In 2013, Target Corporation was hacked. Soon thereafter, its Chief Information Officer, and Chief Executive Officer of 35 years, were fired.
Two years later, in 2015, Sony Pictures was hacked. Among the embarrassing details, a long history of Chairwoman Amy Pascal’s personal emails were leaked. She was let go of immediately.
Two years after that, 2017, Equifax Incorporated was hacked. The company’s CIO and Chief Security Officer both “retired” in its wake. Richard Smith, arguably the most successful Chief Executive in the company’s history, also “retired” shortly thereafter.
One could go on and on with stories like these. Corporate hacks over the past decade have, increasingly, been laid at the feet not just of IT personnel, but executives. There is a debate over whether such cases of blame are warranted, but it almost doesn’t matter. Hacking is ubiquitous in business and industry today, and it’s everybody’s problem. Executives, in particular, tend to be on the chopping block when push comes to shove.
Most high-level decision-makers won’t have the broad technical training necessary to attack their company’s cybersecurity head-on. However, one can reduce risk in an organization by instituting some simple best practices. Here are a few tips to get started:
1. At least do the bare minimum
During January 15th and 16th, 2009, French Navy Dassault Rafale planes were grounded when a virus hit their operational computers. The virus, called Conficker, prevented the planes from downloading their flight plans, and so they had to wait until the virus was rid before taking flight as usual.
How could this virus have penetrated a major nation’s Navy? It turns out that those computers hadn’t updated their operating software, despite public notice from Microsoft.
It’s remarkable how often companies fail to do the simple, bare minimum when it comes to cyber security. Purchasing antivirus, setting up firewalls, updating software and operating systems. These are simple measures that even ordinary computer users often know to do for themselves, and yet organizations with millions of dollars worth of property, information and money on the line overlook them.
2. Stop thinking about tech, start thinking about people
When Target was hacked in 2013, the company had three, separate antivirus systems in place: from FireEye and Symantec, two leading cybersecurity firms, and a team in India that monitored their computer systems 24/7.
That Indian team had, in fact, notified Target HQ when the breach occurred. No further action was taken, though. The FireEye program immediately sent red flag notifications to Target system administrators. As the attack progressed, so did the warnings. None of them, unfortunately, were heeded. The Symantec software running on those same systems had a built-in feature that could delete malware upon first detection. In this case, that feature was turned off.
It may appear simple enough, that more defences equals more protection. That is, in fact, not so, as Target learned the hard way. Having three antivirus systems running at the same time is like carrying three umbrellas in the rain: one would suffice, the others add little or nothing, and you’re approaching the problem in the wrong way.
Cybersecurity has, and always will, begin and end with people, not technology. People design malware, and people contract malware, computers are merely the vehicle of transfer. The Target hack began when one employee at a small, family owned HVAC business in Pittsburgh downloaded a malicious program from a spear phishing email. The series of events that ensued ended in millions of Americans’ credit card information being stolen. All because one person clicked on a seemingly innocuous email attachment.
And plenty of other human error occurred along the way: most notably, all of the Target executives and employees who failed to respond to the series of warning signs right in front of their eyes.
3. Invest in talent
No amount of security tech could’ve saved Target in 2013. Only competent people could have. This is the rule, not the exception.
Therefore, the most effective combatant against talented hackers are talented defenders. You don’t often hear news stories about companies with the best cyber security teams, and that’s by design. Only insufficient, incompetent teams ever make the news. If we’re to extend the example of Target 2013: it’s worth noting that the company, which in 2013 had 361,000 employees working under its roofs, had no Chief Security Officer. Its Chief Information Officer was, technically, in charge of cybersecurity at the company (whether she knew it or not). Having somebody to oversee all matters of cyber breaches could have, you’d imagine, prevented such an attack, or at least mitigated it.
4. Recognize that threats can come from anywhere
Malware can take the form of a virus, a worm, ransomware, a trojan, arriving on your computer via a USB drive, a disc, in a laced Word document attached to an unsuspecting email, or a SQL-injected webpage. There are far too many shapes and sizes malware can take, than can be described briefly here.
When an executive stands at the head of a conference room, they expect answers to questions. Many employees work very hard to come up with concrete, effective solutions to problems the company might be facing. In cybersecurity, this is not possible. Any digital information could, in theory, constitute a malicious attack. Therefore, there is no single answer to stopping all potential breaches. The executives at Equifax, the leaders of the French Navy, could patch up all the holes that lead to the breaches of their systems, and still be totally vulnerable in 1,000 other ways. This leads us to the next, perhaps most important thing of all to remember…
5. Know that there is no such thing as being fully “secure”
The word “secure” in the world of cybersecurity is equivalent to the phrase “world famous” in the world of pizzerias. You probably have a “world famous” pizzeria near your house, that your neighbour in the next town over has never heard of. Similarly, cyber defense companies often market their products as “secure”. The word means nothing. Security in cyberspace exists along a spectrum, and no such thing as complete security exists. Even the most secretive, offline, highly-guarded military networks are insecure in one way or another.
So if you’re a high-level decision-maker at your company, and an employee in IT tells you “our systems are safe,” they’re lying to you. If a third party tries to sell you their product by offering 100% protection, they’re selling you frontier medicine.
The harsh reality is that no digital system is ever fully out of reach of the right kind of attacker. All you can do is your best: to understand the scope of the issue, implement fundamental cybersecurity best practices, and fill your halls with talented and dedicated people. Even by giving enough thought to the problem as to seek out and read this article all the way to the end, you’re on your way to being ahead of the game.
