Imagine trying to defend yourself against the most sophisticated modern military opponent with a moat and a drawbridge. It sounds ridiculous, but it is exactly what most companies are doing when it comes to cyberthreats.
Cyberthreats such as WannaCry commandeer the headlines for a week or so, a flurry of media attention arouses our collective consciousness, cybersecurity company stocks rise, and then, just as quickly, it all fades into the background noise until the next attack.
It's not that companies ignore the threat, but rather that they are simply not investing in the right strategies to mitigate the risk. Their cyberstrategies are outdated. In short, when it comes to cybersecurity, many of us are defending against yesterday's enemy.
Defending Isn't Enough
The stark truth is that we've barely begun to experience the magnitude of potential cyber risk. I'd estimate that if we stay on the current trajectory we are two to four years away from a disastrous global cyber event that will take most companies by surprise and finally act as a wake-up call to all of us: a 9/11-category attack that will have a serious impact on the global economy.
I'm not fear mongering. I've seen the potential up close, and if anything amazes me it's that it hasn't already happened. This isn't about predicting, it's about preparing.
That doesn't mean we can't change the trajectory, or at least bend its arc away from the worst-case scenario. But doing so means changing the way we think about cyberdefense.
The root of the problem is that most organizations still embrace an outdated mindset of "perimeter" defenses as the exclusive means of protecting themselves. With a perimeter defense you can draw a line around the assets you need to protect. This is the way we once fought wars and barricaded our crown jewels from the enemy. From Windsor Castle to NORAD's Cheyenne Mountain complex to Fort Knox, it's how the physical world works. No matter how large the area to be protected, it was still surrounded by a single set of defenses that created a perimeter, a border, a fortress, a wall. Post smart and diligent defenders around the perimeter and you were safe.
There's just one problem with that approach in today's world. The perimeter is gone.
Trying to define a cyber perimeter, whether it's a physical one around hardware or a digital one around software and data, is like trying to fight a war against terrorists. Yes, we can lock down our borders, use analytics to sniff out the bad guys, and send them back home. But in the end the only complete defense is one that also builds the capacity to detect and respond to the threat after it has breached the perimeter.
Far too many scenarios for dealing with cyberthreats end at the perimeter. Antivirus software, firewalls, passwords: pretty much everything we've come to think of as the last line of defense against cyberthreats is defending us against an old enemy. Today's enemy uses social engineering, human weakness, and the exploitation of extended ecosystems of partners and suppliers to get well inside the perimeter.
This is exactly what happened in the recent Verizon breach, in which records for some 14 million customers were exposed by a Verizon contractor, Nice Systems, on a misconfigured, publicly accessible Amazon S3 storage bucket. The now infamous Target breach, which by some estimates has cost the company close to half a billion dollars, began with network credentials stolen from its HVAC contractor. In neither case was the company's own perimeter broken from the outside; a trusted third party carried the exposure inside it. The reality is that the whole notion of "defending" creates an unrealistic perception of safety. If you can't accept that you will be breached, you aren't going to be able to protect your company from the real damage. Look at the cost of any significant cyberattack and it's almost always poor and unprepared damage control that accounts for the greatest weakness and liability.
The Cyber Ecosystem
So, what's the solution? It's not something you can simply buy or install, but you can start by changing the way you look at cyberthreats: not as something that exists outside a perimeter, but as an ongoing part of an ecosystem, one that is only accelerating in complexity and risk.
Ecosystems are inherently complex and constantly evolving networks of mostly symbiotic interactions between vast collections of partners and suppliers. We used to call these supply chains, but the image of a supply chain is very misleading. Chains are composed of a defined set of links. If each link is secure then so is the chain, and only the links that make up the chain are part of the process. An ecosystem has no permanently defined links. The partners, processes, and people that make up an ecosystem are constantly in flux and constantly subject to forces that cannot be predicted or fully protected against.
A great analogy is the way our immune systems fight off disease. Our bodies have good perimeter defenses, but we cannot exist without letting in all sorts of nasty bugs. Our bodies are constantly dealing with toxins, pathogens, bad bacteria, and cancer cells. The reason we do not all succumb to them on a daily basis is that our immune system is built to deal with the regular breach of the perimeter. I use this analogy because immunity is not the absence or deterrence of a threat; it is the explicit mechanism by which we recognize and eliminate a threat after it is inside us. That doesn't mean there won't be damage, but rather that you'll survive anyway.
"Ah, but wait," you say. "While I can't control my body's environment, I can control my partners! Let's just nail down the supply chain and make sure everyone plays by the same rules." That sounds easy enough, but in a free market it puts you at a distinct competitive disadvantage. The speed of innovation demands that we constantly reshape our supplier networks to meet the market's appetite and expectation for innovation, even as risk increases. Slowing down isn't an option if you want to survive and thrive.
The only way to win at this game is to build an immune system that can keep ahead of the threats. Here are four essential ways to do that:
1) Include a cyber expert in every conversation about your business that involves how technology will enable it.
I can hear you now: "Oh no, one more cook in the innovation kitchen, just what we need to slow us down." But that's only true if you don't integrate security into your innovation teams from the start. Bringing security in as a last stop before you implement an idea creates friction, constricts innovation, and increases cyberthreats.
