The R&D Tax Credit Aspects of Cyber Security
Cyber-Security
Recent cyber-attacks on sovereign nations
and corporations alike have demonstrated how porous network
security can be. For businesses, the fallout from a cyber
security breach can have disastrous consequences including
shattered reputations, criticism from shareholders, lawsuits,
regulation penalties, and negative publicity.
These cyber attacks are
becoming more prevalent, forcing organizations to realign
their security priorities and take a comprehensive approach to
cyber security. R&D tax credits are available for
companies developing and integrating cyber security
technology.
The Research & Development Tax Credit
Enacted in 1981, the Federal Research and
Development (R&D) Tax Credit allows a credit of up to 13
percent of eligible spending for new and improved products and
processes. Qualified research must meet the following four
criteria:
- New or improved products, processes, or software
- Technological in nature
- Elimination of uncertainty
- Process of experimentation
Eligible costs include
employee wages, cost of supplies, cost of testing, contract
research expenses, and costs associated with developing a
patent. On December 19, 2014, President Obama signed the bill
extending the R&D Tax Credit for the 2014 tax year. As of
this writing, proposed tax extender legislation would extend
the tax credit through December 31, 2016.
Network Security
Network security is comprised of
multiple layers of security and involves any activities that
protect the usability, integrity, and safety of a network and
its data. Multiple layers are necessary to defend from an
array of threats and to ensure that if one layer fails, others
will hold. BBC reports that on average, companies use 75
separate defense systems to maintain their networks.
Common network security components include:
- Anti-virus and anti-spyware
- Firewalls to block unauthorized access to networks
- Intrusion prevention systems (IPS) to identify fast-spreading threats
- Virtual Private Networks (VPNs) to provide secure remote access
Network security is
comprised of hardware, software, and an IT security policy. An
organization’s IT security policy is essentially the company’s
rules on how to ensure security and integrity of data. Without
administrative support, the IT security policy will lack the
clout necessary to be effective. The policy could be perfect
but destined to fail if no one in the organization follows it.
This leaves room for
cyber criminals, hacktivists, and organized cyber criminals
to embarrass organizations, steal customer information, disrupt
operations, destroy property, destroy business, and cause
widespread disruption and destruction.
The most common threats
to a network include viruses, worms, trojan horses, spyware,
adware, zero-day attacks/zero-hour attacks, hacker attacks,
denial of service attacks, data interception, and identity
theft.
Shortcomings of Network Security
Businesses, not-for-profits, and government
organizations are all vulnerable to potential hacking. Over
the past two years, Premera Blue Cross, Anthem, Chick-fil-A,
Sony, USPS, Staples, JP Morgan, and many others have been
compromised. The recent decrease in computing costs has made
it more economical for cyber criminals to execute an
increasing number of automated cyber attacks. The increase in
attacks coupled with organizational use of antiquated network
security systems sets the stage for future breaches of
colossal proportions.
A large number of
companies have neglected to keep their security systems
current, which has made them highly vulnerable. The
network security systems of many organizations rely on
outdated technologies that depend on multiple layers of
protection, comprised of products from various manufacturers.
Predominantly, these products are designed to defend against
one specific threat. Since these products are produced
by a multitude of manufacturers in isolation, they end up not
communicating well with one another, similar to how PC
software and hardware are not compatible with one another.
This lack of
communication prevents the automation of security systems and
forces network security to be manual in nature and therefore
susceptible to automated attacks. Humans simply cannot keep up
with the speed and efficiency of an automated attack.
A superior approach
would be to have all elements of a security system work in
unison. Due to Moore’s Law, the cost of computing is expected
to maintain its downward descent for the foreseeable future.
Consequently, the number of automated hacks is expected to
maintain its upward trajectory. The only viable option to
maintain network security is to increase the computing power
needed to conduct a cyber attack, thereby making cyber
attacks a costly endeavor. To accomplish this, organizations
will have to invest heavily in automating their network
security in coming years.
The Cost of Network Breaches
Cyber attacks are becoming so prevalent
that some companies are experiencing multiple attacks in rapid
succession. TalkTalk Group, a telecommunications company, has
been hacked three times in the past year. Private information
of up to four million customers may have been compromised
during TalkTalk’s last cyber attack. This is particularly
alarming since TalkTalk has not definitively verified that
all of its customers’ data was encrypted. Encryption
enhances network security by making information indecipherable
without the necessary decryption key. Encryption is
essential to network security and should never be
overlooked. The cyber attack could cost TalkTalk over $37
million.
European Penalties & Regulation
The recent uptick in data breaches has
spurred governments to introduce regulation requiring
corporations to take cyber security threats more seriously.
Europe looks to implement the toughest regulations,
requiring companies that experience a data breach to
potentially face fines of up to 5 percent of global turnover
or €100 million, whichever is greater. Companies will have to
drastically increase their network security efforts or
potentially face crippling fines.
Cyber security threats
must be managed; however, many professionals believe preventing
100% of cyber attacks is not possible. If this is the case,
many companies operating in Europe could be paying these
substantial fines in the near future. Regulation should focus
more on punishing companies that are negligent in protecting
customer data. Arguably, a company that invests heavily in
network security and is still breached should not face the
same consequences as a company that makes no effort to ensure
network security. The bottom line: U.S. companies spend
millions in annual cyber attack costs and increasing network
security is in their best interest.
Social Engineering & Network Security
An organization’s network security is only
as strong as its weakest component. However, humans are
usually the weakest link, and unlike other elements of a
network security system, humans cannot be easily switched out
and replaced.
In 2011, the U.S.
Department of Homeland Security ran a test to see how hard it
was to compromise workers in order to gain access to an
organization's computer systems. In the test, computer discs
and USB thumb drives were dropped in the parking lots of
government buildings and private contractors. Of the workers
that picked them up, 60% plugged the devices into
computers. When official logos were printed on the
devices, 90% of workers installed the drives and CDs. If these
devices had malware on them, the likelihood is high that it
would have infiltrated the network.
Education is essential
in preventing data theft due to social engineering attacks. If
the workers in the Homeland Security test were informed of the
potential dangers of installing an unknown device on a company
computer beforehand, the percentage of the devices installed
would have been much lower. The workers probably did not
consider the device a potential threat; they were most
likely just curious as to whom the CD or USB drive belonged.
Increased Social Media
Businesses should also be aware of what
information they are releasing through verbal communication
and social media. Social media allows social engineers to gain
a treasure trove of information that can be used to obtain
more valuable information. Hackers often research employees’
profiles for personal information, which allows phishing
attacks to be more successful. For example, if a hacker sees
that an employee is a golf enthusiast, that hacker might send
that employee an email containing malware disguised as a
promotion offering free tickets to a golfing event. The worker
is more likely to forget or neglect security protocols when
distracted by potential free tickets to one of their favorite
activities.
Companies should also
write up an IT security policy that outlines the assets
criminals are most likely to target and come up with protocols
that will protect those assets. It is paramount to ensure that
these policies are enforced; otherwise they will be irrelevant.
Employees should also be
aware that a compromised work computer could also include
personal information. This will give them a stake in security.
IT policies should also cover what types of information are
safe to share. Employees need to ask themselves when giving
out information “Does this person deserve to know this
information?”
Organizational Structure
The cost associated with potential fines
and data breaches is compelling banks to work together. Trade
bodies like the Financial Services Information Sharing and
Analysis Center, with 5,500 members, are being created with the
sole purpose of sharing information about security threats.
Companies are also hiring professionals from government
agencies as well as contracting out network security entirely
to private firms.
The responsibility of
network security cannot be completely exported to private
firms. Companies should keep in mind that although private
firms have the capability to improve network security, their
ability to improve security is contingent on company
employees following IT security policies.
Effective cyber security
involves executive leadership to create corporate strategy and
policy, business management to develop actionable procedures
and guidelines, and system managers for implementation. Equally
important is communication between departments and the
development of a feedback loop to assist in constant
improvement. This loop will also allow executive leadership
to determine if they should stay the course or to reevaluate
their strategy. This cohesion of management allows network
security to improve steadily and keep up with dynamic threats.
External Weaknesses to Network Security
While seeking the easiest way to access a
network, hackers will look for weak links in the supply chain.
There are many ways that an organization’s supply chain can be
compromised; the two most common ways are Adversarial Supply
Chain Operations To (ASCO To) and Adversarial Supply Chain
Operations Through (ASCO Through).
I. ASCO To directly targets the
organization, whereas ASCO Through uses an
organization’s supply chain as a means to target one of its
customers. These threats make it necessary for organizations
to work together with all the vendors in their supply chain to
preserve network integrity.
II. Third party outsourcing is
another vector where retail chains’ network security can be
compromised. The 2013 Target Corp data breach where the
personal information of 70 million customers was compromised
is a perfect example of how an organization can be brought
down by the actions of a third party service provider. The
breach started with a phishing attack on an HVAC company that
had access to Target’s external billing and project management
portals. The attackers successfully installed keylogging
malware and made their way into Target’s system where they
were able to infiltrate customer databases and POS systems.
The breach was likely
caused by a failure in the free anti-malware software
that the HVAC company was using. This unfortunate event
illuminates the necessity to vet network security systems of
potential third party contractors. This event also
demonstrates the usefulness of implementing a
compartmentalized approach to data sharing. Did the HVAC
company really need access to all the data in Target’s
external billing and project management portals?
To further avoid data
breaches as a result of third party negligence, terms that
allow the organization to audit the third party’s security
systems should be set in place. This will help motivate third
party contractors to keep security as a priority.
Retail Stores Are at Risk
The large volume of transactions that
retail stores experience makes them a prime target for cyber
attacks. The bank account and credit card data that is created
during these transactions can be used to defraud a large pool
of people.
One interesting factor
regarding retail is that the success of retail companies is
one of the major reasons why they are so susceptible to data
breaches. Globalization has allowed for the creation of impressive,
multinational retail companies that rely heavily on
information sharing to be successful. This has led to
networks designed with an emphasis on efficiently
disseminating information instead of network security.
It is essential for
retailers to know exactly where customer data is being stored.
Many times customer data is stored in multiple locations. It
is crucial to determine how sensitive data is being accessed,
handled, and secured. This can be challenging especially for
retail companies that have the capability to look up customer
information from any retail outlet.
Retailers must also
recognize that data at rest on laptops and other mobile
devices is vulnerable too. Encrypting all data that is at
rest will mitigate the damage caused by losing a laptop.
In addition,
implementing traffic monitoring software will help to ensure
that data encryption policies are being maintained.
Technology Initiatives
Universities are at the forefront of cyber
security developments which will protect organizations from
cyber threats.
The migration to cloud
storage and the access of that data from mobile platforms make
sophisticated passwords a necessity. Carnegie Mellon
University recognizes this, and has teamed up with Northrop
Grumman Corporation to develop the next generation of
passwords for mobile technology. Developments include password
technologies that use sensors and rely on behavioral patterns.
Sensors on a device will be able to monitor user
behavior, for example how a user picks up and handles a
device. This kind of behavior is unique, making passwords based
on behavioral characteristics highly secure and irreproducible.
Carnegie Mellon is also
developing biometrics for secure authentication systems.
Biometrics is being leveraged to measure and analyze the
unique physical traits of individuals in order to determine
clearance level for data access. The focus now is to improve
image acquisition and image quality in iris and facial
recognition authentication systems.
Many people will be wary
of adopting new authentication systems if they demand more
time than entering a conventional password. The development of
robust segmentation algorithms will be necessary to reduce the
amount of time needed for biometric readers to segment an iris
image and determine if a user is entitled to security access.
Big data analytics
is becoming an essential tool in managing evolving cyber
security threats. Organizations are now using big data
analytics to gather and analyze massive amounts of data to
gain insights, which can help predict and stop cyber attacks.
Big data allows organizations to monitor abnormalities and
suspicious behavior. For example, an alert can be raised
when a user attempts to access data that they normally would
not access or if they attempt to access data at unusual times
or locations.
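The kind of alert described above, as an added example that is not part of the original article: a per-user baseline is built from past access events, and a new event is flagged for each of the three conditions the paragraph names (data the user does not normally access, unusual time, unusual location). The event fields, sample records and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample history: (user, ISO timestamp, resource, location)
HISTORY = [
    ("alice", "2015-11-02T09:14:00", "crm/accounts", "NYC"),
    ("alice", "2015-11-03T10:02:00", "crm/accounts", "NYC"),
    ("alice", "2015-11-04T16:40:00", "crm/reports", "NYC"),
    ("bob", "2015-11-02T22:05:00", "hr/payroll", "LON"),
    ("bob", "2015-11-03T23:30:00", "hr/payroll", "LON"),
]

def build_baseline(events):
    """Record, per user, the resources, hours and locations seen so far."""
    base = defaultdict(lambda: {"resources": set(), "hours": set(), "locations": set()})
    for user, ts, resource, location in events:
        profile = base[user]
        profile["resources"].add(resource)
        profile["hours"].add(datetime.fromisoformat(ts).hour)
        profile["locations"].add(location)
    return base

def check_event(baseline, event, hour_slack=1):
    """Return the list of reasons an event deviates from the user's baseline."""
    user, ts, resource, location = event
    if user not in baseline:
        return ["no baseline for user"]
    profile = baseline[user]
    reasons = []
    if resource not in profile["resources"]:
        reasons.append("unfamiliar data")
    hour = datetime.fromisoformat(ts).hour
    # Circular distance, so 23:00 and 00:00 count as one hour apart.
    nearest = min(min(abs(hour - h), 24 - abs(hour - h)) for h in profile["hours"])
    if nearest > hour_slack:
        reasons.append("unusual time")
    if location not in profile["locations"]:
        reasons.append("unusual location")
    return reasons

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # Constructed new events: one far outside the baseline, one within it.
    for ev in [("alice", "2015-11-05T03:12:00", "hr/payroll", "SIN"),
               ("bob", "2015-11-05T00:10:00", "hr/payroll", "LON")]:
        print(ev[0], check_event(baseline, ev) or "ok")
```

The `hour_slack` tolerance keeps a night-shift user who logs in shortly after midnight from being flagged; widening it trades fewer false alerts for less sensitivity.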
Artificial Intelligence and machine learning are being used in
tandem with big data analytics to increase network security.
It is expected that these technologies will help to discover at
least 25% of breaches by 2018. Machine learning is being used by
some companies to detect behavior changes in employees. These
changes in behavior can even be used to determine if an
employee is getting ready to leave a company with sensitive
data.
Conclusion
Cyber criminals are more capable than ever
of permeating network defenses. The days when companies
invested minimally in network security are a vestige of the
past. The development of administrative controls, as well as
the collaboration between businesses and governments alike,
will play a major role in the abatement of cyber crimes.
Federal and state R&D tax credits are available to help
stimulate and support companies developing and implementing
new cyber security technologies.