Cyber “Whack-a-Mole” is a $10 Trillion a Year Hit for Shareholders and Management

By Chuck Brooks, Skytop Contributor / September 7th, 2021 

 

Chuck Brooks was one of “The Top 5 Tech People to Follow on LinkedIn.” He was named by Thomson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer.” Chuck served as the first Legislative Director of The Science & Technology Directorate at the Department of Homeland Security. He served as a top Advisor to the late Senator Arlen Specter on Capitol Hill, covering security and technology issues. More recently, he was featured in the 2020 Onalytica “Who’s Who in Cybersecurity” as one of the top Influencers for cybersecurity issues. He was also named one of the Top 5 Executives to Follow on Cybersecurity by Executive Mosaic.

He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, Expert for Executive Mosaic/GovCon, and a Contributor to Forbes.com. He recently presented to the G20 on Energy Cybersecurity and has been a featured author in technology and cybersecurity blogs & events by IBM, AT&T, Microsoft, Cylance, Xerox, Malwarebytes, General Dynamics Mission Systems, and many others. 

Chuck is on the Faculty of Georgetown University where he teaches in the Graduate Applied Intelligence and Cybersecurity Risk Program. He has an M.A. from the University of Chicago and a B.A. from DePauw University.

President of Brooks Consulting International, Chuck is a globally recognized thought leader and subject matter expert in Cybersecurity and Emerging Technologies.


Cyber Crime Up 125%:  Every Company is a Reachable Target 

In the past several years, the world has changed and has become more perilous for corporate leaders. A new era of exponential digital connectivity catalyzed by the Covid pandemic has changed the security paradigm. The growing and sophisticated cyber threat actors include various criminal enterprises, loosely affiliated hackers, and adversarial nation states. Every company is now a reachable target, and every company, large or small, has operations, brand, reputation, and revenue pipelines that are potentially at risk from a breach.

The C-Suite must address the new realities and prioritize cybersecurity. 

According to Accenture’s Cyber Investigations, Forensics & Response Midyear Update, in the first half of 2021, global cyber intrusion activity jumped 125%. In 2021 global losses from cybercrime damages are projected to reach $6 trillion. That equates to damage amounts of $16.4 billion a day, $684.9 million an hour, $11 million per minute, and $190,000 per second (Cybercrime Magazine, 2020). According to IBM, the cost of an average data breach has now risen to about $4 million. The cybersecurity firm Varonis reports that there are approximately 7 million data records compromised each day, and 56 records compromised each second.

Ransomware as a Primary Concern  

For companies, ransomware has become an ever-growing threat. The firm ESET disclosed that there were over 71 billion ransomware attacks on remote access between January 2020 and June 2021. A typical ransomware attack will involve the encryption of victims’ data and demands for payment, usually in the form of cryptocurrencies, before release of the data. Criminal gangs, in conjunction with encryption, often steal sensitive corporate data and threaten to publish it publicly or sell the data outright in Dark Web forums. More recently, the Colonial Pipeline attack represented the first ransomware attack on our national supply chains, disrupting gasoline supplies throughout the Eastern United States. Others have followed similar tactics against meat processing plants.

According to Cybersecurity Ventures, cybercrime will cost $10.5 trillion in damages by 2025.

Driver of Growing Threats 

It is not surprising that the volume and lethality of cyber-attacks are increasing. Three factors explain the uptick:

  1. The expanding connectivity of the Internet has increased cyber vulnerabilities. The rapid change to remote work necessitated by Covid-19 exacerbated an already weak cybersecurity preparedness profile for business. The number of meshed devices with home offices has provided a huge new attack surface for cyber criminals to access and exploit. In particular, the healthcare industry is a favorite target of hackers who take advantage of limited security budgets and exposed digital vulnerabilities in the middle of the Covid-19 pandemic.

  2. Cyber criminals have become more sophisticated and adept in their cyber-attacks. Cyber criminals are automating their own attacks with machine learning and artificial intelligence tools. As a result, their attacks are now faster, more calculating, and more lethal. Obscurity is no longer a defense for businesses, as automated scanning for vulnerabilities and automated delivery of malware allow hackers to reach anyone.

  3. There is a skills gap and a lack of qualified cybersecurity personnel to fill jobs and combat threats. As the volume and cost of breaches continue to grow, the public and private sectors have difficulty keeping up with the latest malware patches and continuously monitoring the evolving threat horizon. This is an ongoing global problem with no easy workforce remedies in sight.

Hackers are taking advantage of those three factors to exfiltrate sensitive data from businesses. The basic tools and tactics hackers use for exploitation include malware, social engineering, phishing (the easiest and most common, especially spear-phishing aimed at corporate executives), ransomware, insider threats, and Distributed Denial of Service (DDoS) attacks. Sophisticated hacking kits and tools are more readily shared on the Dark Web and among hackers. When a vulnerability is spotted by the bad guys, it is often rapidly shared among their groups.

The frequency, sophistication, and maliciousness of cyber-attacks (including ransomware and DDoS) have become alarming. These are growing cyber-threats to corporate operations and reputation that can directly impact the viability of a company. Statistically, it is estimated that over 40% of small and medium businesses that experience a significant breach go out of business.

