Cyber – as in cybertheft – may be the cool new prefix at the board table, but it’s often misunderstood by those who use it, writes Dave King, chief executive of Digitalis Reputation.
Thanks to the media, business leaders know they need to be scared of something – though typically they’re not sure what that ‘something’ is. Regulation of the financial services sector has ensured that major cyber-originated financial thefts are finally being reported, where previously they’d been hidden for fear of reputational damage. The danger of this, of course, is that company heads now think cyber risk relates only or mostly to financial data – whether customers’, or their own credit cards.
However, the biggest problem with the board-level perception of cyber risk is the assumption that it’s purely an IT problem. Financial theft gets the headlines but Verizon reports that one in five attacks are IP theft – and a growing number of those espionage raids begin with social engineering.
I remember back when web development first appeared as a budget ledger line, there were often debates as to whether it should be overseen by IT or marketing departments; here was a new phenomenon rooted in technology but which quickly became the most important outward-facing collateral of an organisation. Yet the apparent conflict in cyber is far more fundamental, and poses a much greater threat.
Best practice IT is a must – but it’s mostly tactical. When it comes to thinking beyond the generic cyber threat, there are three key questions to ask: (1) where are the crown jewels – i.e. what is it that comprises the real value within the organisation; (2) who is the potential attacker – state, competitor, hacktivist – and what is their typical modus operandi; and (3) what must we do to protect the priority assets from the identified threats? That last question in execution doubtless includes many more challenges for the IT department. But if its owner doesn’t have the authority to make wide-sweeping policy and personnel changes throughout the organisation, then it risks being flawed from the outset.
Whether it’s the proprietary trading algorithm of a hedge fund, the pre-patent application plans of a pharmaceuticals firm or the sensitive transaction being mooted in a FTSE environment, the enterprise value (EV) of many companies often relies on the protection of data. Sometimes that EV rests solely on the shoulders of the value of the IP (intellectual property, not internet protocol). So when one IP met the other, the single biggest vulnerability to the value of business was created.
The IT team has a massive role to play, there’s no doubt. Senior IT professionals have spent the last 10 years increasingly focused on network defence, data encryption and other new skill sets. But the CIO or CTO who thinks that the cyber threat to the business is an IT problem – and the CEO who asks his or her head of IT whether the network is secure as the test of cyber vulnerability – is missing the point.
Like so many things, off-the-shelf products and services are designed to address mainstream, mass-market threats – and many do a great job of it. But increasingly, dedicated cyber attacks begin with social engineering and prey not on technical weakness but on human vulnerability.
Recent successful red team compromises in the industry include the mining of social media data across an entire organisation’s personnel and subsequent bespoke, individual, phishing emails with links to photos of Martha’s 40th, and rewards for specifically identified corporate charity triathlon performance. More disconcertingly still, the digital shadow left by one organisation enabled the construction of a seemingly bona fide representative of a supplier who required access to the theoretically secure server room. Physical access was gained, compromising all virtual protection.
So what’s missing? Well, metaphorically, we’re getting better and better at installing sophisticated burglar alarms, infrared sensors and in some cases guards on the gate and snipers on the roof. But what we’re not doing is educating the house staff in what a threat might look like; nor are we making sufficient efforts to ensure they are not cloned or mimicked. So the best attacker walks straight in the front door, either having bribed the housemaid or having dressed up as her. He ignores the cash in the safe, quietly steals the design prototypes and client Rolodex and leaves without a trace.
Training and understanding are as fundamental to mitigation as any technology. Since the most sensitive information often resides at chairman or CEO level, that’s where the biggest vulnerability lies too. So until cyber is fully understood at the board table – in terms of what the threat looks like and from whom – the enterprise is working with a great big IT-shaped sticking plaster when the patient is potentially bleeding out from another artery.