R. David Edelman
Director, Massachusetts Institute of Technology, Internet Policy Research Initiative
You know, a lot of the cybersecurity challenges that we’re seeing today, they are actually pretty offline. They’re pretty human. They’re not wildly techy.
If you think about the rash of wire frauds that have happened all over the country, this is particularly epidemic in small- and medium-sized businesses. A lot of that happened, yes, because maybe a virus got into a network, somebody clicked a link somewhere, but after that there was no large theft of files, no massive spike in internet traffic. Instead, the attackers, they sit and they watch and they wait, and they see when money is transacted and in what amounts. What days are the wire transfers sent? What’s the protocol for sending them? Maybe even, when is the boss out of town, so that they can find that exact moment, and then that’s when they strike.
Now, all of that results in a loss that in some cases averages $100,000 or more. Most of that is actually human EQ. Not IQ and not TQ. So one of the great challenges that most mid-size businesses have to bear in mind is that a lot of it is going to be a human risk—of individuals being fooled, of data fooling them.
People are your first line of defense
And then, you know, an enterprise is only as good as every single person who makes it up. I know a lot of companies that grant exceptions, maybe for that CEO or that general partner who doesn’t want to comply with the cybersecurity rules because they’re used to doing it one way. Well, guess what? That’s going to be the way in. That’s the device that isn’t secure. And so part of the challenge is to find a way to make sure the systems work for every employee.
Prepare for a cyberattack
Data manipulation attacks, because they fundamentally manipulate our trust in the system, are one of those areas that can be incredibly disruptive. Maybe more disruptive than not even having access to your device. And so that is one of those areas that, frankly, most companies don’t even see coming until it’s too late.
And the only way to visualize how that relates to their company, in particular, is to engage in an exercise. You know, in the Pentagon, we’d call this a war game. And I have seen over and over, sitting down and reviewing technical materials for cybersecurity risks doesn’t do a lot of good. The truth is that only helps CIOs and CISOs. But what you really need is everyone in your leadership team to understand the risks and the roles they can play in mitigating them. That’s how you get to the understanding that something like a data manipulation attack could actually be more challenging to your relationship with your customers than a data availability attack.
And so, you know, my one recommendation is to simulate a cybersecurity incident. Set aside a few hours, actually role play, and have every person in your company figure out what they would do in a series of bad events.
And you know what? One bad day in cybersecurity, it’s usually several bad days. It becomes a bad week, and a bad month, because it usually goes much deeper than any individual first responder is able to find when they first see that indication of a cybersecurity risk in a system, or a risk that’s been exploited. And so by going through that exercise of actually planning, of rehearsing what companies would do, that has made a big difference in terms of them feeling confident they at least have gone through the motions of the most common sorts of attacks, so they know how they’d respond, and they aren’t caught flat-footed.