Each morning, after booting up my laptop, grabbing a cup of coffee and checking my email, I read the latest cybersecurity news from the Wall Street Journal (WSJ Pro Cybersecurity). If you are in the IT industry, especially focused in Cybersecurity, I highly recommend subscribing. One morning a particular article caught my attention. The article, “Angry Shareholders to Seek Proof of Prudent Cyber Tactics,” touched on the public’s growing intolerance of personal data breaches by major U.S. corporations. The article discussed the $29M settlement stemming from the Yahoo data breach that took place a couple of years ago.
According to WSJ Pro Cybersecurity reporter Adam Janofsky, because of this settlement, “board members and senior executives are now vulnerable to charges of shirking their fiduciary responsibilities.” These cases are known as derivative lawsuits. The Enron case was another such example as shareholders claimed that senior executives had lied on the SEC filings by inflating the stock value.
Shareholder claims of misrepresentation or malfeasance by senior executives is often what you see at the start of a derivative suit, states Janofsky. “Although many such lawsuits exist, we’ve seen few that follow a cyber-attack; and until now, we’ve seen none that resulted in a cash settlement.” With the precedent now having been established with the Yahoo breach, the WSJ expects the settlement to open the floodgates for future litigation.
Working for a huge IT distributor, such as Tech Data, I am able to get a different perspective on what is going on out there in Corporate America as it relates to cybersecurity. With over eight thousand security partners, the expansiveness of our global footprint avails us to the latest issues, efforts and solutions in data security and cyber awareness initiatives. Our position also involves us with one of the gurus of cybersecurity training, David Stelzl, CISSP. Stelzl works directly with IT companies in the trenches trying to protect their customers from attacks. When working with end-user customers, Stelzl repeatedly hears the same message, “we’ve got it covered.” Surprisingly, this litany of denial comes not from the top, but directly from the ‘source’ – the companies’ IT departments. The data, however, tells a different story; most organizations absolutely do NOT have it covered.
Positive Words – Negative Results
Stelzl attributes the “we’ve got it covered” mentality to people’s jobs being on the line. As the CIO or CISO in a board meeting, if the discussion turns to what types of security risks or exposures the company is up against, your response should highlight areas that need to be improved, along with quantifiable risk for not implementing, so that senior executives and board members clearly understand the implications and opportunity cost. Unfortunately, the response is often some variant of “we are on top of it” or “we’ve got it covered.” Hearing this, corporate leadership is convinced that all is being done that can be done to protect the organization. But is that really enough?
Negative Words – Positive Results
Now consider the converse. The CIO/CISO tells the Board, “If someone decides to target us, we’re screwed.” Although likely to be stated a little more tactfully, the messenger’s concern is no less diminished. The fear is that he or she will likely lose their job with the-not-so-subtle-message that telling the truth about the company’s vulnerabilities will get you canned. In actuality, identifying them gives the organization a fighting chance to correct things and potentially avoid massive penalties; even possible jail time.
The fact is, everyone is being targeted, small businesses included. Most don’t even have a clue they’ve been compromised. Hackers get in and for months¬ ¬¬¬–even years– inconspicuously syphon off what they’re after. Most are never even discovered
Rethinking, the “We’ve Got it Covered” Mindset
“We’ve got it covered” should be restated as: “We are doing things to protect the organization to the extent our abilities and knowledge allow us.” This is a much more accurate statement. It allows room for self-assessment and an on-going evaluation of operational gaps, with the underlying acknowledgement that protection is not fixed; rather a state of continuous improvement, based on known threats. To achieve this, an objective outside assessment should be undertaken to identify system vulnerabilities - EVERY company has holes.
One role of boards and business leaders is to protect the business. Hearing an IT department claim “we’ve got it covered” should be a red flag. It might be time to circle the wagons as no one, and I mean no one, truly has it covered. Many companies are leaders in how they have implemented security measures to reduce risk. Understanding that risk cannot be completely eliminated, the goal should be to reduce risk to an “acceptable level.” Articulating what that level is implies the ability to quantify risk – a capability elusive to most. Tech Data’s RECON™ Risk (powered by Arx Nimbus) helps organizations address this, however.
Looking at cybersecurity holistically is critical, as most of us know. The National Institute of Standards and Technology (NIST) created the Cybersecurity Framework to help us all look at security holistically. The framework consists of five areas: Identify, Detect, Protect, Respond and Recover. All five areas are important, but what we consistently see are companies focusing only on two or three areas; neglecting the others. To help put this into perspective, consider a barstool - remove one of the legs and the stool (and you) fall down. It’s no different when organizations invest heavily in a couple areas of the NIST Framework while ignoring the others. The two most neglected areas within an organization’s cybersecurity strategy are Respond and Recover. Failing to address these two areas is a very risky venture.
Brett Scott, Tech Data’s Director of Security Solutions Development is also the founder of the Arizona Cyber Warfare Range, one of the premiere training grounds for ethical hackers. As one of the world’s most renowned hackers, he and his team of ethical hackers assist the U.S. government and military in a variety of classified projects.
