Ottawa. "It's not necessarily mischief any more."
The good news, Mr. Quin says, is that everyone is more aware of the threats.
But there's no room for complacency. Mr. Ponemon says he would give U.S. companies a grade of C+ on security today compared with perhaps a D- 10 years ago. He adds that Canadian businesses do a slightly better job than their American counterparts at security and protecting privacy – but their record is still less than exemplary.