When it comes to cyber security, the biggest problem executives face today is the institutional failure to grasp the way hackers and identity thieves operate.
While there seems to be a general understanding that email is a way people get hacked and it is imperative personal information be protected, somehow the idea that breaches and other compromises are inevitable hasn’t quite sunk in. Nor has the message that cyber criminals are constantly hunting for vulnerabilities.
Just a few weeks ago a massive distributed denial of service (DDoS) attack on Dyn, a provider of DNS services, slowed to a crawl, or completely stopped, traffic to major sites including PayPal, Amazon, Twitter, Reddit, HBO and the PlayStation Network. None of those sites was attacked directly; they were unreachable because the service that resolves their domain names was flooded.
This happened because the attackers found a weakness sufficiently widespread to assemble a digital blitz that worked. This is neither the first nor the last assault of its kind, but its size was unprecedented at the time. When it happens again, and doubtless it will, no one can say they weren't warned.
The manufacturer of the webcams that made this particular attack possible, in addition to recalling certain older versions of the device, will probably reconsider the default password setting it shipped, since that was how the devices were taken over: the attackers bet that most consumers would never change the factory credentials, and they were right. It will do this because it is a liability issue. Tens of thousands of its products were conscripted into a botnet and used to inflict damage on significant third parties. The practical lesson for any company is simpler than a recall: every connected device you deploy belongs on an inventory, and its default credentials get changed before it goes online. The specter of lawsuits isn't the only reason I bring up Dyn. Unthinkable disruptions can be visited upon any company and are impossible to foresee; if you're not set up right, you will also be vulnerable to the thinkable (i.e., avoidable) ones.
This is why no C-suite discussion about a product or service should be conducted without inviting a hacker to the table. Now before you get too alarmed, you probably already have one working for you, namely, your chief information security officer, or CISO.
Distributed denial of service attacks are limited in time. While they can cause real harm, they generally get resolved within hours, and there are much worse things that can happen.
Ransomware is a significant risk that countless enterprises face today. In the simplest terms, it is malware, usually delivered through an email attachment or link, that encrypts the files on servers and workstations, or locks the machines outright, until a ransom is paid. Paying does not guarantee that the files come back, which is why the practical defense is tested, offline backups and the ability to restore from them quickly.
Ransomware attacks are growing rapidly. Last year saw a 125 percent increase in attacks over 2014. This year is much worse: according to FBI statistics, over $209 million was paid out in the first quarter of 2016, compared with $24 million in all of 2015. The most recent attack of note hit San Francisco during the first weekend of holiday shopping. Ransomware, reported to have originated in Russia, took control of about 2,000 of the 8,656 computers used by the San Francisco Municipal Transportation Agency (SFMTA). The attackers demanded the equivalent of $73,000 in bitcoin for their release. As a precaution, the SFMTA opened its fare gates and gave free rides to the metro area's 837,000 users throughout the weekend.
Why so dire?
Consider this: your information security controls have to be perfect.
Anyone who's spent any amount of time in a C-suite knows how often "perfect" actually happens on a weekly, daily or even hourly basis. Compound that reality with this one: the modes of attack (phishing, spear phishing, distributed denial of service and more) are many and various, and almost always depend at least to some extent on a human decision somewhere along the way.
Imperfect, May I Introduce Disaster?
The fact is that your CISO or equivalent has to get everything right, and a hacker need only find one vulnerability. It's competence versus persistence and luck, and you can guess who wins more often. That asymmetry is the argument for layered defenses and fast detection, not for hoping that prevention alone will hold.
There is often a misconception that it somehow matters how large or small the enterprise is. Banish the thought.
It really doesn’t matter if you are using a server set up for the Pentagon (especially in light of all of the government hacks over the past few years), nor does it matter if you have a small database of customers or if you manage the personally identifiable information of tens of millions of consumers. There is no such thing as being beyond the reach—or notice—of hackers.
Change the Tone
Management thinker Peter Drucker usually gets credit for the phrase, "Culture eats strategy for breakfast." These days, many companies have a strategy of some kind for protecting their data and their systems. But hackers have a culture of breaking down these defenses. That's bad news for your company's strategy.
Remember the Target breach? It was by no means the first major compromise of a megacompany, but because it is an iconic retailer, the breach resonated with consumers, businesses, regulators and lawmakers alike; fueled headlines for months; and resulted in a number of senior managers, including the CEO, walking the plank. One reason was that it happened during the holidays when the world was focused on shopping. The other reason was that the breach was simply so massive. It was disastrous for the company. For a period of time, it harmed the brand immeasurably. In fact, in many circles, the name Target was (and frankly, to some extent still is) synonymous with the word “breach,” that is until the parade of breaches was so interminable that the tide of opinion changed. Many now see breaches as the third certainty in life.
Following news of the Target breach, first-quarter profit fell 16 percent from the same period the year before, and the company's stock lost more than 16 percent of its value. There were several factors that put a damper on earnings that year, including a total dud of an expansion into Canada that cost $941 million, but the damage caused by the breach should not be underestimated.
A big part of Target’s problem was that customers worried about shopping there.
Say it with me now: Data compromises are the third certainty in life.
In the age of transparency and a twenty-four-hour news cycle that can start with a single outrageous tweet by a customer, client, disgruntled employee, or President-elect, there really is nowhere to run and nowhere to hide. That’s been the flashlight-under-the-chin message hackers have been trying to get out there for years. At first it seemed like boasting. Now it seems more like an understatement. And for anyone who has ever become the victim of a ransomware attack, a DDoS assault or an identity-related crime, the nowhere-to-hide message hits home with painful accuracy.
Target’s problem was a failure in vision—and that’s why it’s only right that the CEO took the hit. Awareness of our collective data insecurity needs to become second nature so that when the dark day of a major hack or data breach arrives, the notification and resolution process is pure muscle memory. Data security must become a part of a company’s culture, just like employee benefits and legal affairs.
When culture takes a backseat to insincere remorse dispensed by publicity departments charged with moving product and “growing the brand” rather than saving it from ignominy, you are going to need much more than a voucher for one or two years of credit and identity monitoring and a 10 percent off sale to attract customers.
In a corporate culture that assumes and prepares for the worst-case data-security scenarios, and puts emphasis on urgency, transparency, and empathy, the true risk of a breach—massive loss of customer loyalty—can be contained and perhaps reversed. Putting the pitfalls of the inevitable into human terms is how you build and sustain brand equity.
For more on this, read the Culture Eats Strategy chapter in my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.
Written by Adam K. Levin.
Adam K. Levin is a consumer advocate with more than 30 years of experience and is a nationally recognized expert on security, privacy, identity theft, fraud, and personal finance. A former Director of the New Jersey Division of Consumer Affairs, Mr. Levin is Chairman and founder of IDT911 (IDentity Theft 911) and co-founder of Credit.com. Adam Levin is the author of Amazon Best Selling Book Swiped, available now. Connect with Adam on Twitter at @Adam_K_Levin. For more information visit adamlevin.com.