“Cyber” is suddenly the new buzz word at the board table. But just like its predecessors, it is often misunderstood – or at least not fully understood – by those who use it.
The media has ensured that those running businesses know they need to be scared about something – though typically they're not sure what. Regulation of the financial services sector has ensured that (at last) major cyber-originated financial thefts are now reported, where previously they had been hidden for fear of reputational damage. The danger of this coverage is that the CEO or chairman now thinks that cyber risk relates only or mostly to financial data (whether that of customers or his or her own credit card).
But the biggest problem with the board-level perception of cyber risk is the assumption that it's just an IT problem. Financial theft gets the headlines but Verizon reports that one in five attacks targets IP theft and a growing number of those espionage attacks begin with social engineering.
When web development first appeared as a budget ledger line, there was often debate in major organisations as to whether it should be overseen by the IT or the marketing department – here was a new phenomenon rooted in technology which quickly became the most important outward-facing collateral of the organisation. Yet the apparent conflict in cyber is far more fundamental and poses a much greater threat.
Good, generic, best-practice IT is a must; but it's mostly tactical. When it comes to thinking beyond the generic cyber threat, there are three key questions to ask: (1) where are the Crown jewels – ie what comprises the real value within the organisation?; (2) who is the potential attacker – State, competitor, hacktivist – and what is their typical modus operandi?; and (3) what must we do to protect the priority assets as best we can from the identified threats? That last question doubtless includes many more challenges for the IT department, but if its owner doesn't have the authority to make sweeping policy and personnel changes throughout the organisation, then the answer risks being flawed from the outset. Questions (1) and (2), of course, can only be answered exhaustively by the board as a whole.
Whether it's the proprietary trading algorithm of a hedge fund, the pre-patent application plans of a pharmaceuticals firm or the sensitive transaction being mooted in a FTSE environment, the enterprise value (EV) of many companies often relies on the protection of data. Sometimes that EV rests solely on the shoulders of the value of the IP (Intellectual Property, not Internet Protocol!) in those ideas. So when one IP met the other, the single biggest vulnerability to the value of business was created.
Technology and the IT team have a massive role to play, there's no doubt. Senior IT professionals have spent the last ten years increasingly focused on network defence, data encryption and other new skill sets. Assessing network data monitoring tools, deploying penetration testing, keeping on top of bug fixes and upgrading hardware and software are daily chores for most. But the CIO or CTO who thinks that the cyber threat to the business is an IT problem – and the CEO who asks his or her head of IT whether the network is secure as the test of cyber vulnerability or readiness – is missing the point.
Off-the-shelf products and services are designed to address mainstream, mass-market threats – and many do a great job of it. But increasingly, dedicated cyber attacks begin with social engineering and prey not on technical weakness but on human vulnerability.
Recent successful red team compromises in the industry include the mining of social media data across an entire organisation's personnel and subsequent bespoke, individual, phishing emails with links to photos of Martha's 40th, and rewards for specifically identified corporate charity triathlon performance. More disconcertingly still, the digital shadow left by one organisation's people enabled the construction of a seemingly bona fide representative of a supplier who required access to the theoretically secure server room. Physical access was gained, compromising all virtual protection.
So what's missing? Well, metaphorically, we're getting better and better at installing sophisticated burglar alarms, infrared sensors and in some cases guards on the gate and snipers on the roof. But what we're not doing is educating the house staff in what a threat might look like; nor are we making sufficient efforts to ensure they are not cloned or mimicked. So the best attacker walks straight in the front door, either having bribed the housemaid or dressed up as her. He ignores the cash in the safe, quietly stealing the design prototypes and client database before leaving without a trace.
Training and understanding are as fundamental to mitigation as any technology. Since the most sensitive information often resides at chairman or CEO level, that's where the biggest vulnerability lies too. So until cyber is fully understood at the board table – in terms of what the threat looks like and from whom – the enterprise is working with a great big IT-shaped sticking plaster while the patient is potentially bleeding out from another artery.
Contributed by Dave King, CEO, Digitalis Reputation