When the WannaCry ransomware attack was launched in May, it shocked businesspeople around the world. But security experts will tell you that it was just part of a larger, ongoing trend in which cyberattacks are constantly evolving—and becoming more sophisticated.
Dealing with cybersecurity challenges is an unending battle. But CEOs can take steps to help ensure that their organizations are ready—and a good starting point is a comprehensive view of the issue. Cybersecurity needs to encompass people, processes and technologies, says T. Casey Fleming, CEO of the BLACKOPS Partners security firm in Washington, D.C., and it needs to receive top management’s attention. “This needs to be led and driven by the CEO and board,” he says.
“When in a matter of hours a company can suffer a massive reputation or brand hit, or financial or stock price hit, then it’s clearly a business problem.”
The Ever-Changing Threat
Keeping business information secure is not getting any easier. The proliferation of mobile technology and connected Internet of Things devices creates an array of entry points to corporate systems. It also means that a great deal of corporate technology is outside the direct control of the IT department—including a lot of data and applications. “It’s not just about compromising a network and utilizing computers and servers to do evil things anymore,” says Christopher Ensey, COO of Dunbar Security Solutions, in Hunt Valley, Maryland. “It’s also about these new applications that are the new data troves for the really powerful or valuable corporate information.”
At the same time, the tools for doing evil are widely available. Software that can be used to launch cyberattacks is increasingly easy to find, as is “crime as a service” in which, for example, criminals offer to conduct denial of service attacks on an on-demand basis. “It’s now really easy to get into the cybercrime game as a junior player, which is fundamental to what we’re seeing,” says Roderick Jones, CEO of the Rubica security firm in San Francisco. Criminals simply don’t need a lot of technical expertise to compromise company systems.
The power of crimeware itself has grown by leaps and bounds—largely because much of it is being created by nations that are targeting U.S. institutions and businesses. “These tools are being developed and then actually given to organized crime groups by Russians and others in opposition to the U.S.,” says Jones. “So there is this enormous kind of asymmetry that CEOs have to deal with.”
Tightening Up the Technology
In this environment, CEOs need to work on several fronts. The traditional IT department is still key to security. Thus, says Ensey, CEOs need to ask their CIOs, “Are we staying in alignment with best practices in IT for security?” That may seem obvious, but busy IT groups often fall behind on some of the basics of security, such as updating systems. It’s worth noting that the WannaCry ransomware exploited systems that had older software or had not installed a recent security patch.
Meanwhile, corporate security technologies are also becoming more sophisticated. Roderick Jones points to tools such as anomaly detection, which uses rules-based systems to spot unusual patterns in network usage and user behavior, and penetration testing—the launching of friendly attacks on networks to identify weaknesses. Looking ahead, companies may turn to active defense techniques—things like embedding data with code that attacks the criminals’ systems if the data is stolen. The technology for this exists, Jones says, but its use would raise legal questions.
“But active defense is an emerging area that CEOs should be aware of,” he says. A decision to use it “would have to necessarily involve the CEO in the discussion, because of the policy and reputational implications of that process.”
In many IT landscapes, the cloud is an area of special concern. Having infrastructure and software provided as a service over the network naturally involves security risks that differ from those found in the traditional data center operating behind the firewall. “As a CEO of a company that is very much cloud-enabled, I think about [cloud security] all the time,” says Yong-Gon Chon, CEO of Focal Point Data Risk in Tampa. “There’s a blessing and a curse when moving to the cloud.”
The cloud offers significant benefits, such as greater flexibility and less capital expense. It also means losing a degree of control over security policies—time-to-respond when there is a breach, for example, or software patching schedules. CEOs need to balance those factors when looking at the cloud.
“As a practical matter, when you’re connecting to the Internet and you’re entrusting a cloud provider with your data, there is no such thing as 100% risk mitigation,” Chon continues. However, CEOs should keep in mind that major cloud providers typically have very robust security—often better than a mid-size company could maintain in-house. In addition, he says, executives should look at ways to transfer risk they can’t mitigate, for example through contracts that shift some risk to the cloud provider, or by purchasing cyber liability insurance.
Take it Personally
Cybersecurity experts have long recognized that the weakest point in corporate defenses is not the technology, but the people using the technology. And today, that is truer than ever. “It’s important to remember that one single ‘insider’… can render all cybersecurity hardware and software investments useless,” says BLACKOPS’s Fleming. And insiders are not just employees—think of supply chain partners, vendors and ex-employees as well.
The list should also include the CEO and other executives—people who are especially attractive targets because of their authority and their access to a wide range of company systems.
The FBI reported last year that spear-phishing scams that use fake executive emails to direct payments to phony vendors had cost companies $2.3 billion in the previous three years. In essence, the criminals include details that make a recipient view the email as legitimate. To get that information, they are often making an end run around corporate security, targeting executives’ personal accounts and online activities outside the corporate firewall, as well as family members’ online activity.
With all that in mind, CEOs not only need to be cautious—they might also want to rethink their own access to company information. Instead of directly accessing certain HR systems, for example, might they rely instead on reports from others? “In some ways, the less you know digitally, the better,” says Jones. “You may not want to access some of the core systems in your business, because you are the most prominent person and you’re that most obvious person that will be attacked.”
Organizing the Defense
Cybersecurity is indeed a business issue, and it needs to be dealt with that way. “Cybersecurity is everything from the training department to the marketing team to HR, legal, risk governance and compliance,” says Ensey. “Every piece of the business is involved in the solution to cybersecurity challenge.”
With that in mind, CEOs can:
GET A CHIEF INFORMATION SECURITY OFFICER (CISO). Today, the CIO often oversees cybersecurity, but cybersecurity has grown into a separate discipline, and experts recommend that companies name a CISO to oversee the many facets of cybersecurity.
Ideally, this will be someone with a deep background in the field. Such individuals are in short supply, and some companies may not be in a position to support a CISO function. In that case, appoint a non-specialist, which will at least put a person in place who can maintain a big-picture perspective and work with outside cybersecurity consultants as needed. Also, it’s important that the CISO not report up through the CIO. “You want to be able to bring them into a board meeting separately so you get two different viewpoints,” says Fleming. “Don’t have the CISO’s reporting sanitized by the CIO.”
IMPROVE COMMUNICATIONS WITH THE BOARD. Security professionals have their own perspective, and it often differs from the board’s. To help bridge the gap, CEOs can encourage CISOs and CIOs to use business language. Focal Point’s Chon also suggests using a cyber balance sheet. This lists assets and liabilities in categories such as data, human capital and so forth, with a checklist showing a risk profile for each—all of which helps the board and security experts understand each other.
ASSUME THE WORST. In reality, companies are very likely to experience breaches of their systems. Thus, it can be useful to assume that it will happen, and then give some thought to how the organization will deal with such an event. “If breaches are a fact of life, worry about the stuff you can control as opposed to the stuff that you can’t control,” says Chon, who says that key questions include, “What happens to our business when the most valuable data that we have gets stolen? How does that impact our ability to make money or our brand? How do we manage the business disruption?”
The answers to such questions should be documented in a written response plan spelling out how systems and data will be recovered and how the issue will be communicated to customers, shareholders and regulators.
Altogether, a lot of this puts the CEO on familiar ground. Managing financial and operational risk is central to the CEO’s job, and now cyber risk needs to be added to the list. As with other major initiatives, CEOs need to lead by example. “They must own it and they must lead it,” says Fleming. “We’re talking about a cultural change. We’re talking about policy changes and funding allocation changes. And that is all done at the CEO level.”