Guarding Against Cyber Snooping

Spying is not like the movies. From Bridge of Spies to 007, state-sponsored espionage is no longer confined to the treasure troves of government secrets. Today’s biggest threat actors, backed by powerful state-sponsors, have set their sights on private industries, and there is no going back.

As the US government continues to utilize innovations from the private sector, these companies become ideal targets for foreign espionage. Today’s unprecedented amount of data swimming on corporate hard drives has given malicious actors ample economic and security incentives to infiltrate private industry.

No innovator is too big or too small to be a victim of cyber espionage. State-sponsored hackers are actively working to cannibalize the technology that powers our economy. In doing so, they help their nation-state patrons leapfrog toward technological breakthroughs, saving them time, brain power, and research dollars at the expense of your enterprise. State-sponsored hackers are also tirelessly engaged in activities to steal secrets from the United States’ leading defense contractors in an effort to both replicate and neutralize the nation’s most advanced weapon systems.

These potentially catastrophic scenarios are not hypothetical; they are real and happening even as you read this article. Private industry executives should learn from the government’s experience in defending against these attacks and take comfort in knowing that these threats can be minimized, largely with a few commonsense actions.

1. Awareness is a critical first step. Innovators across all sectors and of all sizes must recognize that they are targets. While companies know they may need to amplify cybersecurity precautions prior to a merger or acquisition, this level of vigilance should be employed at all times. Cybersecurity is not about buying an expensive tool to deploy on your network – it’s about developing long term strategies to minimize risk and maximize corporate resiliency in the event of a data breach.
2. Having the proper staff in place comes next. Too often the responsibilities of threat awareness and security fall on the shoulders of IT practitioners. C-suite executives unfamiliar with the nuances of cyber infrastructure often conflate programmers, coders, and other IT professionals with cybersecurity specialists. In reality, most IT practitioners are not trained security engineers. Asking an IT practitioner or IT generalist to handle cybersecurity is akin to asking an electrician to repair your plumbing problem. Cybersecurity cannot be relegated to a simple line item in an IT budget. Instead, seek to hire an in-house cybersecurity expert or partner with a cyber consultancy. Doing so is an investment in your company’s long-term wellbeing and success.
3. Company-wide vigilance is also important. Executives have the power to stimulate an open and honest cybersecurity dialogue within all facets of the company. Employees should not be shamed for exercising insufficient cyber hygiene but should instead be educated on how to best protect themselves, their coworkers, and the collateral they work hard to produce. For employees who may not be tech savvy, framing cybersecurity as a business concern rather than an IT problem contextualizes the issue in a more familiar and tangible way.
4. Information sharing across enterprises can be hugely beneficial. While there used to be a stigma surrounding cybersecurity breaches, the prevalence of cyberattacks in today’s digital environment means that companies cannot afford to isolate themselves. Sharing information on Indicators of Compromise (IOC) is paramount to the success of both individual companies and sectors at large. If you are a target, your competitor down the street is too. It would behoove companies to institutionalize explicit yet secure channels of communication devoted to collaborating against common adversaries.
5. Finally—and perhaps most importantly—the concept of least privilege should be strictly enforced. Compartmentalizing sensitive information is imperative to your company’s cyber hygiene. In order to ensure employees do not jeopardize this data—whether willfully or accidentally—each should only have access to the information that directly pertains to his or her day-to-day responsibilities. Should a hacker ever compromise the system of one employee, this security measure would deny them the freedom to move laterally throughout your enterprise network—dramatically narrowing the scope and blast radius of damage they would be able to inflict.

Cybersecurity may seem like a daunting undertaking, but these basic best practices may dramatically improve your company’s information security. The consequences are too great to do otherwise.