C-Suite Executives Lag Behind in Their Assessment of Cyber Risk 

The new reality is that we are all playing catchup in cybersecurity, especially the C-Suite. The Internet was invented in a government laboratory and later commercialized in the private sector. The hardware, software, and networks were originally designed for open communication. Cybersecurity initially was not a major consideration. That mindset has surely changed due to the explosion of connectivity, commerce, and cybercrime on the Internet.  

The bottom line is that almost every type of business, large or small, whether in law, finance, transportation, retail, communications, entertainment, healthcare, or energy, must now reinforce aspects of cybersecurity. Cyber-threats are ubiquitous, and they can be an existential event for companies.

The new digital commerce ecosystem has heightened the need for security. Executives can no longer view security, both physical and cyber, as a cost accounting item. It needs to be prioritized as an investment in people, processes, and technologies. It really needs to be part of the company culture from top-down.  

Dr. Chris Brauer, Director of Innovation in the Institute of Management Studies at Goldsmiths in London, sums up the state of cybersecurity for board members succinctly: “overcoming the threat boils down to two things: accepting that you will be breached (awareness) and the ability to do something (readiness).” 

Emerging Technologies Cause Emerging Threats 

Emerging technologies impact cybersecurity planning in many ways. At its annual meeting in Davos, the World Economic Forum announced that the combined opportunity value of digital transformation, for society and the industry, could be greater than $100 trillion by 2025. That transformation includes the immersive inclusion of digital technologies and cloud-based platforms. It also includes analytics, sensors, mobility, and a new era of automation impacting all industries and verticals including financial, energy, security, communications, and health. The corporate C-Suite must recognize evolving cyber challenges of the Fourth Industrial Revolution and digital economy that include:

  • Internet of Things – exponential connectivity (20 billion devices according to Cisco in 2021). 

  • Vulnerable Supply Chains (for example the SolarWinds breach that impacted hundreds of Fortune 1000 companies and numerous governments and agencies).

  • Transition to Cloud, Hybrid Cloud and Edge Platforms (many businesses are replacing legacy systems and moving their data into cloud platforms).

  • An Emerging Tech Landscape: artificial intelligence, machine intelligence, 5G, virtual & augmented realities, and quantum computing will have a disruptive impact on business operating models and security during the next decade.

Call in the Experts, Organize an Advisory Board 

For the C-Suite, the easiest way to address cybersecurity knowledge gaps is to have a strong Board of Directors and/or Advisors. Cybersecurity requires expertise and experience. A corporate board should include a blend of internal and outside subject matter experts. It is very useful for executive management to get perspectives and ideas from experts on the outside for situational awareness, technology validation and threat intelligence. 

At its very core, the practice of cybersecurity is risk management. It requires being vigilant and encompasses educating employees, identifying gaps, assessing vulnerabilities, mitigating threats, and having updated resilience plans to respond to incidents.  

Cybersecurity at the C-Suite level requires effective communication with the Board and management team. The CISO, CTO, CIO, and executive management must align strategies, collaborate, and regularly assess their information security programs, controls, and safety of networks.   

Board directors should have a working understanding of risk management (and risk exposure) and have context on the array of different threats and threat actors. Areas of special knowledge for a Board should prioritize risk management and cybersecurity as a company imperative that includes incorporating legal compliance, cybersecurity technology solutions and services, training, liability insurance, governance, and policy. Information security management should include people with a knowledge of best practices covering topics such as:

  • Creation of a corporate risk management strategy & vulnerability framework that identifies digital assets and data to be protected. A risk assessment can quickly identify and prioritize cyber vulnerabilities so that you can immediately deploy solutions to protect critical assets from malicious cyber actors while immediately improving overall operational cybersecurity. This includes protecting and backing up business enterprise systems such as financial systems, email exchange servers, HR, and procurement systems with new security tools (encryption, threat intel & detection, firewalls, etc.) and policies. (Please see cybersecurity strategy elements in the infographic below).

  • Endpoint security: protecting remote access to a company’s network. 

  • Network Security: protecting the network from unwanted users, attacks & intrusions.

  • Cloud Security: protecting against an unauthorized party gaining access to an asset.

  • Mobile Security: protection from fake & malicious apps.

  • Supply Chain Cyber Attacks: protecting each component within the corporate supply chain, especially from third parties.  

  • Identity management and access control: understanding the access every individual has in an organization. In conjunction, use multi-factor authentication, strong passwords, and cyber hygiene to prevent identity theft. Click here for a detailed chart published by #cyberavengers, a group of experts, to which I belong.

  • Security training for employees (table-top exercises including the use of gamification for executives and employees).

  • Incident response, mitigation, and business continuity planning. Secure back-up protocols: what to do if networks and devices are compromised.

Cyber Criminals, Terrorists and Hostile Nation States are Well Resourced to Cause Damage—Be Proactive 

There are many challenges to functioning securely in an exponentially changing digital world. For industry, it requires awareness and restructuring of plans that can prevent cyber calamities. In the past, much of the cybersecurity focus and activities by industry have been predominantly reactive and viewed as an operating revenue cost. Being proactive is not just procuring technologies and implementing policies; it also means adopting a new security mindset for the C-Suite. Knowledge is a first step and hopefully this primer can provide an initial pathway.

I look forward to your comments. 
