The following are three rules of the cybersecurity game that have not yet been publicly released: (1) all computing systems were created vulnerable; (2) a computer system that has not yet been hacked will be hacked; and (3) there is no correlation between investment in cybersecurity and the prevention of attacks.
All systems are hackable
Despite the billions of dollars of investments in cyber protection technologies, leading companies and institutions have been successfully penetrated by hackers. The harsh truth should be out in the open: no investment in technology will prevent an effective cyber-attack.
Any CEO or CISO who assures the company's board that its computer systems are immune to hacking is greatly mistaken. An effective attack can be mounted by criminal organizations, foreign states, individual hackers or even employees. Since all systems are hackable, we need to change our paradigms. Cybersecurity should be regarded as a managerial challenge and not as a technological one. The real and main challenge is not the futile attempt to shield our systems from hackers, but the managerial mitigation of the cyber crisis that should be expected.
Who pays the price?
Many cyber-attacks have resulted in a hit to the share price and the dismissal of the CEO. In most of these events, the leading cause of such results was not the actual security breach, but the mismanagement of the crisis following the attack. Past cyber-breach events have demonstrated that management is not judged by its failure to prevent the attack. It is, however, judged by its performance and managerial decisions before and during the crisis.
Two recent events have demonstrated severe mismanagement of cyber crises. Equifax was hacked, and the records of 143 million customers were compromised. The conduct of the company's management before and during the crisis drove its share price down 18%, and the company's CEO was dismissed. Poor post-attack decisions by management included hiding information from the public and the authorities. Equifax management was particularly helpless and confused after it became clear that this was the third successful attack on the company.
Another company whose management failed to manage a cyber crisis is Uber, which suffered a ransomware attack a few months ago. According to media reports, Uber's former CEO chose to pay the attackers in order to hide the fact that 57 million users' details had been stolen from the company's database. Paying the ransom to hide information from the public and the authorities exposed management to the risk of civil lawsuits and criminal charges. One may ask whether Uber's gatekeepers, such as the company's legal counsel, the insurance company, law enforcement agencies, or the board of directors, were involved in the decision-making process. Was Uber's management aware of the relevant SEC regulations and of the relevance of counter-terrorism and money laundering laws?
Considering the nature of the attack
The nature of the attack is a significant parameter affecting the management challenge. In a high-profile attack, the nature of the attack itself exposes to the public the fact that a certain company has been attacked. One type of such attack is a General Attack ("Spraying Attack"): an untargeted attack that is not focused on a specific organization and affects many companies and organizations. One such attack was the notorious WannaCry, which caused substantial damage to many companies. While a general attack is ongoing, management enjoys the benefit of the doubt as long as it acts in a similar manner to other companies.
A high-profile attack can also be an attack that immediately affects customers. One example is a distributed denial-of-service (DDoS) attack, in which hackers "bombard" a company's website with tens of thousands of requests. Such an attack usually disrupts the service the company provides to its customers and is typically resolved within hours or days. The implications of such an attack fall primarily on the PR, marketing, and customer service divisions. While the CISO manages the technological side of the crisis, the main managerial challenge is dealing with the customers and the public.
Alternatively, Advanced Persistent Threat (APT) attacks target specific organizations. In many cases, these attacks have a low public signature. APT attacks are designed to damage the company or to profit from penetrating the company's computing resources, for example by penetrating computers to steal knowledge or money, or to demand ransom. In many APT attacks, the hackers do not want to draw media attention. By keeping a low profile, they can continue to exploit their ability to extort funds from the same victimized company or from other victims. Wide exposure of the attack and its methods prompts security companies and many amateurs to find countermeasures to the attack tactics and neutralize them. Interestingly, many of the companies hit by a low-profile attack are also interested in hiding the event. In such cases, managers hide the attack from the public eye to keep the company's (or their own) reputation intact.
A company policy prepared in advance for APT cases is even more important than the technology that tries to prevent such attacks. If it turns out that the company has no clear policy for dealing with such attacks and their consequences, the company's managers are exposed to legal claims and even criminal charges.
So what is there to do?
A cyber crisis is a cross-organizational challenge that may have a critical strategic impact. Management must ensure that the organization is prepared in advance for such an event. Each organization should devote considerable resources to preparing its management and adopt a risk management strategy in the face of cyber threats. Such a strategy should include managerial- and organizational-level decisions and processes. Developing and applying such a strategy may protect management from prosecution.
Cyberspace expertise is usually in the hands of the CISO. While the CISO's role in a cybersecurity crisis is critical, some CISOs may not have the personality required to lead such an event. A CISO who may be the best operational manager for everyday cybersecurity operations might not be fit to manage a major crisis. Cyber crises should be managed by a CISO who is a leader by nature, capable of making decisions under uncertainty and tremendous pressure.
Although the role of the CISO in a crisis is obvious, many of the challenges involved in a cyber crisis are not in the sole domain of the CISO. These challenges include, among other things, the policy on disclosure to the authorities and the public, legal options, customer care, the self-initiated shutdown of certain services, the crisis's implications for production, production continuity and recovery, the company's public relations strategy, etc.
Although the expertise is in the hands of one member of the management team, in practice the entire management and the board of directors are exposed in the event of a significant failure. Therefore, while the CISO is the content specialist, the other managers, at least at the C-level (CEO, CMO, etc.), must know the cyber domain well enough to understand its implications for their specific domain. Relevant cyber management training, at both the individual and the team level, is a minimal requirement for cyber readiness.
The limited discussion here of the organizational aspects of the cyber issue illustrates the importance of an organizational strategic plan for cybersecurity and its execution. In fact, management that fails to follow this logic is exposed to failure and even to legal charges.
As recent events have demonstrated, a CEO who neglects the cybersecurity threat and leaves it in the hands of the CISO might need to look for a new job or be forced to hire a costly lawyer.
So, dear CEO, do not ask what your CISO can do for you, but what you should do to protect yourself.
Shabtai Shoval is CEO and owner of SDS, which specializes in cyber threats