The recent escalation of tension in the Middle East has brought the threat of nation-state cyberattacks back to the forefront for many business owners. In a course on Cyber Leadership that I teach at Boston University, the most important point I try to drive home is that while the news cycle may ebb and flow, when it comes to cyberattacks the threat is persistent and nobody is immune from it.
Still, the number of businesses I find unprepared for a cyberthreat is astounding, especially when you consider the often-cited estimate that 60 percent of small businesses that suffer a significant breach are out of business within six months.
The solution starts by changing the way you look at cyberthreats: from something that exists outside a perimeter to something that is an ongoing part of how you manage your business.
A great analogy is our immune system. Our bodies have great perimeter defenses, but we cannot exist without letting in all sorts of nasty bugs. Our bodies are constantly filled with toxins, pathogens, bad bacteria, and cancer cells. The reason we do not succumb to them on a daily basis is that our immune system is built to deal with the breach of the perimeter.
The only way to survive the persistent threat of a cyberattack is to build an immune system that can keep ahead of the threats. Here are four essential ways to do that:
1. Include a cyber expert in every conversation about your business that involves any discussion of how technology will enable it.
I can hear you now: "Oh no, one more cook in the innovation kitchen. Just what we need to slow us down." But that's only true if you do not integrate security culture into your innovation teams. Bringing in cyber as a last stop before you implement an idea will create friction, constrict innovation, and increase your exposure, because by then the design decisions that matter have already been made.
For example, car manufacturers have been scrambling to add levels of connectivity to their vehicles for decades. But in their haste they have also created enormous vulnerability in connected cars. In 2015, researchers Charlie Miller and Chris Valasek showed they could remotely commandeer a Jeep Cherokee, including its steering and brakes, through its cellular-connected infotainment system. It's simply impossible to use perimeter defenses to stop all cyberattacks. Think back to my immune system analogy; if you want to innovate you have to accept the threat and learn to live with it.
2. Do relentless penetration testing and share the findings openly, without chastising the people involved.
Few companies stress test their cybersecurity. Fewer still do it on a regular basis. And most of those that do stop at the perimeter. The key is to test how your organization detects and responds after the breach, starting from the assumption that the bad guys have already penetrated the perimeter.
Again, to use the immune system analogy, our bodies only fully develop immunity when they are exposed to a harmful pathogen. There's risk in that but greater benefit.
You first need to acknowledge that unsafe behavior exists in your organization, and that people will only report it if doing so is safe. To change that behavior, regularly remind people that cybersecurity consists not only of preventing attacks but also of dealing with breaches openly and immediately, and that the second part is the bigger one. In my experience, the best antibodies include people, not just technology.
3. Make cybersecurity part of your board of directors' agenda and practice board-level response scenarios regularly.
Culture and priorities flow from the top down. If you are not looking at strategic decisions through the lens of the cyber risk they carry, you will bake vulnerabilities into your culture, processes, and strategy. If we agree that breaches are inevitable, then it becomes critical to have in place a well-thought-out and rehearsed plan for dealing with liability, insurance, ransom demands, PR and media, customers, analysts, law enforcement, regulators, and any other affected party.
Doing regular scenario-based planning exercises with your board and your execs will create confidence and readiness in dealing with breaches.
4. Deal with it.
When Captain Sullenberger made the split-second decision to ditch flight 1549 into the Hudson, it was his ability to seamlessly go from "operations as normal" to the unwritten script of ditching in the Hudson that saved the 155 souls onboard. Had he taken just a few seconds more to curse at the heavens, wonder "why me?" or hope the engines would spin back up, the outcome would have been horribly different.
What's not talked about as often is that Sullenberger's ability to do that was honed by a lifetime of focusing on safety and crisis scenarios. In his own words, "for 42 years, I've been making small, regular deposits in this bank of experience, education, and training. And on January 15, the balance was sufficient so that I could make a very large withdrawal."
Being that prepared for a cybercrisis only comes from rigorous and regular scenario-based planning for how to react in a breach: who decides, who speaks, who calls whom, and in what order.
The bottom line is that no amount of investment can prevent every cyberattack. The enemy is no longer just on the outside; it's part of your ecosystem. Organizations that make the shift from simply protecting their perimeter to treating their information systems as an ecosystem that is constantly under siege, from the outside and the inside, and that evolve to build immune systems to cope, are the ones that will survive to fight tomorrow's enemy.