For example, car manufacturers have been scrambling for decades to add connectivity to their vehicles. In their haste to innovate they have also created an enormous attack surface in connected cars. In 2015 two security researchers showed how a Jeep Cherokee could be commandeered remotely through its cellular Internet connection. In a graduate course I teach at Boston University, one of the most consistent themes of nearly every case study is that perimeter defenses alone cannot stop cyberattacks. I'm not saying perimeter defenses aren't important, but if your defenses stop at any perimeter you are leaving yourself vulnerable. Go back to my immune system analogy: if you want to innovate you have to accept the threat and learn to live with it.
In order to keep up with the pace of innovation you have to integrate cybersecurity into every part of your organization's business and innovation model. That way you won't find yourself suddenly playing catch-up after the fact to deal with a cyberthreat. In my experience the best prepared teams are the ones that have worked with cybersecurity from the outset and made it part of their organizational physiology.
2) Do relentless penetration testing and advertise your vulnerabilities without chastising people.
This is a tough one. Few companies actually stress-test their cybersecurity, and fewer still do it regularly. Again, we're not talking only about perimeter defenses. The key is to test how your organization will respond after the breach, when the enemy has penetrated the perimeter and is lurking among you. For example, in one case I teach involving the DOJ, the organization's culture had to change before the poor practices used to deal with the human failings that allowed potential breaches could be made transparent.
Again, to use the immune system analogy, our bodies only fully develop immunity when they are exposed to harmful pathogens. There's risk in that, but greater benefit.
So, why is this so hard when it comes to cybersecurity? Imagine sending regular simulated phishing emails that attempt to get your employees to click a malicious link. Many of us would proudly say we stopped the attack by not clicking; those who did click, and then realized their error, might very well look the other way for fear of being chastised for their mistake. The number that matters in such an exercise is not how many people clicked but how many reported it, and how quickly. Former White House CIO Theresa Payton often tells the story of how one of the toughest cybersecurity challenges she encountered was getting White House staffers to notify her when they lost a mobile device. Why? They were worried about how it might look. If they just waited, perhaps it would turn up. Of course a lot of bad things could happen while they were waiting. Yes, it's ludicrous, but it's how we humans behave.
To change that behavior you first need to acknowledge that it exists and then provide incentives for being transparent about it. At the same time, regularly remind people that cybersecurity consists not only of preventing attacks but also of dealing with the inevitable breaches openly and immediately. In my experience the best antibodies are the people, not the technology.
3) Make Cybersecurity part of your Board of Directors' agenda and practice board-level response scenarios regularly.
Yes, you really need to do this. Culture and priorities flow from the top down. If you are not looking at strategic decisions through the lens of the cyberthreats they pose, you will bake vulnerabilities into your culture, processes, and strategy. If we agree that breaches are inevitable, then it becomes critical to have in place a well thought-out and rehearsed plan for dealing with liability, insurance, ransom demands, PR and media, customers, analysts, law enforcement, and any other affected party.
And please don't tell me your business isn't at risk. Every business will experience an incident that threatens to shut it down or irreparably harm its brand. A widely cited figure holds that 60% of small and medium-sized companies that suffer a significant breach are out of business within six months, and according to Symantec, 43% of all attacks target businesses with 250 or fewer employees. Small companies are easy targets. The only question is when it will happen. Trust me, having your board scurrying about to figure out a response without prior practice is the last place you want to be.
Regular scenario-based planning exercises with your board and your executives will build confidence and readiness in dealing with breaches.
4) Deal with it.
I've found that all great leaders share an ability to go instantly from calm waters to category 5 winds. They do not dwell on "could have, should have," but deal with the hand they've been dealt. When Capt. Sullenberger made the split-second decision to ditch Flight 1549 in the Hudson, it was his ability to go seamlessly from "operations as normal" to the unwritten script of a water landing that saved the 155 souls on board. Had he taken just a few seconds more to curse the heavens, wonder "why me?" or hope the engines would spin back up, the outcome would have been horribly different.
But what's talked about less often is that Sullenberger's ability to do that was honed by a lifetime of focusing on safety and crisis scenarios. In his own words, "for 42 years, I've been making small, regular deposits in this bank of experience, education and training. And on January 15, the balance was sufficient so that I could make a very large withdrawal."
Being that prepared for a cybercrisis comes only from rigorous and regular scenario-based planning for how to react in a breach.
If you spend all of your time and investment on preventing the breach, you will never be ready for the ultimate test: dealing with the breach. And, unlike the minuscule probability of a flock of geese shutting down all of your engines over the Hudson, the likelihood of dealing with a cyberattack is as close to 100% as it gets.
The bottom line is that the rules have changed. No amount of investment can fully lock out cyberthreats. The enemy is no longer just on the outside; it's part of your ecosystem. Organizations that shift from simply protecting their perimeter to seeing their business as part of an ecosystem that is constantly under siege, from the outside and the inside, and that evolve to build immune systems to cope, are the ones that will survive to fight tomorrow's enemy.
The rest can just keep topping off the moat.