Despite continuously rising cyber security threats, we remain our own worst enemy. Below is a candid look at why we continuously fail to address our cyber vulnerabilities and what we can do to change our behavior.
This is part one of a two-part series. See part 2.
We make a hacker’s job easy. From poor passwords, to clicking on suspicious links, to failing to keep our systems patched, we leave the door wide open for cyber threats. Ask a penetration tester, those people you hire to hack your system and tell you how to fix it, and they’ll say that they’re bored. They want a challenge. They’re done by lunch. A tester will roll into your company with a list of default passwords, a simple phishing attack, and a toolset to exploit existing vulnerabilities, and they will own your system before their morning coffee gets cold.
The WannaCry ransomware attack is a good case study for this. Not only was WannaCry one of the largest attacks in history, infecting hundreds of thousands of computers across over 150 countries, but it was also completely preventable. The vulnerability it exploited was not only known, but it had been popularized in the news as one of the vulnerabilities used by the NSA and leaked to WikiLeaks. Microsoft had released a patch for it months before the ransomware was released. You would think that an NSA-level vulnerability would motivate people to run the patch. Alas, they did not, and it was only by luck that a malware tech incidentally triggered a kill switch that slowed it down.
The question then is why. Why don’t we all implement the basic cyber hygiene that would make these types of attacks obsolete? Are we lazy? Foolish? Irresponsible? Although these are easy answers, they are neither accurate nor helpful.
To get to real answers, we need to take a long look in the mirror. Here are some reasons why we are self-defeating and what we can do about it.
We hope this sparks discussion.
We don’t think it can happen to us
When it comes to cyber security, too many companies have an incredible propensity for self-denial. They convince themselves of excuses such as “We’re not targets” or “I don’t have access to anything a hacker would want” or “Nothing’s happened yet.” With cyber, you are investing so that things don’t happen, which makes the spending harder to justify. Additionally, the investment in cyber is unclear, ongoing, and increasing. A lot of executives don’t want to look into cyber security for fear of opening up a costly can of worms. To even look into the cyber Pandora’s Box might make them legally obligated to address cyber issues. Denial is much more cost effective.
What we can do: The fact that companies are reticent to take on new expenses that impact their bottom lines isn’t a bad thing. It’s prudent for a company to be cautious about new investments, especially recurring and costly ones. However, the reality is that every company is a target. Hackers are often indiscriminate about who they attack. They are broadening their traditional targets, and they are getting more efficient and automated. There are three levers we can pull to make companies take cyber security more seriously:
- Create a market pull: Companies care not only about their bottom line, they are also highly motivated by their top line. If their cyber security maturity directly impacts their sales, they will invest in it. Thus, companies should have much higher expectations of their vendors, suppliers, and partners. They need to make cyber an expressed part of their sales cycle, a key purchasing criterion, and an integrated part of their contracts. As soon as companies cannot bid on a sale or lose opportunities because of cyber security, they will make it a priority.
- Hold CEOs accountable: Boards of directors need to make cyber a core priority, and hold the CEO directly accountable for reducing cyber risks. If CEOs know their jobs are on the line, cyber will be a key priority.
- Make it real: You can show executives statistics, give them warnings, and even do table-top exercises to show them what could happen. However, there is nothing more compelling than an actual compromise. Some companies do this by launching targeted phishing attacks on their senior executives, and then reporting the results at their senior meetings. Other companies have been known to create a controlled hack that temporarily shuts down an important system or process. This is not a penetration test where a white hat hacker tries to infiltrate a system but does no real damage. This is a full, live-fire exercise, where a designated system is under attack. This is much trickier to pull off, and involves a number of legal, strategic, and operational hurdles, but it can be very effective. The bottom line is that the threat and impacts of cyber attacks need to be real for the organization.
We don’t take ownership of the problem
Cyber security is a slippery topic. It cuts across departments, organizations, and industries, which makes it very easy to say that it’s someone else’s problem. Who is responsible for making sure employees don’t download unauthorized applications that might contain malware? The cybersecurity department? The training organization? The line-of-business?
Consider a supply chain. Most companies that manufacture products have both supply chain organizations and cyber security organizations. There is often confusion about who has ultimate responsibility over the security of the components. Are they free of malware? Has the manufacturing process been compromised? The supply chain organizations want to pass that off to cyber security, while the cyber executives want to focus on how suppliers might connect to the corporate network, rather than on securing supply chain, manufacturing, and delivery processes.
These types of examples exist across almost any aspect of operations. Anywhere there is a digital seam stitching together different connected environments you get this kind of ambiguity. As a result, security becomes the “other” group’s responsibility, and more importantly, their budget.
What we can do: We cannot pass the buck. Cyber security is too important to push the responsibility down the line.
