Are You Prepared?
Security incidents are up 66% year-over-year since 2009. Despite this alarming statistic, 80% of CEOs report that they are confident in their company’s cybersecurity.
Cybercrime is on the rise.
Are you prepared?
Cybersecurity expert Ray A. Rothrock shares the tactics used by hackers and then arms management with the tools to prevent these hacks in his new book Digital Resilience: Is Your Company Ready for the Next Cyber Threat?
Why Leaders Must Pay Attention
Ray, your book is compelling. It starts by scaring us beyond belief. For those who haven’t read your book yet, would you go ahead and scare our readers…
By the end of 2016, one category of cyberattack on business—ransomware infection—topped 4,000 instances per day. One publication, CSO, recently posted an estimate that cybercrime damage will hit $6 trillion by 2021 and, by 2022, the human attack surface, the potential victim pool, for cybercrime will reach 6 billion, which is 75 percent of the projected 2020 world population of 8 billion.
So, if you want to be scared, chew on the incontrovertible fact that you and your business are being attacked today, and you will be attacked tomorrow and the day after and the day after that. Obviously, you need excellent cybersecurity—firewalls, antivirus software, antimalware software, automatic downloading and installation of the latest security patches for all your software, and a workforce educated in basic digital hygiene. Yet the hard truth is that even the best cybersecurity will be penetrated. Some of those daily attacks will pierce your perimeter defenses.
Mediocre security will stop some attacks. Good security will stop more attacks. The best security will stop even more. But, whether mediocre or exceptional, all security will ultimately fail. You will be breached, and, if you depend on security alone, the effects of the next breach—the next inevitable breach—may be annoying or may put your business at great risk. This is why you need both excellent digital security and excellent digital resilience. In short, you need to be prepared because you will be attacked. Resilience starts with preparation.
Shore Up Your Resilience
What is digital resilience?
Simply put, resilience is how you counter the attacks that get through your perimeter security. As cyberattacks are inevitable, successful cyberattacks, the fraction of attacks resulting in a data breach, are also inevitable. No perimeter security measure that is compatible with connectivity—in other words, compatible with doing business online—prevents all breaches. Digital resilience starts with preparation. Preparation consists of digital policies, software tools, and user training that bolster security by helping you to identify vulnerabilities in your network, that help you prioritize your data assets to give maximum protection to your most sensitive material, and that enable you to quickly detect breaches when they occur, contain them, minimize the damage they cause, and continue to do business while you deal with them. Resilient policies also aid in recovering quickly and efficiently from a breach and help you to learn from it, so that you can better guard against recurrences.
In the broader sense, resilience brings to digitally networked life the strength and durability we see in ecosystems in the natural world, in organisms, institutions, businesses, nations, and in the strong, agile, courageous individuals who have been admired throughout history. Resilience recognizes that doing business, like living your life, exposes you to both opportunity and risk. No suit of armor will protect you from everything. You need the ability to fight back against the dangers you cannot evade or prevent. You need the strength not only to survive but to power through the punishment. You need to develop the capacity to bounce back from acute crisis or catastrophe.
The Need for Leadership Intensity
With all the recent cyberattacks in the news, at a growing scale, why doesn’t it seem we have the appropriate level of leadership intensity devoted to it?
In many boardrooms and C-suites, cybersecurity is regarded as a technical support issue to be handled by IT or a CSO (Chief Security Officer) or CISO (Chief Information Security Officer). Insofar as it is perceived as an internal operations issue, cybersecurity ceases to be treated as a business issue. Top leadership tends either not to understand resilience or to see no difference between security and resilience. This lack of clarity is dangerous. Digital security is a security issue—traditionally the province of IT, the CSO, or the CISO. Digital resilience, however, is a business issue—the purview of the CEO. If security is about hunkering down behind perimeter defenses, resilience is about standing up to do business—even in the face of cyber threats and even under attack. Both security and resilience are essential to the survival and prosperity of any digitally connected business, but—as a business issue—resilience requires the involvement and commitment of the whole business, beginning at the highest leadership level of the organization.
