Are companies dangerously complacent about cybersecurity? A raft of recent news stories about attacks have pointed to an alarming vulnerability.
Consider that the number of U.S. companies mentioning cybersecurity issues in their regulatory filings has doubled in a year. Meanwhile, international industrial espionage appears to be on the rise, the CEO of Target has quit because of the mass theft of credit card data, and other retailers such as Neiman Marcus have also encountered threats.
How should the head of a company approach these threats? The average amount of damage from each successful attack has reached an estimated $11.5 million and as industry expert Gadi Goldstein highlights, cybersecurity is a potential existential issue for any company: “A cyber attack could be the end of a business, just like a bankruptcy. That is the first thing a CEO needs to focus on when it comes to this area, and the more we are digitized the worse the threat will get.”
Goldstein is a veteran of the Israeli security services who has set up K2G Global in Tel Aviv, a joint venture with K2 Intelligence. He is in no doubt that although the topic is gaining attention, most companies are dangerously complacent about cybersecurity.
Goldstein likens their unpreparedness to a shop sacking its staff and leaving its merchandise and cash tills out in the street. “Except it’s worse,” he says. “At least with a store you could choose to leave your stuff out in the street in a good or a bad neighborhood. But on the internet you have all the bandits of the world surrounding you and no police, no armies to come to your defense.”
Rotem Iram, chief operating officer of K2G Global, continues to daub dark paint on this depressing canvas. He says companies are running software that is not fit for purpose and is highly vulnerable to attack. As Quinn Norton, a technology writer, put it on website Medium recently: “Written by people with either no time or no money, most software gets shipped the moment it works well enough to let someone go home and see their family.”
“Software is so bad because it’s so complex, and because it’s trying to talk to other programs on the same computer, or over connections to other computers. Even your computer is kind of more than one computer, boxes within boxes, and each one of those computers is full of little programs trying to coordinate their actions and talk to each other.”
K2 Intelligence, which devises strategies and systems for companies to combat cybersecurity, believes many companies start in the wrong place. It is not necessarily about buying the latest and shiniest kit. “It starts with a threat assessment,” says Iram. “Who are the likely attackers and what are they likely to be targeting?” The most popular attacks involve attempts at financial gain, he says, and the epicenter for fraud and digital organized crime is eastern Europe.
Next comes threats to energy installations and large companies operating in areas classed as the national interest. The likely perpetrators will come from countries with which your homeland has a diplomatic dispute. An example would be Iran’s alleged 2012 cyber attack on Aramco, the huge Saudi Arabian oil company.
Intellectual property and industrial espionage is a third class of cyber crime. As the Americans are alleging, this is an area in which the Chinese are thought to excel.
There are the threats too, intentional or otherwise, from your own employees. Disgruntled staff can do damage just for the sake of it. Well-meaning staff can do unintentional harm every day by, for example, unwisely putting a USB stick into their computer, surfing to the wrong place online, or opening up email links designed to breach security.
“The biggest threat is the human element,” says Iram. “We have antivirus software and firewalls but employee mistakes are your biggest vulnerability.”
Companies, he believes, should be focusing much more on “softer” skills such as training and communication for all staff, and having simple internal controls to integrate systems. “Your HR system may have an employee logged as sick and not in; your IT system records that he has logged in. That could be a potential security breach. You need to organize your processes and skills.”
Cybersecurity involves looking at the problem from all angles. “If you haven’t got a lock on the door to your server room,” says Iram, “that’s an issue. You need a plan that prioritizes the most cost-effective way to get from where you are to where you need to be.”
And companies really are skimping on cost, says Goldstein. “We have gotten used to the fact that the use of the internet is free. If you are sending a boat to pirate-infested waters you would put a guard on board. Yet we sail through the internet with no defense.”
The financial sector, says Iram, is fairly advanced in recognizing the problems. Finance companies of course guard the most damaging secrets. Then companies that look after a country’s critical infrastructure are reasonably savvy clients, mostly because they are governed by tight regulations. “Everyone else is fairly complacent,” he says, “though now that Target’s CEO has been fired and the company is being sued, that might be changing soon.”