The first mistake companies make while trying to protect their digital assets is to believe they can be secure. “Forget aspiring to full protection. Hacking is black magic engaged in by a ton of bad guys from Russia to Romania whose citizens do not necessarily view them as the bad guys,” Eric Cornelius shared at Fusion 2017.
Cornelius serves as the Director of Critical Infrastructure and Industrial Control Systems at Cylance, a software firm that predicts, prevents and protects its clients, many of them Fortune 1000 companies, from cyber threats. “What you can do,” he argued, “is understand and then manage your cyber security risk from sophisticated threat actors who aim to steal your data or disrupt your business.”
Cornelius gained my undivided attention when he explained exactly how one of these bad guys gets past a company firewall and steals the crown jewels. (Cornelius previously worked for Homeland Security and the US Army.) Hackers rely on the fact that “Humans fail,” he said. Clicking on anything in a phishing email, or accepting a Facebook friend request from a hijacked account while inside the company’s firewall, creates an opening for the hacker to find the domain controller, map the drives, search the drives, and then steal the data or disrupt operations. It takes a hacker 36 hours to achieve this victory; it takes a company on average 236 days to identify what happened and respond. In other words, in 2017 the odds are stacked against the good guys.
The well-known 80/20 Rule applies here: 80% of your risk comes from 20% of places, according to Cornelius. Identify the most vulnerable areas – the choke points where data and programs come together – and protect these weak spots. Technology helps, he added, but security programs must involve far more than technology acquisitions. For every $10 you spend on cyber safety, allocate $8 to people (or to outside vendors, if you cannot afford leading talent). “90% of the steps are hygiene. The more you know, the less technology you need for protection,” Cornelius advised.
Cornelius encouraged, for example, reducing the “attack surface” by not allowing personal work on company computers and by using two-level passwords. Kurt Roemer, Chief Security Strategist for Citrix, argued in his comments for limiting biometrics as security devices, because once a biometric (fingerprint, retina, etc.) is compromised, you cannot change it.
I recently watched a great old Western, Who Shot Liberty Valance. It reminded me there was a time in our nation when guns versus the law decided who won and lost a disagreement. Cyber insurance and regulations are the Wild West of today’s digital world. The digital world is moving so fast that it is challenging for legislators and insurance commissioners to create model laws and policies. Also, insurers lack the historical database that would let them predict current risks. Finally, settled case law is missing for cyber security, taxing the courts when they must make decisions.
Small and medium-sized organizations are most at risk, as their insurance brokers, in general, do not understand cyber security insurance. As a result, companies are often under-insured, according to a panel speaking at Fusion 2017. Because policies are hard to compare, it is essential that you bring your lawyer into the process to evaluate offerings and work with a broker who is an expert in cyber insurance risk. Breaches hurting employees (the largest claim area) are deemed negligence if the organization failed to adopt the best practices of its industry in managing cyber security risks. Also, in the event of a breach, keep your lawyer on your side and make sure she receives your forensics report, as attorney-client privilege protects its contents.
The digital world creates many opportunities for new revenue, enhanced customer experiences, and cost-savings. The price we pay for these gains? Security risk. It may be difficult, but leadership must quantify potential losses from a security breach. Only then can you decide on an appropriate level of investment to protect against that loss. Customer relationships, employee relationships, court penalties, reputational damage, and competitive risks all enter the calculation.
The analogy is not exact, but imagine United Airlines calculated its risks and created employee rules of engagement that aligned with those risks. Gate personnel would never have ordered TSA security to drag a paid passenger from his seat. In fact, United could have handed a passenger a million dollars to leave his or her seat and be ahead financially today. Hundreds of millions, in fact.
Where do your liabilities lie? What is your cyber version of the United passenger fiasco—something management could have easily prevented had policies and procedures taken long-term risks and brand damage into account?