This is part of a series of blogs in which I will share “scary stories” of actual cybersecurity breaches. These blogs are intended to both inform and provide some potential solutions and resources to protect organizations of all sizes and industries from the perils of being a “connected” entity. Visit i3 Insights > Areas of Expertise page to access all of my previous blogs.
In this follow-up to my high-level Source Code Theft article, I recount the story of a consulting assignment where that organization’s most critical physical assets were left unprotected – and the unfortunate consequences. A truly scary story.
Stolen Source Code
One of the world’s largest digital entertainment firms typically invests millions of dollars to design, code, test, market, and support its products globally. After years invested in readying their products for market, they were horrified to learn that within only a few weeks’ time, bogus copies were already being sold at steep discounts on the black market. The revenue forecasts for this company, as well as its public stock price, were downgraded substantially.
How Could This Have Happened?
I was brought in by this firm to investigate the problem and come up with a solution. After only a brief time onsite, I was horrified to learn that there were no information security protocols in place whatsoever – the source code for their critical confidential assets was simply stored on a server stuffed under one of the developers’ desks. Really?
It doesn’t take much to figure out what happened next. The global value of that code – even at steeply discounted black-market rates – was in the tens of millions of dollars.
If this company had even the smallest cybersecurity presence on staff, they would have known that MOST industrial espionage is an inside job. In fact, there was more than a 50% chance that the source code was being stolen from within its own walls. Yep, the answer to the question “Who dunnit?” was that it was, in fact, an inside job.
Employee (insider) threat is the single largest source of stolen confidential data and information.
Enter the Band-Aid Solution
While it was obvious that this organization needed the complete implementation and enforcement of a cybersecurity framework, the immediate need was to stop the bleeding by implementing a four-fold approach:
- Secure software development (SecDevOps) best practices were initiated, and the staff was educated in how to integrate cybersecurity into its software development from day one.
- Most importantly, a secure software repository was implemented to house all code from the initiation of the product development cycle to the final QA and pre-production readiness.
- Strict access control protocols were implemented and enforced, including the logging of all access to the secure repository.
- Chain-of-custody protocols were added.
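As an added illustration of the third item (strict access control plus logging of every access to the repository), here is example code that is not from the original post: it audits constructed repository access-log lines against a hypothetical entitlement table and flags both out-of-entitlement access and bulk cloning, the insider pattern this story describes. The log format, account names and repository names are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a source-repository access log (not from the original post).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice action=clone repo=engine-core src=10.0.4.18
2024-03-04T09:15:22Z user=bob action=push repo=tools src=10.0.4.21
2024-03-04T23:41:07Z user=bob action=clone repo=engine-core src=10.0.4.21
2024-03-04T23:42:19Z user=bob action=clone repo=renderer src=10.0.4.21
2024-03-04T23:43:55Z user=bob action=clone repo=netcode src=10.0.4.21
2024-03-05T08:02:10Z user=carol action=clone repo=website src=10.0.4.30
"""

# Hypothetical entitlement table: which repositories each account may touch.
ENTITLEMENTS = {
    "alice": {"engine-core", "renderer"},
    "bob": {"tools"},
    "carol": {"website"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) repo=(?P<repo>\S+) src=(?P<src>\S+)$"
)

def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped rather than crashing the audit."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def audit_access(events, entitlements, bulk_threshold=3):
    """Return (unauthorized, bulk): accesses outside the user's entitlements, and users
    who cloned at least bulk_threshold distinct repos (an insider pulling everything)."""
    unauthorized = []
    clones = defaultdict(set)
    for ev in events:
        if ev["repo"] not in entitlements.get(ev["user"], set()):
            unauthorized.append((ev["ts"], ev["user"], ev["action"], ev["repo"]))
        if ev["action"] == "clone":
            clones[ev["user"]].add(ev["repo"])
    bulk = {u: sorted(r) for u, r in clones.items() if len(r) >= bulk_threshold}
    return unauthorized, bulk

if __name__ == "__main__":
    unauth, bulk = audit_access(parse_log(SAMPLE_LOG), ENTITLEMENTS)
    for finding in unauth:
        print("UNAUTHORIZED", *finding)
    for user, repos in bulk.items():
        print("BULK CLONE", user, repos)
```

The unauthorized list is what access-control enforcement should have blocked outright; the bulk-clone list is the review queue for whoever owns chain of custody.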
Getting Back to Basics
The immediate implementation of the above approach enabled this company to continue with the rollout of its latest product – now with an acceptable level of certainty that the source code is secure and access to it is controlled and logged.
With this out of the way, I presented a plan to executive management to backfill the organization with a complete suite of cybersecurity best practices. One of the most important aspects of this program was the training of their staff in basic cybersecurity hygiene with the goal of their gaining an understanding of the role they play in protecting their company’s most critical assets.
Isn’t it hard to believe in today’s connected business environment that such an organization as described in this blog was able to function and make money without any cybersecurity presence of any kind? Believe it. I hope your company isn’t one of them. One really scary story like this is enough!
How Do We Shore Up Our Cybersecurity Practices?
The first step is to determine the current state of your organization’s cyber defenses. Typically, an internal cybersecurity assessment or “gap analysis” is performed to investigate and document the current state of your defenses. If your organization does not have the internal bandwidth to perform a thorough analysis, consider employing the services of an experienced Cybersecurity Compliance Consultant who can obtain the desired results with minimal impact on your staff and operations.