Senior leaders see cyber as No. 1 risk; now comes heavy lifting to impose cyber hygiene in a complex environment
Cyber threats now command the corporate sector’s full attention.
It’s reached the point where some CEOs have even begun adjusting their personal online habits to help protect themselves, and by extension, the organizations they lead. Corporate consultancy PwC’s recent poll of 1,600 CEOs worldwide found that cyber attacks are now considered the top hinderance to corporate performance, followed by the shortage of skilled workers and the inability to keep up with rapid tech advances.
As a result, some CEOs admit they’ve stopped Tweeting and deleted their LinkedIn and other social media accounts – anything to help reduce their organization’s exposure to cyber criminals. “Senior C-level executives and board members are paying more attention now to cybersecurity than two years ago, by far,” observes Jeff Pollard, vice president and principal analyst at tech research firm Forrester.
Awareness is a vital step forward, no doubt. But it’s only a baby step. Corporate inertia still looms large. For many Chief Information Security Officers, having the CEO’s ear, at the moment, is proving to be a double-edged sword, Pollard told me. “We find many CISOs spend their time explaining what threats matter and why, as opposed to why cybersecurity matters in the first place,” he says. “Security leaders must also find ways to explain why budgets that have steadily increased, year after year, have not solved the security problems”.
Pollard says discussions need to revolve around how specific improvements can materially add to more robust, overall protection. “Leaders need to show how specific security improvements put them in a better position to protect their brand and their customers, rather than simply saying how much they spent and which projects completed,” Pollard says.
In short, there’s a lot of work left for the corporate sector to do. And it starts with a more precise understanding of a fast-morphing challenge. Here’s a rundown of the key variables at play:
Tumultuous exposures
External pressure is unceasing; harm to companies and consumers caused by cyber criminals continues to steadily escalate. Tried-and-true hacking techniques continue to be highly effective at flushing out soft spots in legacy network defenses, even highly layered security systems.
Just ask MGM Resorts, the Las Vegas-based mega hotel chain, that has no doubt spent multi-millions on cyber defenses. Yet, stolen personal data for more than 10.6 million guests who stayed at a MGM Resorts facility in Las Vegas was posted Feb. 19 on a hacking forum. Indications are that the hackers were able to crack into a cloud service the resort chain relied upon to store the data. Victims included celebrities, tech CEOs, reporters, government officials and employees at some of the world’s largest tech companies. The bonus for these high-profile MGM guests: their full names, home addresses, phone numbers, emails and dates of birth are now up for grabs on the Dark Net.
As part of the rush to leverage the Internet cloud to transact with remote workers, third-partner suppliers and customers, companies opened up endless fresh attack vectors. Threat actors follow the crowd, so the most popular cloud services translate into the biggest magnets of probing, by both white hat and black hat researchers.
Take Zoom, for instance. The supplier of a popular video conferencing tool has been scrambling to issue a series of security patches after white hat researchers showed how the Zoom platform used weak authentication — making it possible for uninvited parties to join an active call. It’s unknown whether any black hat hackers actors knew about these flaws – and exploited them -- before the white hats. Whatever the case, we’re now in the period when garden-variety criminals will, no doubt, actively seek out Zoom systems that don’t get patched in a timely manner. And we know what that means.
This pattern has happened time and time again. Within hours after a public disclosure about vulnerabilities that needed patching in enterprise-grade VPN, threat actors shifted into high gear. Iranian government backed hackers reportedly began exploiting unpatched VPN systems distributed by Pulse Secure, Palo Alto Networks, Fortinet, and Citrix to IT, telecom, energy and security companies of strategic importance to Iran.
The hackers were prepared: they swiftly rolled out an attack that sought out vulnerable VPNs, and spread malware carrying a hidden back door. Because big enterprises tend to move a lot slower than nimble hacking rings, even companies that moved directly to install the patches may not have done so in time, says Avast Security Evangelist Luis Corrons. The only way to be certain they don’t have any back doors is to perform a thorough analysis of all their endpoints and servers, Corrons says.
Complicating variables
These very recent developments represent only a tiny portion of the turmoil unfolding every day across a vast, dynamic threat landscape. For two decades now, wave after wave of high-profile breaches have resulted in Dark Net getting saturated with stolen data. This pilfered data, in turn, has been channeled into all manner of business scams, consumer fraud, election tampering and cyber espionage.
It’s high time CEOs see the light. Clearly, rising consumer awareness – and backlash – must be adding to the pressure. Consumers unease has translated into the rise of regulations relating to breach disclosure. This has taken the form of data loss reporting requirements in Europe and across 47 American states. A handful of states have imposed business certification requirements on top of that. And on the leading edge, political leaders in the U.K., Japan and California have commenced imposing security benchmarks for Internet of Things devices and systems, a sure sign of more IoT safety standards to come.
“New regulations have added additional scrutiny from regulators and raised consumers’ expectations about the steps businesses are taking to keep their sensitive data private,” says Ambuj Kumar, CEO of Fortanix, a Mountain View, CA-based supplier of advanced encryption systems. “With private data now moving between data centers, public cloud and edge computing, we are seeing more senior execs rethink their data security strategy.”
Some have found that a good place to start is on assessing the security of applications, says Sandy Carielli, another Forrester principal analyst I discussed this with. “Applications are still the most common way in for an attacker, so it pays to look at how security is built into your software development lifecycle,” Carielli says.
Gaining a working understanding about how application vulnerabilities get remediated throughout the DevOps software development cycle is vital. Security should be taken into account early on, in the design phase; midway, during development and testing; and in the final production phase, Carielli says.
Kumar opines that the legacy mindset of erecting a strong perimeter around data kept on premises needs to be thrown out the window. Fortanix is in the vanguard of startups introducing advanced technologies designed to keep data encrypted as it moves back and forth through multiple cloud services. “By taking that approach, the business has more control,” he says. “The company keeps the keys to the data and security follows the data wherever it goes.”
In the age of DevOps, where dynamic applications are spun up using a “fail fast” philosophy,
it has become mission-critical for CEOs to do much more than stop Tweeting. (Fail fast is the notion of quickly deploying barely viable software to learn where it works or fails, and then remediating shortcomings on the fly. ) In this hurly burly environment it is now incumbent on company leaders to gain a very specific, precise understanding of what constitutes robust cyber hygiene – and to impose cyber hygiene where appropriate, on both legacy and advanced systems.
“The biggest piece of advice I share with CISOs is to find ways to show how security protects the ways your firm generates revenue,” Forrester’s Pollard told me. “That’s the ‘cheat code’ for CISO success. By protecting the products and services that your company sells, you find ways to show how your efforts directly contribute to the growth of the company. Contributing to product security by ‘securing what you sell’ is the cornerstone of successful CISOs as digital transformation accelerates.”
It’s going to be instructive to see which company leaders move in this direction, and how soon. I’ll keep watch.