The Day the Cyber Threat became a Management Challenge

All of the latest cybersecurity developments notwithstanding, there is no hermetic protection against the cyber threat. There is, however, a proper way to manage the cybersecurity crisis. What should the managers do after the hack? What is the best way to prepare for "The Day After"?


Despite investments by the billion in cybersecurity technologies, leading companies have been hacked. The successful hacking into the computers of those companies was not the main problem, however. It was the poor management of the cybersecurity crisis following the hack that caused the price of the company's share to drop and led to the dismissal of the managers.

There are three as yet unpublished laws of cybersecurity: all computing systems are born vulnerable; all computing systems (even those that have not been hacked yet) will be hacked eventually; and there is no correlation between investment in cybersecurity and the prevention of hacks.

No Hermetic Protection

The alumni of the relevant IDF units who establish cybersecurity companies and offer protection against cyberattacks know the truth: no amount invested in technology will prevent the success of an effective hack. Such a hack may be executed not necessarily by a monstrous criminal organization, but often by individual hackers or even present or past company employees. Any CEO or CISO (Chief Information Security Officer) who makes the mistake of assuring the board of directors that the company's computing layout is fully protected against hacking will be proven wrong. The real test of how an organization or company copes with the cyber threat is managerial rather than technological. One example that effectively demonstrates how management teams fail to manage cybersecurity crisis situations is the story of the Equifax Company, entrusted with safekeeping the credit data of tens of millions of Americans. The Company admitted it had been hacked and that the data of 147 million clients became available to the hackers. Equifax reported these facts to their clients and to the general public a few months after the event. The Company's conduct before and during the crisis had a severe impact on the share price and the management. The management team demonstrated helplessness and confusion, particularly after it was realized that the hack in question was the third attack the Company or its subsidiaries had sustained.

Another company whose management team failed to manage a cybersecurity crisis effectively was UBER. This Company sustained a cyberattack a few months ago. The managers of the UBER Company paid ransom in order to keep their clients unaware of the fact that their data had become available to hackers. The new CEO announced that the manner in which the crisis situation had been handled was extremely inadequate. The case of the UBER Company provides a particularly good example of the significance of poor management in the event of a cyberattack. The management of the UBER Company chose to negotiate with the attackers, who demanded substantial amounts of money in exchange for not exposing the data of 47 million users they had managed to extract from the Company's databases.

The UBER Company paid the ransom, thereby exposing the management to the risk of civil and possibly even criminal legal action. In other words, a focused, covert attack against the UBER Company led to an extremely serious risk being imposed on the management – which definitely reflects inadequate decision-making by the management. Was the Company's legal counsel included in the decision-making process? Were the insurance company, the law enforcement agencies and the board of directors involved in that process? Was the management team of the UBER Company aware of the fact that according to terrorism and money laundering prevention statutes, the payment of ransom might, in some cases, constitute a criminal offense?

Dozens of successful hacks that were reported proved that the management team of a company where a hack had been identified will be measured according to the management decisions it made before and during the crisis situation (and less by technological aspects). As a cybersecurity crisis is multi-systemic, cross-departmental and constitutes a strategic threat to the success of the company and its managers, those managers must see to it that the organization prepares well in advance for those cybersecurity crisis situations. This strategy, of advance organizational preparations for cybersecurity crisis situations, will reflect the professionalism of the management team and can save the management from paying the price of the crisis. Every organization must allocate substantial resources to administrative preparations for the inevitable crisis situation (the opposite of the prevailing approach of "This can never happen to us"), just as a military organization must assume the possibility of a war and prepare for it well in advance.

Everyone is Responsible

In order to prepare for the next cybersecurity crisis, the entire management team must be familiar with the subject. The specialized cybersecurity knowledge is normally the responsibility of the Chief Information Security Officer (CISO), to the point where in some public companies, the CISO reports directly to the board of directors. Despite the fact that the cybersecurity expertise is the responsibility of one particular member of the management team, in effect, the entire senior management echelon (including the chairman of the board of directors, the entire board of directors, the CEO and the other senior executives) will be exposed to legal action in the event of a serious failure.

So, while the CISO is regarded as a content expert, all of the other managers must be familiar with the field of cybersecurity, at least with regard to their own specific responsibilities. The entire C-level echelon, including the CEO, the marketing manager, the customer support manager, the legal counsel, the operations manager and so forth – must be familiar with the field of cybersecurity from the respective perspectives of their specialized fields of activity. The test of the organization's preparedness for a cyberattack is managerial – whether the company leaders received the relevant training, as individuals and as a team.

A general cyberattack that is not aimed at a particular organization, such as the WannaCry attack, inflicted substantial damage on various companies, but the management teams of those companies can argue, justifiably, that many good companies were infected, so the company managers had done nothing wrong and had not neglected the cybersecurity issue. Some cyberattacks produce an inevitable public and media profile. A Distributed Denial of Service (DDoS) attack that prevents external elements (customers) from accessing a company's website by "bombarding" the website with tens of thousands of fake log-ins will normally have an adverse effect on the service the company provides to its customers. In most cases, such attacks are resolved within hours or days. As such an attack will mainly affect the service provided to the company's customers, its implications will pertain mainly to the marketing and customer service organs. In this case, too, assuming the company had taken the technical measures required in order to protect itself against such attacks, the essential challenge of the cybersecurity crisis is primarily one of dealing with the customers and the public, and is not technological.

Unlike attacks with a 'noisy' public profile, cyberattacks that focus on a specific organization often produce a small public signature. Advanced Persistent Threat (APT) type attacks are designed to inflict damage on the company or gain a profit from accessing the company's computer assets – for example, hacking into the company's computers in order to steal know-how or money. In many APT attack cases, the hackers are not interested in a high media profile for their attack, so that they may continue to extort funds from the victimized company without interruption.

Mass exposure of the attack tools and methods encourages the companies involved in cybersecurity, as well as many amateurs, to seek solutions for cyberattacks and, in fact, to eliminate their effectiveness. Many of the companies that have been exposed to low-profile attacks are interested in keeping such incidents a secret, so as not to undermine customer or investor confidence in the capabilities of the management team. Very often, this applies to financial institutions that are not obliged by regulation to divulge information regarding cyberattacks staged against them.

A predetermined, structured company policy for dealing with APT attacks is more important even than the technology that attempts to prevent such attacks. If it is found, in retrospect, that the company did not have a clearly defined policy for dealing with such attacks and their consequences, the company managers will be exposed to legal action.

This limited-scope discussion of the connection between the nature of the cyberattacks and the involvement of various elements within the organization clearly demonstrates how multi-systemic, advance preparation is a mandatory prerequisite for managing cybersecurity crisis situations. In fact, any management team of an organization that fails to prepare in advance and develop appropriate tools for managing cybersecurity crisis situations will be exposed, economically and legally, and sometimes even criminally. In cases like this, the CISO will not be the only one fired. 

***

Shabtai Shoval is the owner and CEO of the Suspect Detection Systems (SDS) Company that deals with the cyber threat.
