Although there are some breaches companies can’t prepare for, this breach appears to be a case of lapsed security.
The breached system at Nasdaq, so far, was tied to Directors Desk, a web-based service tool used by directors of companies, including board members, to share confidential documents. One would think that if Nasdaq were acquiring a company for their portal service, as they did Directors Desk in 2007, the web application would have been thoroughly tested for flaws based on the highly sensitive information that flows through and is housed in its system. For all you CEOs out there, take note! Have ALL your web-based applications tested!
What’s so concerning about this breach is that it became known through “routine computer security checks” revealing that hackers had installed malware files inside Directors Desk. The Wall Street Journal reported the computer network had been repeatedly penetrated during the past year. So the real question is why the system was only routinely monitored and not continually monitored? This went on for a full year before it was discovered, despite the files left on the system by the hack! Web-based services like this are highly vulnerable and require constant monitoring.
There are other board portals out there and these services don’t come cheap. It would be interesting to see if companies jump to other board management systems because of the lack of security discovered by this breach.
The latest development from this breach is to revive the Cybersecurity Enhancement Act. To investigate the cause of this breach is certainly required, but to initiate a bill that funds scholarships and grants for security research through the National Science Foundation to the tune of $639 million over four years is truly alarming.
It’s said that these systems are complicated, but really? With a thorough information security program in place, the chance of this type of breach is minimal. According to the reports, the files in question were removed and Nasdaq made modifications to the system as a deterrent. Gee, guess it wasn’t all that complicated.
Posted by Mike Fitzpatrick, CEO, NCX Group