Recently, Brett shared an analogy with me on being protected - think of cybersecurity as having your car parked in a huge, crowded parking lot, full of other cars and trucks. Before leaving your parked car, you have several choices to make:
- You can leave the doors locked or unlocked.
- You can take the keys with you or you can hide them inside the car where they could be found.
- If you really want to tempt thieves and make their job easy, you can leave the keys in the ignition.
Believe it or not, #3 is what most companies today are doing and sadly, they are completely unaware that they’re doing this. They think they’ve “got it covered.” Because of this false sense of security companies are not seeking the expertise required to identify and close the gaps in their systems.
Brett recommends the following steps for protection:
- Have a qualified (ethical) outsider do an assessment to show you all the ways they found their way into your network. In essence, they’ll show you where you are vulnerable and exposed. Just like with a car, if someone really wants to break into your car, they absolutely can. A crowbar to the window and they’re in. So yes, lock the car and don’t leave the keys in the ignition, but also have a plan for what to do when the window gets bashed in and the car is being driven off the lot. What alarms will trigger? What procedures are in place to prevent the car from completely leaving the lot? What if the car thief does manage to leave the lot with the car? What actions will you take to retrieve the car before it is destroyed? These fall into the Respond and Recover areas of the NIST Framework and are hugely neglected. They are also arguably maybe the most important, when you realize that if someone really wants in, they will get in. Once they do get in, what are you going to do about it? That’s the key.
- If you are skeptical that a good hacker can break into your organization, hire a solid security company with good penetration testers and see what happens. They WILL get in!! The point is for them to show you WHERE they got in so the holes are addressed. This needs to be done regularly as systems change and software and hardware are added, deleted, or updated. It is an ongoing continual process. So if an ethical hacker can get in to your organization, what prevents a black hat (bad-guy) hacker from getting in? Nothing! If they really want in, they WILL get in. We “do not have it covered.” No one does!
- Don’t be low hanging fruit. There’s an old saying, “I don’t have to outrun the bear…I just have to outrun you.” In other words, don’t be a hacker’s first choice because your cybersecurity posture is so poor compared to others. Having said that, it’s vital to have systems in place to prevent and detect when we’ve been breached. Equally important is having the ability to respond and recover appropriately to minimize the damage once a breach does take place. Unfortunately, many companies don’t even realize they’ve been breached because they have no mechanism in place to know it has taken place.
Why These Steps are Often Not Taken
David Stelzl, the security guru I mentioned in the beginning of this article, and to whom I attribute much of the analysis discussed here, has a theory as to why many companies don’t take action to protect themselves, despite all the breaches making the news and the criticality of cybersecurity. He calls it the “Impact versus Likelihood Graph” and is covered in his book “The House and the Cloud: Building a Compelling Value Proposition Using Risk Awareness to Sell Technology.” We can talk about the financial impact and even quantify it with certain tools, but even then, organizations don’t often take proper steps. The reason? They believe the likelihood of it happening to them is so low that it doesn’t warrant making the necessary investment. That is until their company is hit with ransomware and their business critical systems are hijacked, forcing them to make the investment at an exponentially higher cost, if they are able to recover at all. Unfortunately, the data shows most companies don’t survive such breaches.
Stelzl teaches IT solution providers how to get at and communicate the likelihood of it happening to a particular organization and with both of those ingredients, the impact and the likelihood, executives are able to make more informed decisions. Make no mistake, the likelihood is high and there are an overwhelming number of statistics to prove it. Cybercrime is the fastest growing industry today. Marc Goodman, author of “Future Crimes: Inside the Digital Underground and the Battle for Our Connected World” goes into great detail around this. However, boiling it down to a prescriptive solution, specific to the organization, covering both the impact and the likelihood is critical in guiding companies and moving them to take the proper steps, states Stelzl.
We can no longer afford to have the mindset: “we’ve got it covered.” It is now critical for senior management and the board to be able to show proof they had a plan in place and handled things prudently when a breach occurred. Shareholders are now not only suing for damages, but they are starting to win. If you can’t prove in court that you were prudent in cybersecurity for your organization, be ready to shell out some hard dollars, similar to Yahoo, to the tune of $29M, as the Wall Street Journal states, “the flood gates have now been opened.”
As one of the world’s largest IT distributors, Tech Data partners with over eight thousand companies in delivering cybersecurity solutions. The expansiveness of our global footprint avails us to the latest issues, efforts and solutions in data security and cyber awareness initiatives. To find out how Tech Data can help your company protect itself against hackers and cybercriminals, visit www.techdata.com/security or contact us at email@example.com
About the Author
Jade Witte, prior to working for Tech Data as a cybersecurity Solutions Development Manager, has spent more than 20 years in the IT industry in various sales, sales management and executive roles. Most of his career has been working for national VARs, as well as Global Service Providers focused on providing solutions for mid-size to Fortune 500 customers in IT security, networking, data storage, unified communications and cloud computing. What’s more, Jade founded a successful software development company that was one of the early pioneers of Software-as-a-Service (SaaS). He’s been recommending IT security solutions to customers his whole career. Jade is very concerned about the rapid growth and impact of cybercrime globally and passionate about the need for effective cybersecurity in businesses today.