My earnest advice is that businesses put good security measures in place, but that they prioritize resilience over them. This will not only manage the digital life of the company far more effectively, it will ensure that resilience is a front-and-center business issue and therefore has a claim on top leadership attention all the time. While this may sound like an expensive and time-consuming activity, experience convinces me that it actually saves time, expense, and—ultimately—the business.
What’s the best way to get boards and the C-suites appropriately educated on digital resilience?
Ensure that the company’s digital networks and data assets are protected by excellent security and excellent resilience, but prioritize resilience over security. This will make both cybersecurity and digital resilience whole-business issues instead of the exclusive province of the “techies” in IT. Digital resilience is more than technology. It is a critical element of business strategy.
Digital managers need to make a persuasive business case for resilience when they present it to boards and to C-suite management. Doing this requires overcoming a formidable language barrier. The terminology of cyber technology can make it hard to engage effectively with the leadership team. I hear all the time that non-technical executives are frustrated by a lack of meaningful metrics, the kind they use to assess productivity, quality, and risk in non-digital areas. So, when CIOs or CISOs speak to the board or to the CEO about resilience, they should take care to speak the language of business. Speak in terms of investment and ROI when you talk about digital resilience. Employ software tools that quantify the resilience of your company’s current network and data structures and that allow for clear and objective what-if analysis of the impact of proposed changes in network structure, hardware, data access, and so on. Quantification includes an ROI analysis of a specific dollar investment in resilience. Using the software and analytical tools will quantify both bang and buck.
Translate resilience into a business issue, and you will capture the attention of top leadership. You can legitimately scare boards and the C-suite with horror tales of fiduciary liability, but I believe it is far more effective to demonstrate how investing in resilience does not simply enhance overall cybersecurity, it gives the company a competitive edge. In the case of arguing fear or greed, I always argue greed. Increasingly, businesses want to do business with firms that protect data—and that can demonstrate just how effectively they protect data. Resilience is a powerful value-add to businesses, both B2B and B2C.
What are some of the major weaknesses in today’s business networks?
Virtually all the weaknesses of virtually all business networks come from a single cause: lack of knowledge and resilience strategy. Management is often woefully ignorant of the nature and structure of their own organization’s networks, data resources, or even how the networks and data are managed. Typically, no one on staff, let alone in the C-suite, has a complete, up-to-date picture of the network—all its hardware and software and all of its connections, especially to the outside. Very often, little or no attempt has been made to prioritize the data that is stored on the network and passes through the network. Some data needs to be generally accessible, including to the outside world. Other data, such as personnel records and key intellectual property, needs to be far more closely guarded. The architecture of the network should both enable and reflect this prioritization. But, as I say, in many—perhaps most—organizations, the network is so much dark matter, a black box. Data goes in and comes out, and nobody knows everything that happens to it or could happen to it in between.
That is a description of the general absence of clarity that prevails throughout business concerning networks. More specific issues include lack of informed attention to issues of hardware compatibilities and conflicts, lack of attention to how changes made in one part of the network affect other parts, failure to appreciate how the insecurity of, say, a vendor’s network affects your network whenever the two of you connect, and lack of rigor in updating software, firmware, and device drivers connected to your network.
Users of the network are often inadequately prepared. Leadership needs to answer these vital questions: Has everyone been educated in the principles, policies, and practices of essential digital hygiene? Do all employees recognize the signs, signals and earmarks of social engineering exploits? Is leadership fostering a culture that respects everyone’s data, especially the data customers entrust to the firm?
Knowledge—gaining a full, dynamic picture of the company’s networks, their connections, and the prioritization of the data stored and carried—is the first step toward digital resilience.
The Most Urgent Action Step Required
Would you share the most urgent action step required?
Most experts on this subject recommend as a first step that you audit your assets, their connections, and where your data exists in the network. This is great advice. I would add that you also must assess the security and resilience of your company’s networks by using software tools that probe every corner of the network, penetration testing (“pen testing”) the entire network. In short, the most urgent action step is to acquire knowledge of how and with whom your business connects and how your business prioritizes and protects data. Armed with this knowledge, you will have a clear picture of where your weaknesses likely are, and you can proceed accordingly to shore up your resilience.
For more information, see Digital Resilience: Is Your Company Ready for the Next Cyber Threat?