Individuals, businesses and countries perpetually underestimate the threat from cyber crime, cyber terrorism, and information warfare.
Twenty-five years ago, you could forgive somebody for being naive around these threats, but in 2022 and beyond, every CEO, every COO – every employee – should be well aware of cyber risk and cyber crime.
And the big mistake that people make is, they don't think it will happen to them.
They come up with excuses like, “Why would anybody want to go after our company? We just make widgets. We're not important.”
The thing that they don't understand is that, most of the time, they're not targeting your company specifically – they're targeting every company, and so many of the attacks are fully automated.
No matter how small your organization is, it’s a target for a cyber attack.
If you are a small three-person law firm in Montana, maybe there's no reason for Russian organized crime to come after you.
But, let's say that you have a client or a case that the Russians are interested in, or you have the financials of a wealthy client that the Russians or the Chinese or the Iranians or any other country might be interested in. Now there's a reason to come after your firm.
So broadly, it's not just your company being targeted, it's every company being targeted. And beyond that, there may be reasons that your company is targeted that you don't understand.
I spent a long time working in Silicon Valley, and when people would say, “we've got nothing to hide,” or “there's no reason for any company to come after us,” my response is, “then you must not be doing anything interesting, because if you're not producing anything that's worth stealing, then what is your business model?” If anybody can reproduce exactly what you are doing, then you don't have a very successful business.
Every company's got a budget, every company's got a bank account. They have everything from huge payroll systems to employee personal information to intellectual property, to secret plans of products they're going to be launching. And all of that is of key interest for espionage, whether it be industrial espionage by your competitors, or by foreign governments, or whoever the case may be.
So what are some of the ways that companies can mitigate these risks?
Understand that everyone in the organization is responsible for cybersecurity, no matter their role.
First and foremost, it starts with mindset. If you think that you're not a target, you have completely missed the boat.
Next, if you understand that there's a risk out there, but you don't make it the problem of every employee in the organization, you have missed the boat.
If you’re a lawyer in the Washington DC office of some multilateral, multinational law firm, you may think, “well, I'm the lawyer. I deal with lawyer stuff. We have an IT team, or we have a chief information security officer who's responsible for this.” You have missed the boat.
Everybody at every level of the organization, from a custodian, who can decide what gets thrown away, what pieces of paper or passwords are out there, all the way up to the senior management and the C-suite, and, of course, the board and the board of directors who set the tone for the organization.
And if cyber is not at the front of your mind in your overall risk management strategy, you have missed the boat.
Push beyond basic compliance initiatives into building an organization-wide culture of cybersecurity.
I talk to companies and clients about the key importance of creating a culture of cybersecurity. It has to be a problem for everybody, that everybody in the organization understands, and you have to prepare for it.
And one of the ways that companies tend to handle cybersecurity is as a compliance issue. “We have this HIPAA compliance rule, or Sarbanes-Oxley, where the SEC says we need to do X, Y, and Z to protect ourselves.”
Compliance is not a cybersecurity strategy. It's a strategy for not getting sued.
Compliance is the lowest level form of cybersecurity. You can be compliant and wholly vulnerable. So you need to focus on developing that strategy and making every member of your organization feel responsible for it.
Unfortunately, most companies tend to do this around punishment. In other words, when you join your company, they make you watch a really stupid 20-year-old video on cybersecurity. And at the end of it, they say, “if you don't follow our cybersecurity policy, we're going to fire you.”
That is not a way to build teamwork. That's not a way to educate people. That is not a way to prepare. It’s a way to check a box. And checking a box is never going to save you from these threats.
So building out a culture of cybersecurity is one of the key strategies. In order to be able to stand up to this threat, you need to make cybersecurity fun, as odd as that sounds.
You need to make it the responsibility of every frontline employee. You need to encourage people to report stuff, give away prizes, and have competitions for people that report the greatest number of phishing attacks. Because if you've got a chief information security officer and that person has got 20 people in their InfoSec team and a hundred thousand person corporation, you're missing out on 99,979 other people who are seeing cyber threats come across their radar every day and mostly ignoring them. Without that early warning network fully activated, you'll never be successful.
Prepare for a cyberattack with proactive scenario planning and simulations – on a consistent basis.
In the old days, you could think that people would never attack us, or we haven't been attacked yet, and therefore we’re safe.
Today, it’s more likely that either you've been attacked and know it, or you've been attacked and don't know it.
So how do you respond to a cyber incident when it inevitably occurs?
This is where so many companies fall down and break. They don't practice, they don't run red team exercises where, in effect, they simulate cybersecurity attacks.
You have to practice responding to a cybersecurity incident. You can't, once you're under cyber attack, take out the 300-page cybersecurity plan book off the shelf and start reading “step one, how to respond to a cybersecurity incident.” You need to practice. Practice makes perfect.
Imagine two pilots take off from JFK, and they're flying over the Atlantic Ocean, and the pilot suddenly notices that two engines on the plane have gone out, and he turns to the co-pilot and says, “Hey, we just lost two engines. What do you think we should do?” And the co-pilot responds, “You know, I've never really thought about that.”
That would never happen – they are prepared for every eventuality.
They've got books, they've got manuals, and they practice in simulators all the time. You would never want to get on a flight where a pilot didn't think about the engines going out, in the same way that you would never want to run a company or an organization where those responsible never thought about the extreme likelihood of a cyber attack. And we've seen companies fall down and respond to these incidents in abysmal ways over the years.
The key to your response plan is you need to practice, practice, practice, so that you're effective.
And that doesn’t mean running a simulation once every decade or two. Your employees are constantly changing. In a multinational corporation with a hundred thousand employees, you may have an employee turnover of 30% a year, which means that you have 30% new employees since the last time you ran a cybersecurity exercise. And, of course, the threats are always changing. So frequent practice and plan adaptation is critical to your preparation.
Use a secure, out-of-band network to plan your response to a data breach.
Once you’re involved in a breach, one of the biggest mistakes that companies make is that they try to plan their response to a data breach or a cybersecurity incident on a network that has been penetrated by the bad guys.
In other words, the bad guys have full access to their network. And on that fully breached network, you have employees talking about, “how are we going to mitigate this? Our data center in Houston just went down, and here's the cell phone number for the CEO. You’d better call him.”
All of those response procedures are being captured by the bad guys. And this is why so many companies stumble at the time of the inevitable data breach, because the bad guys have full access and are recording and may later share everything that you're doing in your failed response to the data breach.
The beautiful thing about CYGNVS is that it builds a separate, redundant, secure system upon which you can securely plan and even practice your response to a data breach. And that is critical, and that's why I'm so excited about the company and what they're doing, because nobody else is doing this in an effective way to date.
By Marc Goodman
Marc Goodman has spent a career in law enforcement and technology. He was appointed futurist-in-residence with the FBI, worked as a senior adviser to Interpol, and served as a street police officer. As the founder of the Future Crimes Institute and the Chair for Policy, Law, and Ethics at Silicon Valley’s Singularity University, he continues to investigate the intriguing and often terrifying intersection of science and security, uncovering nascent threats and combating the darker sides of technology.