Over the last year, it's become much more widely known that it's not just governments who are the subjects of targeted cyber attacks. But I thought this story:
http://www.bloomberg.com/news/2012-01-31/china-based-hackers-target-law-firms.html
was particularly illustrative of just how broad the range of targets is. According to this report, law firms were hacked in order to covertly steal information relating to negotiations on an M&A deal.
All professional services organisations ought to be really worried about this sort of incident. Of course, we all want to look after our clients' information as well as we can anyway - but the thought of getting a reputation for failing to protect it does really concentrate the mind. And the ultimate nightmare is that other people find out that it's happened before we do.
There are probably a number of lessons we can all learn:
1) make sure we know exactly what we're going to do if we do learn there's been an incident. It's always going to be a bad situation - but being able to show that we're responding rapidly, identifying what's happened, and finding out for our customers exactly what has been taken, is going to stop a bad situation getting a great deal worse
2) be on the lookout for possible tell-tale signs of targeted cyber attacks. As we know, these sorts of attacks typically go undetected by conventional security technologies such as Intrusion Detection Systems and AntiVirus - we need our Security Operations Centres to be on the lookout for potentially suspicious activity, and to investigate such activity to find out what it represents (hopefully, a false alarm most of the time!)
3) think about whether there are particular types of information that we hold on behalf of our customers which ought to be protected to a higher level of security - highly sensitive M&A deals for example might well justify the use of completely separate PCs that are not connected to the Internet. This is particularly the case if our clients have applied higher levels of security: for example, I know one engineering company that has set up a completely separate, non-Internet-connected network that's used for all their R&D activity. I wouldn't want to be the professional services company that was looking after all that Intellectual Property with less stringent security measures...
Food for thought.