As I read across the Cyber security news headlines on a daily basis, there is one thing that is starting to become a recurring item: how on earth to get the C-Suite to understand the risks their organizations face.
There are many ideas and suggestions on this, and even I have written about it a couple of times. I have even read somewhere that firing the CIO and/or the CISO is simply not enough, and in some cases it may not even be the right thing to do.
But in the end, employees of a business or a corporation really can only learn by example, and setting this tone comes from the very top of the food chain. After all, if the senior-most management doesn’t care, why should the normal, everyday employees care either?
There is still a serious misconception out there among many companies: if they have not been hit with a Cyber-attack yet, the gamble is that they never will be. This is totally absurd thinking, and it is with this mentality that these organizations will find themselves at the mercy of a Cyber attacker. But you can’t blame this mindset on your employees. It all falls back again on the C-Suite.
In fact, one of the most highly recommended ways to get the C-Suite involved is to have them look at other companies in their own industry that have been hit by a Cyber-attack. But the key thing here is not just to study the attack, but to learn what went wrong and apply those same safeguards at their own companies.
Even the head of Cyber security at McAfee, John McAfee, laments the same thoughts: “[The C-Suite] should not only be looking at attacks they are getting, but also monitoring and analyzing attacks on other organizations to ensure they would be secure if targeted by similar attacks, because if others are being hit by a particular attack method, it could be just a matter of time before it affects your organization.” (SOURCE: https://www.computerweekly.com/news/252450894/Learn-lessons-from-attacks-says-McAfee-investigations-chief)
He also noted that a new trend is now occurring, in which even the most novice of Cyber attackers are joining the ranks of nation state actors to launch even more sophisticated hacks. The goal, of course, is to steal confidential information and data, but the real prize is financial gain, and lots of it.
A prime example of this is the recent attack launched by the Carbanak hacker group (more information about them can be seen at this link: https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested).
Using the concepts of Advanced Persistent Threats (APTs), they were able to target banks specifically in order to amass millions of dollars. The Cyber attackers involved were a mix of both individual hackers and nation state actors.
But many companies throughout the industrialized world do not understand which IT Assets are most at risk. In the end, though, that should not really matter, because everything should be considered to be at risk, in both the physical and the virtual world.
In fact, even the recent laws dealing with Cyber security are being crafted in such a way that they motivate companies to protect their mission-critical information and data. For example, rather than constantly reminding them of the huge financial penalties they could face, the laws are now encouraging businesses to think about the business side of it.
Instead of thinking, “Hey, I have to implement these controls, if not, I face an audit and serious fines” the shift is now “Hey, if I implement these controls, this will be a great selling point to my customers and even potential ones, because it clearly demonstrates that my company is being proactive in protecting what matters most – their personal information”.
In fact, the recent General Data Protection Rule (GDPR), just passed in the EU, is an example of this. While companies could be fined up to 4% of their net profits, there is also room in this law to give companies time to turn their Security model into a selling feature for their customers.
But there are other threats looming on the horizon, such as Cryptojacking. Although I have not written about it, I do plan to at some point. In the meantime, more information on it can be found at this link:
Also, another type of Cyber attack that has not received much media attention is one that uses the Remote Desktop Protocol (RDP). This is found exclusively on Windows based machines (primarily the server OSs), and it is where an individual can remotely log into another computer and work in the exact same kind of environment as if sitting at it.
But as far as I know, the remote connection is done in cleartext (just like the File Transfer Protocol – FTP), and the RDP connection that is created between the host and remote machines is not at all secure. In fact, it has become so serious that even the FBI and DHS have issued several warnings about using RDP.
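One practical thing a company can do about the RDP exposure described above is to watch its own Windows Security logs for remote desktop logons. The following is an added example written for this post, not code from the original or from any vendor; it parses constructed sample records (not real logs) laid out with the field names Windows uses for logon events (EventID 4624 for success, 4625 for failure, LogonType 10 for a remote desktop session, TargetUserName, IpAddress), flags successful RDP logons from outside an assumed set of internal address ranges, and counts repeated RDP logon failures per source address. The internal ranges and the failure threshold are assumptions for the example.

```python
"""Flag Remote Desktop (RDP) logon activity in Windows Security events.

Windows records a successful logon as event 4624 and a failure as 4625;
LogonType 10 (RemoteInteractive) is the value used for RDP sessions.
"""
import ipaddress
from collections import Counter

# Constructed sample events in a flattened key=value form (not real logs).
SAMPLE_LOG = """\
EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.0.5.12
EventID=4624 LogonType=2 TargetUserName=jdoe IpAddress=-
EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.7
EventID=4625 LogonType=10 TargetUserName=root IpAddress=198.51.100.7
EventID=4625 LogonType=10 TargetUserName=guest IpAddress=198.51.100.7
EventID=4625 LogonType=10 TargetUserName=backup IpAddress=198.51.100.7
EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.45
EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=10.0.5.12
"""

# Address ranges treated as "inside" the organization (an assumption for this example).
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

RDP_LOGON_TYPE = 10
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625


def parse_events(text):
    """Turn key=value lines into dicts with typed fields; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        events.append({
            "event_id": int(fields["EventID"]),
            "logon_type": int(fields["LogonType"]),
            "user": fields["TargetUserName"],
            "src_ip": fields["IpAddress"],
        })
    return events


def is_internal(ip_text):
    """True when the address parses and falls inside one of the internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # Local/console logons carry "-" instead of an address; treat as not internal-routed.
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def rdp_logons_from_outside(events):
    """Successful RDP logons whose source is not an internal address: (user, ip) pairs."""
    return [
        (e["user"], e["src_ip"])
        for e in events
        if e["event_id"] == LOGON_SUCCESS
        and e["logon_type"] == RDP_LOGON_TYPE
        and not is_internal(e["src_ip"])
    ]


def rdp_failure_sources(events, threshold=5):
    """Source addresses with at least `threshold` failed RDP logons, with their counts."""
    counts = Counter(
        e["src_ip"]
        for e in events
        if e["event_id"] == LOGON_FAILURE and e["logon_type"] == RDP_LOGON_TYPE
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, ip in rdp_logons_from_outside(evs):
        print(f"RDP logon from outside the network: user={user} source={ip}")
    for ip, n in rdp_failure_sources(evs).items():
        print(f"Repeated RDP logon failures: source={ip} count={n}")
```

On the constructed sample this reports one successful remote desktop logon from an external address and one source address with six failed attempts against several account names, which is the kind of signal that should reach whoever owns the decision about whether RDP needs to be reachable from the internet at all.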
My thoughts on this?
Although the concept of actually taking the time to understand what has happened to a company that has been a victim of a Cyber attack, and applying what has been learned, seems simple, it is hardly ever done at the level of the C-Suite. In my opinion, these Execs think that they just do not have the time to worry about it; all that matters is cost containment and the bottom line.
Well, hello Mr. C-Level Exec: if you are hit by a Cyber-attack, not only will that cost you dearly, it will also totally wipe out your bottom line!
In one of the webinars that I recently transcribed for a client, there was talk that Boards of Directors are now directly engaging the C-Suite about the steps they are taking to fortify their businesses. But part of this discussion must also revolve around studying other victims of Cyber-attacks, and applying what they have learned and the new security measures they have taken.
Perhaps this kind of discussion should be made into one that happens regularly. Maybe then, with fingers crossed, the C-Suite will finally understand that they too can become victims of a Cyber-attack. Remember, another misconception about Cyber-attacks is that they have to be super sophisticated in nature, like Ransomware.
They don’t have to be. Even the simplest threat vector, like a Trojan Horse, can leave a devastating impact in the end.