The reaction to Chinese hackers

Hackers have been very much in the news recently (and I mean ‘hacker’ in the old-fashioned bad way…):

  • Google’s decision to pull out of China – (the latest news suggests they will pull search out of China but are in negotiations about retaining other services)
  • The news yesterday that China-based online attacks on Google and other companies targeted social network accounts of employees’ friends as a way in
  • Reports in the FT this morning that CIOs are stepping up efforts to defend themselves against hacker attacks, for the first time including state-sponsored attacks
  • Techcrunch.com was down this morning – a report here

So the trick here, I think, is to avoid hysteria and focus on what we should actually be afraid of, i.e. where real damage can be done, and then assess protection options in light of the actual threat.  For companies it seems to me the two things to worry about are having their business disrupted and having proprietary data and intellectual property stolen.

Business disruption is typically very costly – e.g. for Techcrunch whilst their site is down revenues stop, but all their costs continue, and for businesses large enough to be at risk the right course of action is usually to take all reasonable measures to protect themselves.

The theft of data is a little bit different though: in my experience the threat of data getting stolen and the potential consequential loss is often simply assumed to be large when for most companies the risk is pretty much limited to a competitor getting hold of a strategy or pricing documents.  Most competitors would not stoop to illegal activity to gain this sort of information (which they probably have a rough idea of anyway) and of those that would, few will have the resources or know-how.  For most companies it isn’t worth the cash cost or productivity impairment that comes with worrying too much about data security.  (Companies that hold credit card data on behalf of their customers or similarly sensitive information are a clear exception here.)

I hope that CIOs don’t overreact to the threat of Chinese hackers and burden their customers and employees with security that is disproportionate to the real risks involved.  Unfortunately there are people in this world who have a vested interest in promoting security for security’s sake.