The days are over when you could simply install software to block cyberattacks. If malware did get through, you just cleaned it and moved on or made sure employees didn’t access the wrong systems. That was information security.
Today’s companies are burdened with a task that was formerly that of the military and government, defending themselves from today’s exponentially more sophisticated attackers. Today’s adversaries are cunning, determined, and as happy to take down a small target as a large one.
Although the enemies have changed, many companies are just realizing that their defense postures haven’t. The technology they’ve deployed is a patchwork, consisting of solutions from multiple vendors that don’t work together.
In the current environment, we’re seeing more complex attacks that employ sophisticated tactics even against smaller targets. Here’s a great example: I received a call from our intelligence team informing me that they had intel that a mid-sized company had been compromised. The attacker had control of all the company’s systems and was trying to sell the company’s confidential data on the Silk Road, an online black market that transacts business on the dark web.
If the company didn’t pay the ransom in 24 hours, the attackers threatened, they would encrypt its data and demand payment for them to decrypt it. Not wanting to give in to the attackers, the company didn’t pay them. No one in the black market paid for the data in the 24 hours, and the attacker simply walked away. The ransomware campaign was launched, and the ransomware encrypted the customer’s entire data hoard.
The problem was that although the company was equipped with good security products, it had no cyber defense program. No one had even considered it. Ultimately, the company suffered greatly and spent months trying to recover.
WannaCry is another example. In that case, the hackers took advantage of a security vulnerability that was still exposed at a lot of companies. The problem was something that a standard information security program might have allowed to slip by for a time or go completely unaddressed. For companies with strong cyber defense programs, including defenses against attacks like WannaCry, the attack had no effect.
Why were so many companies caught off guard? We spoke to people at a great many of them that week and almost all were baffled about what the attackers were doing and how the companies might have protected themselves.
Although many organizations are striving to keep up with such threats, there are too many where key executives don’t understand that cyber defense is not the same as a security program.
The problem extends not only to C-level executives who are not responsible for security but also to those who are. What was formerly a good security program isn’t designed to provide the type of protection required to foil sophisticated attackers. Companies need a more global view of attackers’ tools, tactics, and procedures, regardless of the companies’ sizes. There is no way, however, to hire the skill sets and team size needed to keep up with all the different attack groups and government-sponsored adversaries.
Cyber defense really requires a change in mindset. Leaders need to truly accept that their organizations are under attack. That means understanding that there are many reasons they might be targets.
But acting as if their companies are too small or lack the visibility to interest hackers is naïve. Accepting this reality will change the measurement used to calculate financial risk models.
A lot of the problem is that most non-IT C-level executives don’t have the time to properly educate themselves on cyber defense. Financial trade organizations should focus more on informing CFOs and their peers about cybersecurity. For their part, CFOs should make time for top-tier vendors to present to them just as they present to their CTOs.
In short, we need to get the message through that company-wide cyber defense is more important than mere information security.
Bob Shaker is a senior manager for cyber security services product management at Symantec.