Reporter: “Why do you rob banks?”
Willie Sutton (bank robber): “Because that’s where the money is.”
That’s Sutton’s law. It seems obvious, but it’s so very true. The law also holds true for hackers: they will attack systems that store valuable data.
So where might that be? My first guess would be the iron-clad data centers of the world’s largest banks, pharmaceutical companies, defense contractors, governments, and Fortune 500 corporations. They are the big juicy targets, right? But attractive targets aren’t necessarily easy targets.
Today, banks and other high-profile institutions have state-of-the-art data protection in the form of firewalls, two-factor authentication, sophisticated encryption, and Varonis. Hence the term “bank-level security.” As a result, hackers have to weigh the value of a successful attack against the difficulty of breaching the target.
What if there were a way to seize a corporation’s digital secrets without having to penetrate their heavily fortified walls? A group of Chinese hackers figured out a rather cunning way to do it – infiltrate the company’s much more vulnerable law firm instead!
According to Mandiant, a Virginia-based security firm, 80 major US law firms were hacked last year. Clearly, law firms are becoming a primary back door that hackers are using to gain access to valuable corporate data. But it’s not just law firms we have to worry about, unfortunately.
Any time you send an email to another party—e.g., law firms, accountants, consultants—or transfer confidential documents to Dropbox or Google Docs, you’re implicitly trusting that they take security as seriously as your own security admins do, and that they can determine, at all times, who can access your data and who is accessing your data.
The fact is that many organizations, including the growing number of cloud service vendors, haven’t even scratched the surface when it comes to serious data protection and security. The message is clear: start now. Your customers will demand it.