February 9, 2011
Have you been having trouble getting your board of directors to care about information security? This weekend’s news that Nasdaq’s Directors Desk web application was compromised by hackers may help to improve your situation.
Details have been elusive thus far, but reports indicate that multiple breaches occurred, resulting in “suspicious files” on the company’s servers. A statement released by Nasdaq assures us that its trading systems and customer data were not compromised, and those in the know tend to agree that infiltrating the trading systems would be substantially more difficult than breaking into the web environment and leaving a few files behind. As the investigation continues, hopefully we'll learn more, but what can we take away from this story so far?
- The list of attractive hacker targets continues to grow. Whoever perpetrated this breach chose not to go after traditionally lucrative targets like customer or employee data, or to make a more difficult and devastating attempt to dismantle one of the world’s biggest exchanges. Instead the target was a more accessible set of extremely sensitive corporate data – details about mergers, acquisitions, dividends, and earnings. Without much sophistication, criminals could use this information to execute rather impressive “insider trading” transactions or simply find an outlet like WikiLeaks for some of the more embarrassing tidbits.
- Normal monitoring should have caught this breach sooner. A federal official told the Associated Press that the attacks took place over the course of a year, while Nasdaq’s statement said the files were found through the company’s “normal monitoring systems.” It would appear that the monitoring functions were not as frequent or effective as they should have been.
- The government will get even more involved if there’s a perceived lack of control. While we still don’t know if hackers gained any useful information from this attack, the potential implications touched many of today’s most buzz-worthy topics: investor confidence, corporate oversight, and financial market stability. Legislators on both sides of the house were quick to press Nasdaq and other exchanges, as well as regulators, for more information about what’s being done “to ensure the ongoing integrity and security of exchange trading systems and clearinghouses.” If they don’t like the answers, expect more rules and oversight to follow.
- It’s a good time for a heart-to-heart with your board about security. You don’t have to build a horrific awareness campaign about the hackers lurking around every corner, but it’s important for the board of directors to know that their mobile devices, email accounts, and online communications may very likely be targets of attack. Directors and top executives who often expect policy exceptions should understand the potential risks those exceptions create. Also, it wouldn’t hurt to look into the way your board members communicate to make sure top-level secrets are appropriately protected.
We will continue to watch this story as it develops, and we welcome your comments.