More Chinese Attacks on Gmail; It's Time for Everyone to Rethink Info Security

According to Google (GOOG), the Chinese government is blocking its Gmail service in that country. The company called it "a government blockage carefully designed to look like the problem is with Gmail."

It's not the first time Google has accused China of cyberattacks, nor is it the only organization to make such a claim. British intelligence service MI5 has warned of this for years. And Google also isn't the only technically sophisticated company to find itself a victim of disruptive efforts. Two security consultancies have recently found themselves looking foolish.

The security of information is critical to most companies. Trouble is, as these examples show, you can't guarantee that security. Even companies with tremendous technological resources are clearly finding their data-protection setups fairly porous.

Not a question of if, but when
Increasingly, in fact, the question isn't whether a corporation's defenses are vulnerable to attack, but when breaches will occur and how badly they'll hurt. That suggests executives really need to rethink how they manage information security.

Just a couple of weeks ago, Google noted "highly targeted and apparently politically motivated attacks" aimed at its users. The attacks used an Internet Explorer vulnerability that became publicly known in January. In December, Google detected a sophisticated attack from China that broke into not only Google's systems, but those of at least 20 other companies, including DuPont (DPT), General Electric (GE), Johnson & Johnson (JNJ), Walt Disney (DIS), and Sony (SNE).

Security train wrecks piling up
The security train wrecks have piled up of late. The hacktivist group Anonymous broke into the systems of security consultancy HBGary and grabbed tens of thousands of emails -- the same emails that appeared to link the U.S. Chamber of Commerce to a dirty tricks plot. Furthermore, someone broke into security vendor RSA, a division of EMC, and got sensitive data about one product line.

Nope. There ain't no such thing as absolute information security -- at least not when systems are connected to the Internet, even indirectly. The best anyone can hope for is relative safety for the moment ... until those who want to break in find new exploits or new vulnerabilities in a corporate network.

What companies can do, however, is to start thinking about what part of their information is so important that it shouldn't be put at risk at all. Maybe truly sensitive data should remain completely cut off from the Internet. That would be inconvenient, but it might prevent the types of intellectual property fishing that some groups -- or states -- seem to be doing in earnest.


Image: morgueFile user kevinrosseel, site standard license.