What Executives Need To Know About Cybersecurity

In 2013, Target Corporation was hacked. Soon thereafter, its Chief Information Officer and its Chief Executive Officer of 35 years were fired.
Two years later, in 2015, Sony Pictures was hacked. Among the embarrassing details, a long history of Chairwoman Amy Pascal’s personal emails was leaked. She was let go immediately.
Two years after that, in 2017, Equifax Incorporated was hacked. The company’s CIO and Chief Security Officer both “retired” in its wake. Richard Smith, arguably the most successful Chief Executive in the company’s history, also “retired” shortly thereafter.
One could go on and on with stories like these. Corporate hacks over the past decade have, increasingly, been laid at the feet not just of IT personnel, but executives. There is a debate over whether such cases of blame are warranted, but it almost doesn’t matter. Hacking is ubiquitous in business and industry today, and it’s everybody’s problem. Executives, in particular, tend to be on the chopping block when push comes to shove.
Most high-level decision-makers won’t have the broad technical training necessary to attack their company’s cybersecurity head-on. However, one can reduce risk in an organization by instituting some simple best practices. Here are a few tips to get started:
1. At least do the bare minimum
On January 15th and 16th, 2009, French Navy Dassault Rafale planes were grounded when a virus hit their operational computers. The virus, called Conficker, prevented the planes from downloading their flight plans, and so they had to wait until the virus was removed before taking flight as usual.
How could this virus have penetrated a major nation’s Navy? It turns out that those computers hadn’t updated their operating software, despite public notice from Microsoft.
It’s remarkable how often companies fail to do the simple, bare minimum when it comes to cybersecurity: purchasing antivirus, setting up firewalls, updating software and operating systems. These are simple measures that even ordinary computer users often know to do for themselves, and yet organizations with millions of dollars’ worth of property, information and money on the line overlook them.
2. Stop thinking about tech, start thinking about people
When Target was hacked in 2013, the company had three separate antivirus systems in place: from FireEye and Symantec, two leading cybersecurity firms, and a team in India that monitored their computer systems 24/7.
That Indian team had, in fact, notified Target HQ when the breach occurred. No further action was taken, though. The FireEye program immediately sent red flag notifications to Target system administrators. As the attack progressed, so did the warnings. None of them, unfortunately, were heeded. The Symantec software running on those same systems had a built-in feature that could delete malware upon first detection. In this case, that feature was turned off.
It may seem simple enough that more defences equal more protection. That is, in fact, not so, as Target learned the hard way. Having three antivirus systems running at the same time is like carrying three umbrellas in the rain: one would suffice, the others add little or nothing, and you’re approaching the problem in the wrong way.
Cybersecurity has always begun and ended with people, not technology, and it always will. People design malware, and people contract malware; computers are merely the vehicle of transfer. The Target hack began when one employee at a small, family-owned HVAC business in Pittsburgh downloaded a malicious program from a spear phishing email. The series of events that ensued ended in millions of Americans’ credit card information being stolen. All because one person clicked on a seemingly innocuous email attachment.
And plenty of other human error occurred along the way: most notably, all of the Target executives and employees who failed to respond to the series of warning signs right in front of their eyes.
3. Invest in talent
No amount of security tech could’ve saved Target in 2013. Only competent people could have. This is the rule, not the exception.
Therefore, the most effective defence against talented hackers is talented defenders. You don’t often hear news stories about companies with the best cybersecurity teams, and that’s by design. Only insufficient, incompetent teams ever make the news. If we’re to extend the example of Target 2013: it’s worth noting that the company, which in 2013 had 361,000 employees working under its roofs, had no Chief Security Officer. Its Chief Information Officer was, technically, in charge of cybersecurity at the company (whether she knew it or not). Having somebody to oversee all matters of cyber breaches could have, you’d imagine, prevented such an attack, or at least mitigated it.
4. Recognize that threats can come from anywhere
Malware can take the form of a virus, a worm, ransomware or a trojan, and it can arrive on your computer via a USB drive, a disc, a laced Word document attached to an innocuous-looking email, or a SQL-injected webpage. Malware takes far too many shapes and sizes to describe briefly here.
When an executive stands at the head of a conference room, they expect answers to questions. Many employees work very hard to come up with concrete, effective solutions to problems the company might be facing. In cybersecurity, this is not possible. Any digital information could, in theory, constitute a malicious attack. Therefore, there is no single answer to stopping all potential breaches. The executives at Equifax or the leaders of the French Navy could patch up all the holes that led to the breaches of their systems, and still be totally vulnerable in 1,000 other ways. This leads us to the next, perhaps most important thing of all to remember…
5. Know that there is no such thing as being fully “secure”
The word “secure” in the world of cybersecurity is equivalent to the phrase “world famous” in the world of pizzerias. You probably have a “world famous” pizzeria near your house, that your neighbour in the next town over has never heard of. Similarly, cyber defense companies often market their products as “secure”. The word means nothing. Security in cyberspace exists along a spectrum, and no such thing as complete security exists. Even the most secretive, offline, highly-guarded military networks are insecure in one way or another.
So if you’re a high-level decision-maker at your company, and an employee in IT tells you “our systems are safe,” they’re lying to you. If a third party tries to sell you their product by offering 100% protection, they’re selling you frontier medicine.
The harsh reality is that no digital system is ever fully out of reach of the right kind of attacker. All you can do is your best: to understand the scope of the issue, implement fundamental cybersecurity best practices, and fill your halls with talented and dedicated people. Simply by giving the problem enough thought to seek out and read this article all the way to the end, you’re on your way to being ahead of the game.