MIT Technology Review

And even if a company pays close attention to security, the complexity of the organization can trip it up, says Patrick Peterson, a security expert at Cisco Systems. He points out that other parts of Citigroup apparently had addressed this same security hole, even though the credit card group did not. The company “might have 20, 30, 40 lines of business,” he notes, “and 99.999 percent of the time they get it right. Then someone forgets something. It doesn’t make it okay, but it is difficult to scale things forever.”

Chris Novak, managing principal of Verizon’s security branch, which consults with businesses about intrusion prevention, says security oversights often result from an us-or-them approach. In other words, many organizations assume that employees and other insiders can be trusted, so they focus on defending against outside threats. But in designing their systems with these two groups in mind, they often overlook a third group: those who are “not an unknown but not an employee.” That’s essentially what happened in the Citi heist, when the hackers were never faced with the defenses meant for complete outsiders. It’s as if the company assumed that bank robbers don’t have bank accounts.

Novak says that when organizations are shown the vulnerabilities these users-but-not-employees can exploit, their first response is usually, “Well, why would a user do that?” Furthermore, he adds, a lot of large organizations “have a mind-set that they don’t have small problems.” They end up worried about “Mission: Impossible situations,” he says, but the vast majority of attacks are “opportunistic.”

Schneier suggests a more calculating explanation for Citi’s lack of proper defenses. Maybe the bank didn’t spend the money on good security because it figured that it would be cheaper and simpler to reimburse its customers for any fraudulent charges, he says.

Whatever the reason, these basic security weaknesses are more common than you might expect, Novak says. Faults similar to Citigroup’s show up each year in Verizon’s Data Breach Investigation Report, an analysis of hundreds of intrusions. In the 2011 report, for instance, only 18 percent of the cases Verizon investigated resulted from hacks of “high” difficulty—requiring “advanced skills.”


Credit: Technology Review

Tagged: Business, Business Impact, Securing Data
