A perspective on cybersecurity: How to mitigate a cybersecurity attack
R. David Edelman, Director, Massachusetts Institute of Technology
Internet Policy Research Institute
You know, a lot of the cybersecurity challenges that we’re seeing today are actually pretty offline. They’re pretty human. They’re not wildly techy.
Think about the rash of wire frauds that have happened all over the country (this is particularly epidemic in small and medium-sized business) because maybe a virus got into a network or somebody clicked a link somewhere. There was no large theft of files, no massive spike in internet traffic, but instead the attackers watch and wait. They see when money is transacted and in what amounts. What days are the wire transfers sent? What’s the protocol for sending them? When is the boss out of town? They can find an exact moment and that’s when they strike.
That results in a loss that in some cases averages $100,000 or more. Most of that is actually human EQ, not IQ and not TQ. One of the great challenges that most mid-size businesses have to bear in mind is that a lot of risk is going to be a human risk—individuals being fooled (data fooling them).
GRAPHIC: [People are your first line of defense.]
An enterprise is only as good as every single person who makes it up. I know a lot of companies that grant exceptions, maybe for the CEO or general partner that doesn’t want to comply with the cybersecurity rules, because they’re used to doing it one way. Well, guess what? That’s going to be the way in. That’s a device that isn’t secure. Part of the challenge is to find a way to make sure the systems work for every employee.
GRAPHIC: [Prepare for a cyberattack.]
Data manipulation attacks, because they fundamentally manipulate our trust in the system, are one of those areas that can be incredibly disruptive—maybe more disruptive than not even having access to your device. That is one of those areas that most companies don’t even see coming until it’s too late.
The only way to visualize how that relates to their company is to engage in an exercise. In the Pentagon, we’d call this a war-game. I have seen that sitting down and reviewing technical materials for cybersecurity risks doesn’t do a lot of good. The truth is that only helps CIOs and CISOs. What you really need is everyone in your leadership team to understand the risks and the roles they can play in mitigating them. That’s how you get to the understanding that something like a data manipulation attack could actually be more challenging to your relationship with your customers than a data availability attack.
GRAPHIC: [Practice war-gaming.]
My one recommendation is to simulate a cybersecurity incident. Set aside a few hours, actually role play and have every person in your company figure out what they would do in a series of bad events.
And you know what? One bad day in cybersecurity usually leads to several bad days. It becomes a bad week and a bad month, because it usually goes much deeper than any individual first responder is able to find when they first see that indication of a cybersecurity risk in a system, or a risk that’s been exploited. Going through the exercise of actually planning and rehearsing what companies would do can make a big difference in terms of feeling confident. They at least have gone through the motions of the most common sorts of attacks, know how they’d respond and aren’t caught flat-footed.