“There are two kinds of companies out there: those that have been hacked, and those that don’t know it yet.” This timely reminder from former FBI Director Robert Mueller holds as much water now as it did when he first said it in 2012. With so much attention trained on Russian cyberattacks targeting the US electoral process, it has never been more important to underscore the underlying threat to the private sector, which has grown substantially in the past several years. For those familiar with the threat landscape, cyberwarfare is not a new phenomenon or a concern exclusive to governments. Companies have been, and will continue to be, targeted by hackers with increasingly advanced capabilities. Welcome to the new normal.
Increasing connectivity, the democratization of hacker tools, and an expanding underground economy for stolen data have converged to spur a revolution. The most banal pieces of information can have enormous value in the hands of the right entity, and the demand for middlemen to facilitate the arbitrage has led to a flourishing market for hackers and their skills.
To an investment-savvy hacker, a stolen email between an attorney and his client could mean a multi-million-dollar windfall in the stock market if the message pertains to a yet-undisclosed merger or acquisition. To a foreign competitor in the Asia-Pacific region, an American pharmaceutical’s proprietary drug formula could be the key to breaking into a new market. To a con artist, $100 for a cache of stolen medical data could turn into $5,000 if he can manipulate a patient into wiring him money for specific outstanding charges pertaining to a hospital stay.
Unfortunately, in the first example, the breach undercuts the acquirer’s buying power and stock price while the law firm’s reputation takes a considerable hit. In the second example, the hundreds of millions of dollars invested in drug research turn out to have been for naught when the Asian competitor introduces a cheaper version in the American market. In the last example, the hospital that lost the patient data is hit with massive fines for HIPAA violations.
Sophisticated attackers do not discriminate by size, industry, or prominence when picking their targets. Oftentimes it is the small or mid-size firm with minimal defenses but still replete with valuable data – the “slowest zebra in the herd” – that offers the biggest returns for hackers. And while the most advanced cyber threat still comes from well-resourced nation-states with literal armies of engineers, it is crucial to remember that governments don’t always reserve their capabilities for use against other governments. Sony Pictures, Yahoo Inc., and the Ukrainian Kyivoblenergo electricity distributor are all private entities that have been targeted by nation-states. The bottom line is that everyone is a target, and the threat is real.
That threat became much more acute in August 2016 when an obscure group called the Shadow Brokers released online a cache of cyber weapons developed by the United States’ electronic spying entity, the National Security Agency. While the means by which the Shadow Brokers obtained this so-called ‘toolbox’ is unknown, what is clear is how dangerous a development this is for the corporate world. The US government presumably spent hundreds of millions of dollars producing these weapons and, unsurprisingly, they are extremely potent. Designed to discreetly infiltrate the networks of some of our most sophisticated adversaries, they make short work of many commercially available firewalls and other security features. Now they are out there for anybody to use.
Combined with the already-burgeoning market for stolen data, the NSA tools paint a disturbing picture not just for information security leaders, but also for executives. Data breaches can have tremendous financial, reputational, and legal consequences. This is compounded by the fact that many forms of malicious software are incredibly difficult to detect once inside your network. The average malware remains undetected, doing damage or exfiltrating data, for up to 200 days. Wishful thinking is no longer an effective security posture in 2017.
Instead, corporate executive leadership must be proactive when it comes to cybersecurity. First, they should foster a security-conscious corporate culture, which can go a long way toward ensuring every employee is doing his or her share. This is crucial since everyone – from an office manager to the CEO – is a potential attack vector into a network. Second, leadership should develop a comprehensive cybersecurity policy complete with contingency plans, communications, and response strategies, which can eliminate ambiguity and allow for more effective responses to security breaches. Third, they should equip information security and technology teams with the resources necessary to take the appropriate defensive measures, such as penetration testing and network security architecture reviews. Fourth, decision-makers should utilize physical threat analyses to gain crucial visibility into the kinds of motivations and tactics potential attackers might use on their industry or their company specifically. Finally, instituting simple and inexpensive fixes – the low-hanging fruit – like multi-factor authentication and strong password requirements can bring an organization in line with security best practices, and potentially deter hackers looking for easier targets.
Fortunately, this new normal of advanced threats facing the private sector, while serious, does not necessarily need to adversely affect operations. It simply reflects changes in the business and security environments, and forward-thinking executives can turn these threats into opportunities.