My grandma never used a computer. But she sure loved her iPhone.
It’s been a wild year for hacks and breaches. RSA, Lockheed Martin, Sony, and Citigroup all experienced data losses and hacks in 2011, as well as iconic bastions of goodness and security like NASDAQ, the Department of Energy, and the Department of Defense.
The really scary news, though, in the midst of all this breach noise and cyber-hullabaloo, is the persistent targeting not just of Pennsylvania Avenue or Wall Street, but of Main Street too.
Back in July I was busily prepping for a talk at Secure Asia Conference when I came across this excellent Wall St Journal article about tiny City News Stand in Chicago. Unbeknownst to its owner, cyber thieves had planted malware on in-store systems that scraped credit card info and sent it off to a destination in Russia.
As owner Joe Angelastri said at the time, “Who would want to break into us? We’re not running a bank.” I borrowed Joe’s story to help explain the value of Tripwire’s Cybercrime Controls Library and headed off to Jakarta for my presentation.
What I didn’t realize back in July was the fast-growing nature of this trend. Just three months later I stumble over two new articles, without even trying, that highlight the shift to cyberattacks on small businesses:
- From The International Business Times: “U.S. Eyes Stronger Cyber Defenses for Small Business”
- From Wall Street Journal Market Watch: “The Identity Theft Council Warns of Increased Risk of Identity Theft to Small Business”
Verizon commented on this trend in their most recent Data Breach Investigation Report, where they noted a greater than 500 % increase in attacks on small businesses:
This got me thinking some thoughts I don’t usually entertain…
Our products, like those of all providers of IT security solutions, are sophisticated and complex. We rely on some really smart security experts in our customer organizations to implement and run them. But:
- Are we investing enough in the usability and manageability of our products to serve the needs of the smaller guys, the ones without security experts on staff?
- Are we taking seriously our responsibility to not just provide good IT security products, but to be educators and informers as well?
- Are we providing enough out-of-the-box capability, training and best practices to help a 50-person company safeguard their systems (and keep them out of the Wall Street Journal)?
- Could my grandma have used Tripwire Enterprise to insure the integrity of the systems her small business depended on?
Obviously, it’s our many multi-national enterprise customers we need to focus our greatest efforts on — they’re the ones who ultimately fund the R&D that provides better detection capabilities, broader platform support, and more stringent cyber defense.
But even as we count a huge chunk of the Fortune 1000 as our customers, we need to start building more usable, more complete, and more manageable products that better serve the Less-Fortunate 100,000. They’re the ones increasingly manning the front lines.
And we need to do it not only here at Tripwire, but throughout the IT security industry as a whole.
Who’s with me?