It’s hard to believe in something you can’t see
Cyber Security is the practice of protecting your digital assets and the data that they process, transport and store from unauthorized use, modification, or obstruction. It is crucial that people understand the real and present threats the cyber world represents. Most organizations and individuals are simply unaware of the threat cyber-attacks represent to them, but the truth is that we are at war. Cyber-attacks are happening all around us and we are simply unaware or too busy to care. By the time most companies realize just how much damage has already been done to their “protected” assets & data, it’s too late.
Shayne Champion, Conversant Group’s Chief Information Security Officer (CISO), warns against two threats that have enabled a mainstream mentality of ignorance toward cyber threats to continue. First, the busyness of corporate America is a hacker’s dream because we just get too busy. For example, email is the highest risk threat vector because most of us do not have time to think critically about the email we are about to open; we are all just hurrying to get through the next two hundred unopened messages in the inbox. Cyber criminals count on the fact that we are simply too busy to pay attention.
Secondly, companies have a flawed perspective of cyber security. Most organizations consider cyber security a sunk cost, but we have the power to change that. Cyber security is a real business need in our modern age where most systems are connected to the Internet. Once, most businesses considered having insurance foolish too, but now everybody understands the value of insurance and gets how that cost protects the company. Likewise, a strong cyber security program is an asset to your corporation – not a liability. It adds value to your business if you can protect your clients’ information better than your competitor. Instead of thinking we are just throwing money away, we should look at our cyber security programs as a competitive advantage.
“The reality is, what company can really operate well without connection to the internet, or a network of sharing data, as long as that is a requirement for our business model? Here in America, we must protect our company, our customers, and all their critical data.”
Who is doing the hacking? Champion breaks it down into four main categories:
- Nation States
Nation state crime is two-fold. For one, we have nations attacking our critical infrastructure; this includes the threat actor countries we would expect: Russia, China, North Korea, Iran, etc. However, there is a second facet to their attacks as well. Neither China nor Russia has the separation between government and industry that Americans consider ‘normal’. As a result, these nation-states, namely China, are directly helping their economy by using their government-sponsored hackers to steal the Intellectual Property (IP) of western commercial interests in a very organized and systematic way. This presents an enormous threat to US companies to the tune of $300-500 billion to China alone – and that is just the theft we know about. These nations will steal information on a product an American company has paid to develop and patent, turn around and patent it elsewhere in the world (e.g., the EU), and by the time the company moves to a European market they are ‘infringing’ on a Chinese copyright on the product they developed.
- Organized crime
Organized crime has really taken root in cyber security, particularly in eastern Asia (Russia and China). It may seem odd that the ‘mafia’ is into hacking, but the truth is that, as reported by the 2013 Europol Serious & Organized Threat Assessment, the “Total Global Impact of Cybercrime [has risen to] US $3 Trillion, making it more profitable than the global trade in marijuana, cocaine and heroin combined.” These organizations are run professionally – having tech support and human resources staffing – and they take hacking very seriously.
- Hacktivists
Like traditional ‘activists’, these are groups of people that will actively oppose individuals, organizations, agencies, or even countries that stand against what they believe by using their hacking skills. It is the digital equivalent of Greenpeace sailing their ship in front of a whaling vessel. These threats tend to be rare and have been trending down over the last few years, but they do still exist.
- Script Kiddies
These are usually the least lethal threat to the business. Script Kiddies are low-knowledge wannabe hackers who have access to free tools they barely know how to employ. They usually consider hacking a fun game and are just interested to see how far they can get into a system and to be ‘smarter’ than your system administrators. While they are not usually knowledgeable enough to know how to do serious damage, sometimes even amateurs get lucky. They represent less malicious intent than for-profit hackers but they can still do a great deal of damage – even if by accident.
Although these threats are real and happening all around us, Champion said that the basic concept is to make it inconvenient for the hackers to get in. The problem is there are so many soft targets out there that it is a hacker’s playground. It is like locking your door when you leave your house in the morning. We know that a locked door will not stop a serious thief, but we still lock our door. Why? Because we don’t want to make it easy for a burglar to enter, and the same is true for cyber security. Our businesses need to focus on their cyber security fundamentals – the ‘blocking and tackling’ of cyber hygiene where we keep our virtual doors and windows locked. This not only encourages hackers to move on to their next, easier target, but it makes sure that your security team has time to focus on the ‘serious’ threats to your organization by blocking the easy attacks before they ever happen.
The next step is education. According to Champion, “Knowledge goes a long way. We need to educate people, teach them the basics.” Champion spends a lot of time teaching classes and speaking at conferences to spread awareness of the dangers of cyber-attacks. When asked about the specifics of his job he states, “My job is not to do cyber security for everybody, my job is to enable you [users]. I want to teach and enable you so that you become part of the solution for everybody instead of just one digital hole that I’ve plugged. Cyber security will never be successful if people are not willing to learn.
“From a corporate standpoint, information security teams need to make sure that the business owns cyber security. We are here to help the business; cyber security is not a speedbump to slow you down. Cyber security is just the guardrails making sure that you are not driving off the cliff. Where and how fast you go is the business’ responsibility, but cyber security’s job is to make sure that you can get there safely. Everyone needs to be a part of that effort – cyber security is a team sport.”
Cybercrime is real. Cyber security is the solution. Don’t let your company be held back from its full potential for providing a secure, dependable user experience.