What every executive needs to know about Cybersecurity


Virtually every business has had attackers go after its systems.  Many don't know it.  Some don't want to admit it publicly.  But with the automated scanners (bots) and other tools available to attackers, if you are connected to the internet - which virtually every business is - someone has already probed you.

You will be / have been hacked.

Illustration of Ostrich with Head in Sand

Our Ostrich friend does not have the right approach to this threat.

Having said that, a lot of organizations, and people personally, do follow the Ostrich theory, as evidenced by the comment made by Ashton Carter, Secretary of Defense for the United States, when he was talking about the current investment in security:

" Companies just aren’t willing to admit vulnerability
to themselves,
or publicly to shareholders. "

You need a clear picture of what is happening and what you need to do.

As an example of "What you don't know CAN hurt you.", here's a scenario that circulates widely and that you probably never thought about.  Those key cards you now get at almost all hotels?  The story goes that their magnetic stripe holds a lot of information about you, including your credit card information, and that hacker organizations have paid hotel staff to collect the cards you return to the front desk and sell them intact, so the buyer can harvest your information and sell it on.  A caution is in order: nobody has been able to verify the credit-card part of this story, and the stripe on a typical hotel card holds only a door code and a check-out date.  The underlying lesson still stands, though: you rarely know what data a card, badge or device you hand back is carrying, so the next time you get a key card, think twice about returning it and instead take it home and cut it up.

I recently attended a Cybersecurity information session in Kitchener, hosted by the ICD (Institute of Corporate Directors - www.icd.ca), moderated by Jane Klugman, President of Whitney (www.whitneyre.com), with panelists J. Paul Haynes, CEO of eSentire (www.esentire.com) and Jeremy Samide, CEO at Stealthcare (www.stealthcare.com).  The session was NOT for technologists; the session was for senior executives and Directors on boards of organizations.  The session was to make senior executives and Directors more aware of the realities of today's networked world: what kinds of risks organizations faced, what questions executives need to ask their IT teams, and what organizations need to do to protect themselves against risks about which they often know very little.

You could be fired.


Why should a senior executive care about this?  Is that not the reason they have IT departments?  Well, look at what happened at Target when the executives did NOT pay attention to the hacking threat.  Tens of millions of customers had their payment card and personal information stolen, and Target's brand value, as reflected in its stock price, dropped sharply.  Both the CEO and the CIO lost their jobs.  Within the IT world there is a saying: "When the company gets hacked, the CEO gets whacked."  Target had spent millions on systems to detect and report on intrusion attempts, and those systems did raise alerts on the suspicious activity - but the alerts were not acted on.  Executives need to know what to pay attention to and they need to ask the right questions.

Who, me?

But, you say, I am not some Fortune 500 company.  No-one is going to come after me.  Wrong!  Most attackers do not target a specific organization.  They send bots out to scan IP addresses without regard to who is at those addresses.  When they find one with a weakness (an open port running an unpatched service, an easy-to-guess user id/password, ...) they go at it, hoping to place some of their software on the system and then use that system as a base from which to launch further attacks on connected systems.  You may have databases with client or donor information.  You may have costing files that a competitor would be willing to pay for so they could beat you at the next bidding war.  You may have access to other systems which "trust" your system, so the attacker uses your system as a "vector" to get to those other systems.  Think of the damage an attacker could cause if they obtained access to a system that was authorized to do wire transfers of funds from your bank account.

I once put a single server with its own IP address on a network at a local university and set it to report every morning on all intrusion attempts over the last 24 hours.  I averaged over 700 intrusion attempts per day, with over 50% coming from China, 20% coming from Eastern Europe or South America, a few from Russia, and the rest from North America.  This for a single server that had no publicly accessible applications and had never been advertised to the public.  You will have hackers come after you regardless of how small you are. 

If you wondered why so much of this hostile traffic originates from particular regions, look at the visual representation of Cybersecurity "wellness" by region, presented at World Map of hacker-friendly regions .  Canada ranks fairly high for its efforts to combat Cybersecurity threats, but many other nations do not, harbouring (and in some cases potentially encouraging) hackers to ply their trade.

Time is of the essence.


And guess what?  If you wait until after you have been hacked to start fighting the attacker, you have likely already lost.  Attackers often install software that stays dormant for a while, like a sleeper cell in a terrorist organization, and only put it to work when they deem the time right.  That software might be on your systems for months before you even know you have an issue.  Once active, it can spread across your internal network from machine to machine and change its behaviour when it detects that you are trying to remove it.  So you need intrusion detection that is actually watched, and a practised, fast response process, to find intruders and deal with them while the damage is still small.

Failure to protect yourself
could cost you a lot of time, effort and money to recover.

One of the things attackers now do to profit from their efforts is to use ransomware.  They get access to your system, encrypt your data so you cannot access it, and then demand payment from you - typically in Bitcoin, which is much harder to trace than a bank transfer - to decrypt the data and let you get back to running your business.  Most people advise against paying such a ransom: it encourages the attackers to come at you again, and there is no guarantee you get a working decryption key.  But even if you do have off-site data backup that was not caught by the attackers, the recovery time can be significant - and costly.  A 100-person law firm - which had remote data backup - refused to pay the ransom, and it took them over 24 hours to get their systems back up and running.  They were out of business for 24 hours!  That can seriously impact your reputation, your customer loyalty and your bottom line.  The practical test is simple: if you have never actually restored your systems from backup, you do not yet know how long recovery takes.

Your exposure is like the Hydra: multi-headed.

Every device connected to your network provides a potential attack vector to be exploited by an attacker: Smartphones, Tablets, Laptops, PCs, servers and dedicated devices like controllers on the manufacturing line.  Remember Stuxnet?  Who would have thought that a PLC (Programmable Logic Controller) on a production system could be used to physically sabotage the centrifuges at a nuclear enrichment facility?

Can the "cloud" save you?


If securing and maintaining your systems and data is so difficult, why not let someone else do it for you?  Someone who does this for a living and therefore should be fully prepared to look after you?  That is why the "cloud" is being promoted so aggressively as the solution to your problems.  Put your applications and data on someone else's infrastructure and connect to it via the internet using secure protocols and processes.  For some small businesses who do not have IT staff or budget to stay current on best practices for security, this may be a reasonable solution since the "stick the server in a closet and hope for the best" solution is definitely worse.  But not all cloud providers are the same so if you are looking to do this, do your homework and make sure the cloud provider you use can deliver the security they promise.  What kind of background checks does the cloud provider do on their employees?  What kind of access control do they use for their physical premises?  What kind of Incident Response Systems and processes do they promise - and what do they actually do?  These are not just questions to which you need answers.  Often your suppliers or customers want you to answer these questions - and many more - about how you protect their data.

Some organizations maintain their applications in-house but store their data in the cloud, to ensure secure and redundant data storage.  Sounds good, right?  And it may be.  But make sure you know where your data is being stored and what systems and procedures the cloud provider has at ALL their storage locations, including their remote backup locations.  And make sure you abide by all regulations regarding data storage locations, including the international regulations which can impose significant restrictions and apply real penalties for non-compliance.

Lawyers can be your friend.

One interesting twist that was identified:  if you do get hacked, bring your legal counsel into the discussions early.  That way, if someone tries to sue you and tries to use your internal documents against you, you may be able to use lawyer/client privilege to protect the investigation's documents.  This lets you have real, open, productive discussions about how to fight the attacker without worrying about creating a document trail that may or may not be self-incriminating.  One caveat: privilege generally covers communications made for the purpose of obtaining legal advice, not every email that happens to copy a lawyer, so counsel should be directing the investigation, not merely on the distribution list.

Don't just blame the technology.  It's often a human error issue.

Be aware, successful attacks are, more often than not, the result of a human mistake, not a deficiency in the security systems.  Someone on staff visits a malicious web site or opens a "phishing" email containing a link to a malicious site or an attachment with malicious code.  The compromised system then spreads its infection throughout the organization.  Or someone brings a thumb drive back from a conference and plugs it into a work computer, not knowing it contains a trojan which infects their computer and then spreads.  Or someone adds a wireless access point to the company network so their department can have more flexible connections, but they do not lock the wireless security down tightly.  So the solution to security is NOT just better systems; it is education of staff and enforcement of policies and procedures that staff must follow to keep the company free from attackers.  That education applies to ALL levels in the organization, from the Board of Directors to the janitor.  99 people can do everything right and one person does something wrong.  That's all it takes for an attacker to get in.

How do you get accurate information?

So here is the real question for senior executives: How do you get your organization to be honest with you about what is happening?  Of the 70 people in attendance at the ICD session, only one Director had been told that their company had been hacked.  But we now know that a high percentage of companies have been hacked.  So how do executives and directors uncover what is really going on?  You do not want all your executives and Directors trying to learn all the technical details about network and system security but you do want them aware of what is happening in this area.

One suggestion was to create an advisory panel reporting to the board that can serve as the interpreter between the board and the organization on Cybersecurity issues.  This panel can hire external Cybersecurity firms to advise the organization on intrusion detection systems, staff training programs and policies and procedures which will enhance systems security.  This panel, and any external security firm, can work collaboratively with the organization's IT group to enhance the IT group's capabilities in Cybersecurity.  This does have to be handled carefully to avoid the impression of a witch hunt to find problems with existing IT practices.  This must be a safe partnership for IT.  The message - delivered from the top on down -  is that there is no expectation of perfection, but rather, an ongoing effort to stay current, be agile and be constantly vigilant for the ever-changing threats.

graphic of heatmap for Cybersecurity issues

Another suggestion was to create a "heat map" for security issues.  Security threats DO exist, so create a regular report for executives and the board that reports how many intrusion attempts there have been, what happened, what has been learned and what is now being done to protect against similar intrusion attempts in the future.  There are numerous formats for a heatmap ( the one shown on the right is from rofori.wordpress.com ) so find one that works for you and use it regularly.  This is NOT a threat that is dealt with and forgotten; it is an ongoing, pervasive, persistent threat that must be constantly monitored and quickly dealt with.
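The single-server daily intrusion report described earlier and the executive heat map suggested here are built from the same raw material: the failed-login and probe records in your server logs, tallied by source, by region and by time of day.  The script below is an added example, not code from the original post or from any of the panelists' companies.  It parses constructed sample sshd lines (rsyslog RFC 3339 timestamp format; the addresses are RFC 5737 documentation ranges, not real attackers), keeps only the last 24 hours before an assumed report time, and produces the counts a daily report or a heat-map row would show.  The region table is a stand-in assumption so the example runs offline; a real deployment would look addresses up in a GeoIP database.

```python
# Added example (not from the original post): a daily summary of failed SSH
# logins - how many, from where, at what hour - that a single exposed server
# can produce and that can feed an executive heat map.
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample auth log (rsyslog RFC 3339 timestamps). Addresses are
# RFC 5737 documentation ranges; the "Accepted" line and the two-day-old line
# exist to show that the summary ignores successes and out-of-window events.
SAMPLE_LOG = """\
2016-03-12T03:14:07+00:00 srv1 sshd[2034]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2016-03-12T03:14:09+00:00 srv1 sshd[2034]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
2016-03-12T03:15:41+00:00 srv1 sshd[2040]: Failed password for root from 198.51.100.23 port 44022 ssh2
2016-03-12T04:02:13+00:00 srv1 sshd[2051]: Failed password for invalid user oracle from 192.0.2.77 port 60110 ssh2
2016-03-12T09:30:00+00:00 srv1 sshd[2100]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
2016-03-12T11:45:58+00:00 srv1 sshd[2140]: Failed password for invalid user test from 203.0.113.5 port 51300 ssh2
2016-03-10T22:10:05+00:00 srv1 sshd[1900]: Failed password for root from 203.0.113.9 port 40000 ssh2
"""

# Assumed report time: the morning run covers the 24 hours before this instant.
REPORT_TIME = datetime(2016, 3, 13, 0, 0, tzinfo=timezone.utc)

# Assumed region lookup keyed by address prefix. A real deployment would use a
# GeoIP database; this table exists only so the example runs offline.
REGION_BY_PREFIX = {
    "203.0.113.": "China",
    "198.51.100.": "Eastern Europe",
    "192.0.2.": "North America",
}

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failed_logins(log_text):
    """Return (timestamp, user, ip) tuples for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group("ts"))
            events.append((ts, m.group("user"), m.group("ip")))
    return events


def region_for(ip):
    """Map an address to a region via the assumed prefix table."""
    for prefix, region in REGION_BY_PREFIX.items():
        if ip.startswith(prefix):
            return region
    return "Unknown"


def summarize(events, now, window=timedelta(hours=24)):
    """Tally failed logins in the `window` before `now` by source, region and hour."""
    recent = [e for e in events if now - window <= e[0] <= now]
    by_ip = Counter(ip for _, _, ip in recent)
    by_region = Counter(region_for(ip) for _, _, ip in recent)
    by_hour = [0] * 24                      # one heat-map row: attempts per hour of day
    for ts, _, _ in recent:
        by_hour[ts.hour] += 1
    total = len(recent)
    pct = {r: round(100 * n / total, 1) for r, n in by_region.items()} if total else {}
    return {"total": total, "by_ip": by_ip, "by_region": by_region,
            "region_pct": pct, "by_hour": by_hour}


def build_summary():
    """Run the whole pipeline on the constructed sample at the assumed report time."""
    return summarize(parse_failed_logins(SAMPLE_LOG), REPORT_TIME)


def format_report(summary):
    """Render the summary as the plain-text morning report."""
    lines = [f"Failed SSH logins in the last 24h: {summary['total']}"]
    for region, n in summary["by_region"].most_common():
        lines.append(f"  {region}: {n} ({summary['region_pct'][region]}%)")
    busiest = ", ".join(f"{ip} x{n}" for ip, n in summary["by_ip"].most_common(3))
    lines.append("  Busiest sources: " + busiest)
    lines.append("  Per hour (00-23): " + " ".join(str(n) for n in summary["by_hour"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_summary()))
```

Pointed at a real /var/log/auth.log (or the journal) and run from cron each morning, the same code yields the "700 attempts a day, mostly from region X" picture an executive can act on; the per-hour row, accumulated day over day, is the heat map.  Note what the report deliberately leaves out: a successful login from an unfamiliar address is far more important than a thousand failures, and belongs in a separate, louder alert rather than in a daily tally.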

graphic of NIST_framework-based_Heatmap

The National Institute of Standards and Technology (NIST  www.nist.gov/cyberframework ) is funding creation of a heat map visualization tool with the first rendition expected to be out by late 2016.  One way of creating your own heatmap now from the framework published to-date is to do like the authors at ( NIST-based heatmap ) have done and is shown at left.

Cymon ( www.cymon.io ) is an initiative supported by eSentire to collect and publish information about hacker activity.  On the website of eSentire, there are workbooks for a company to download - eSentire Workbooks -  which can guide you though some of the complexities of reporting and protecting yourself against Cybersecurity threats.

NICE ( National Initiative for Cybersecurity Education - csrc.nist.gov/nice/resources.html ) is a US-based, NIST-led program which is a resource for information security standards and guidelines.  The site has numerous frameworks, whitepapers and webinars that can help you understand and deal with Cybersecurity threats.

Even the venerable Oxford University is working on combating Cybersecurity with their efforts through the Oxford Martin School documented at www.oxfordmartin.ox.ac.uk .

Can you insure against Cybersecurity threats?

If all else fails, what about Cybersecurity insurance?  The general consensus of the panel was that insurance can be used to offset the costs of investigating an intrusion and the costs to recover from an intrusion.  But insurance to recover business losses has high premiums and numerous exclusions, so it is less likely to be a good investment on your part.

Be scared.  Be very scared. Now do something about it.

The reaction of the session attendees was pretty consistent: "If your intent was to scare us, you succeeded.  Now we need to go back to our business and pay more attention to Cybersecurity".

You can stay safe.  It just takes awareness and diligence.


Thank you to ICD, Jane, J. Paul and Jeremy for an interesting, thought-provoking and informative session.


Posted in General Leadership, Information Technology.

One Comment

  1. As if to make the point, retired Gen. Michael Hayden, a former National Security Agency director, had a gloomy message for corporate IT security managers: You are on your own in the cyber-security war.

    The full ( 2-page) article is at:
    http://www.eweek.com/news/gen.-hayden-private-sector-must-lead-fight-against-cyber-threats.html

    The gist of the article is that, although US citizens have become accustomed to their government protecting them from physical threats, when it comes to cyber-threats, the government is too slow to respond pro-actively or even re-actively to protect everyone from cyber-threats.

    He also made the unusual claim that, as a country, the US was “number one” in conducting cyber-espionage, but that the US did it to keep its citizens free and safe whereas some others did it to make themselves rich.

    So if the best at the business tells you you are on your own, the final line above is made even more poignant: “Be scared. Be very scared. Now do something about it.”
