“There are two kinds of companies out there: those that have been hacked, and those that don’t know it yet.” This timely reminder from former FBI Director Robert Mueller holds as much water now as it did when he first said it in 2012. With so much attention trained on Russian cyberattacks targeting the US electoral process, it has never been more important to recognize the growing threat to private sector companies, which have been, and will continue to be, targeted by hackers with increasingly advanced capabilities. Welcome to the new normal.
Increasing connectivity, the democratization of hacker tools, and an expanding underground economy for stolen data have converged to spur a revolution. The most banal pieces of information can have enormous value in the hands of the right entity, and the demand for middlemen to facilitate the arbitrage has led to a flourishing market for hackers and their skills.
Real-life examples illustrate the point. To an investment-savvy hacker, a stolen email between an attorney and his client could mean a multi-million-dollar windfall in the stock market if the message pertains to a yet-undisclosed merger or acquisition. To a foreign competitor in the Asia-Pacific region, an American pharmaceutical’s proprietary drug formula could be the key to breaking into a new market. To a con artist, $100 for a cache of stolen medical data could turn into $5,000 if he can manipulate a patient into wiring him money for specific outstanding charges pertaining to a hospital stay.
Unfortunately, the first breach example undercut the acquirer’s buying power and stock price while the law firm’s reputation took a considerable hit. In the second breach example, the hundreds of millions of dollars invested in drug research turned out to have been for naught when the Asian competitor introduced a cheaper version in the American market. In the last example, the hospital that lost the patient data was hit with massive fines for HIPAA violations.
Sophisticated attackers do not discriminate by size, industry, or prominence when picking their targets. Oftentimes it is the small or mid-size firm with minimal defenses but still replete with valuable data – the “slowest zebra in the herd” – that offers the biggest returns for hackers. And while the most advanced cyber threat still comes from well-resourced nation-states with literal armies of engineers, it is crucial to remember that governments don’t always reserve their capabilities for use against other governments. Sony Pictures, Yahoo Inc., and the Ukrainian Kyivoblenergo electricity distributor are all private entities that have been targeted by nation-states.
The bottom line is that everyone is a target, and the threat is real.
That threat became much more acute in August 2016 when an obscure group called the Shadow Brokers released online a cache of cyber weapons developed by the United States’ electronic spying entity, the National Security Agency. While the means by which the Shadow Brokers obtained this so-called ‘toolbox’ is unknown, what is clear is how dangerous a development this is for the corporate world. The US government presumably spent hundreds of millions of dollars producing these weapons and, unsurprisingly, they are extremely potent. Designed to discreetly infiltrate the networks of some of our most sophisticated adversaries, they make short work of many commercially available firewalls and other security features. Now they are out there for anybody to use.
Combined with the already-burgeoning market for stolen data, the NSA tools paint a disturbing picture not just for information security leaders, but also for executives. Data breaches can have tremendous financial, reputational, and legal consequences. This is compounded by the fact that many forms of malicious software are incredibly difficult to detect once inside your network. The average malware remains undetected, doing damage or exfiltrating data, for up to 200 days. Wishful thinking is no longer an effective security posture in 2017.
Instead, corporate leadership must be proactive when it comes to cybersecurity. Here are six important steps:
- Foster a security-conscious corporate culture to ensure every employee is doing his or her share. This is crucial since everyone – from an office manager to the CEO – is a potential attack vector into a network.
- Develop a comprehensive cybersecurity policy complete with contingency plans, communications and response strategies. In-place policies eliminate ambiguity and allow for more effective responses to security breaches.
- Empower your information security and technology team with the resources to take the appropriate defensive measures such as penetration testing, network security architecture reviews and the identification of unused or dormant corporate IP addresses.
- Identify your corporate information “crown jewels” which would be attractive to hackers.
- Conduct a physical threat analysis to give decision-makers crucial visibility into the kinds of motivations and tactics potential attackers might use on their industry or their company specifically.
- Don’t neglect the simple and inexpensive fixes – the low-hanging fruit – like multi-factor authentication and strong password requirements which can potentially deter hackers looking for easier targets.
Fortunately, this new normal of advanced threats facing the private sector, while serious, does not necessarily need to adversely affect operations. It simply reflects changes in the business and security environments, and forward-thinking executives can turn these threats into opportunities.