- Map your cyber seams: We need to see where these cyber seams exist. Companies should map the points where their data, systems, and digital processes cross departments as well as where they connect with outside organizations.
- Assign cyber accountability: At each of the cyber seams, companies need to decide who is accountable for cyber security and define specifically what that responsibility entails. They need to define how departments must coordinate, share, and collaborate to optimize their security posture.
- Provide funding and authority: Companies then need to provide the funding and authority to implement the right security measures.
- Sharpen your external connections: Where these seams cross organizations, there needs to be clear legal language that defines cyber accountability, roles, and obligations to share information.
We think it’s the CISO’s problem to solve
As companies become more connected, CISOs are being squeezed between increasing accountability and decreasing control. On one hand, they are being called in front of the Boards of Directors to report on their cyber program’s progress and reassure their leadership that they are reducing risk. On the other hand, they are losing visibility and control over an elastic and ever-expanding attack surface. Many executives believe that cyber security is the CISO’s problem to solve, yet most vulnerabilities and exposures exist outside of their direct control. This is an impossible dilemma, and sets CISOs up for failure. Most CISOs are struggling to keep up with the basic demands of cyber security. The old model of stuffing cyber security into a single stove-piped department will simply not work. That is an industrial age mindset for an information age problem.
What we can do: The reality is that cyber security can’t be confined to one department. It impacts every aspect of how a company conducts its business, so it must be shared.
- Broaden the CISO’s role: This means that cyber responsibilities that fall outside the CISO’s direct control need to be shared by the executives who most directly have purview over them. The CISO’s role should evolve into three key areas:
  - Protection and defense of the networks, systems, and devices over which they have direct control
  - Advisory role to parts of the organization that have cyber responsibilities outside of the CISO’s direct control
  - Oversight of the corporate cyber security posture and progress
- Make cyber part of job descriptions: Anyone who has cyber security responsibilities needs to have them clearly defined in their job descriptions. They need to understand their cyber accountability and what authorities they have to execute their cyber responsibilities.
- Tie cyber to performance and bonuses: Cyber security should be part of executive performance reviews, bonus structures and compensation – nothing gets you to focus like your money.
We’re in too big of a rush to get to market
Cyber issues often start before we even receive a product. As more companies are rushing to digitally transform their operations, provide new ways to connect with their customers and partners, and develop connected devices, they often skip over key cyber security steps. If cyber is considered, it is usually bolted on at the end. The culture of “launch and patch” iterative development works for agile software development, but it presents fundamental risk exposure for cyber security. To shortcut their time-to-market, companies will ship products with vulnerabilities, exposures, and default configurations that can easily be exploited. IoT expansion is only making this worse. With security standards that are still forming, low barriers to entry, and high market demand, connected devices pose a significant cyber security threat.
What we can do: Resisting market pressure is going to be very challenging, but companies need to understand that cyber security is an inherent part of their brand, which means they will be judged on it. How they are judged is up to them. Sending out products with little to no cyber protection is like sending out brand bombs to the market that can go off at any time.
- Standardize security-by-design: Poor cyber security is a fundamental design flaw. The sooner companies adopt that perspective, the sooner they will integrate security early in their product development process. It is much more effective to bake cyber in early, than have to redesign your products after they are in the market.
- Hack it, then hack it again: Companies need to break their own products, and they need to do it repeatedly throughout the development process. They should either outsource this or create their own product penetration labs to break their products before hackers do.
- Raise market expectations: Companies need to raise the cyber expectations of their vendors and suppliers. Make cyber security a critical purchasing criterion, and make sure that vendors not only design, but configure their products to secure default settings before they ship. Make cyber a competitive differentiator. Also, don’t believe vendors when they say that it will significantly drive up costs. Basic cyber hygiene and cyber security that is addressed early in the product development process can be cost effective. A clear market demand is one of the few things strong enough to counter the pressure for companies to rush to market.
Two common themes among the root causes listed above are ownership and motivation. Companies and their executives are slow to take direct responsibility for cyber security. Considering that cyber security represents risks, costs, and expanded responsibilities, it’s not surprising.
To make any real changes, we will need to rethink and clearly define cyber roles and responsibilities. We will also need to use market forces, leadership expectations, and compensation to drive the priority of cyber security. We also need to give executives the authority, funding, and support to be successful. Simply holding them accountable, without giving them a path to success, will not work.
In the next part of this series, we will take a look at the communication breakdowns and behavioral management failures that hurt our ability to protect ourselves against cyber attacks.
Cyber is the new reality in business. Every digital aspect of running a business is inextricably tied to cyber security. We cannot afford to hide from our cyber responsibilities, and we all need a cyber reality check to address the underlying reasons why we are our own worst enemies.