The 5th Dimension - Cybersecurity
Gaurav Agrawal
Technology and Transformation Sales Leader | Trusted Advisor to Financial Institutions
To respond to what is perhaps the most potent threat today to a country's future, many nations have added a 5th dimension of warfare, CYBER, to land, air, sea and space. But this new theatre of war is like none we have experienced. For one, you don't need billions of dollars, many years of development, or even a large workforce to gain superiority: a few really smart women or men can wreak havoc on a nation's infrastructure. Another is that a cyber attack transcends our normal notions of geographical boundaries. And increasingly, cyber attacks are directed not only at nations but at their people and their companies, with few rules of engagement governing such warfare. In this article I spend some time discussing Cybersecurity in the context of companies.
A breach of a company’s cyber perimeter can have the following negative consequences:
- Material – for example, loss of information such as trade secrets, or the crippling of an organization's business due to an attack on its network or websites
- Reputational – loss of reputation and trust from customers and partners, eventually leading to loss of business
- Legal – exposing an organization to lawsuits, which result in legal fees and possible punitive damages. This is especially true when a breach has resulted in loss of PII (Personally Identifiable Information)
Cyber attacks on an organization can be classified under three broad categories:
- Information - the objective of criminals is to steal secure and non-public information, for example credit card numbers, which they can resell later
- Availability - the purpose is to impact the availability of an organization's infrastructure. This is typically done through a DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack, in which cyber criminals inundate a company's network (for example, its website) with requests, placing a severe, out-of-the-ordinary burden on it and rendering the network inoperable
- Integrity - the objective here is to destroy information assets, or to create malware / viruses that damage the company's computers or network
It is also important to note that a cyber attack can come both from within the organization and from outside. And a typical cyber intrusion is detected months after the fact, thus exposing the organization to a prolonged breach before the intruders can be thwarted. Another nuance, for consulting and services organizations, is the possibility of an employee compromising the information security of a client's infrastructure, which in turn can result in severe reputational, material or legal damages.
So how can companies prepare for this new normal of cyber attacks? A few suggestions are below:
- Culture – Many cyber intrusions are made possible by criminals exploiting the ignorance of a firm's employees. Emails purporting to be official and authentic, known as phishing, lure the unsuspecting employee into sharing information such as user ids and passwords, or into clicking on links that pass information along without the employee's knowledge. However, organizations have been slow to build awareness amongst employees, partly because they have yet to experience a devastating cyber incident. The need to build awareness, drive behavior and build culture is paramount and needs to be done in a structured manner
- Third Party Risk Management (TPRM) - What do the following attacks have in common: Target, where 40 million customer accounts were compromised; JPMC, where the information of 70 million households and 7 million small businesses was compromised; and Home Depot, where 56 million credit / debit card records were stolen? All these attacks were conducted using vulnerabilities in these organizations' third parties. By some estimates, large financial institutions in the US have on average 20,000 third party relationships, thereby exposing them to 20,000 points of weakness. TPRM, also referred to as vendor risk management, addresses one of the most potent sources of vulnerabilities, and therefore an organization must have a very clear policy and procedure on how information and network access is shared with its third parties
- Detection and not just Prevention - There are only two kinds of organizations: those that have been hacked and those that don't know yet that they have been hacked. Such paranoia is definitely helpful when it comes to cybersecurity. For example, the Home Depot breach happened in April 2014 but was only detected in September 2014! Therefore periodic vulnerability tests should focus not only on breaking the firm's cyber perimeter but also on detecting a breach that may have already happened and is yet to be discovered
- Elevate the conversation to the boardroom - This is no laughing matter. The Target hack resulted in the resignation of their then CEO. A cybersecurity incident can result in severe reputational and legal damages that can put the company out of business very quickly. Therefore cybersecurity needs to be part of every Board's agenda, and an organization must put in place the right leadership to effectively manage its cybersecurity
The world we live in is evolving at a very rapid pace, and so are the cyber threats we face. The exponential growth of the Internet, Cloud, Internet of Things, Mobile and other smart technologies is enabling firms to make more profits from more avenues, but at the same time it is dramatically increasing the interconnectedness of these firms with other firms and with people. This creates a dramatic growth in the probability of a cyber attack, with increasingly dire consequences. Therefore there is an even greater urgency to address Cybersecurity, and to address it with deep rigor.
Be Safe. Be Secure and May the Force be with you!
Good write up
LinkedIn Top Voice | Associate Director-KPMG | Business Consulting | Digital Transformation Program Manager GRC | MBA IIM Calcutta | PMP | CSM, SAFe Certified | Consulting Expert (Views are on personal capacity)
8 years: Nice blog Gaurav... Good read
A driven and passionate leader with belief in the power of transformation and managed disruption, balancing a results driven approach with a collaborative style.
8 years: Nice blog post Gaurav!
Software Engineer (Leadership) @ Meta | Writing about recommender systems
8 years: Very nice post Gaurav Agrawal. In the industry I have specialized in, Machine Learning based Trading, even though it is only tangentially exposed to outsiders, I have known of instances of security failures. On a larger scale, we have started seeing high security failures, like the billion dollar heist last month involving the Federal Reserve System. The problem is also that covering all the holes of a system is not as easy as it sounds. We are not hardwired to think in terms of failures. I remember how Mansi Singhal used to construct a trade by looking at all the ways it can fail. It seemed like such a pessimistic way of looking at things. But as a trader one knows that only by enumerating all the risks and making sure one is covered, can one truly be convinced of the bet.