When it comes to the cyberwars, are the good guys or bad guys winning? I recently moderated a panel at the Techonomy 2015 conference in California that explored this question, as well as the impact technology will continue to have on our security.
The answer isn’t a simple yes or no – and in light of the recent events in Paris, the question of our security feels even more critical. All of us on the panel cited many examples that suggest we’re making progress. But it’s still a constant struggle. In our wide-ranging discussion—on topics from cybercrime and privacy and regulation, to the “Internet of Things” (IoT)— we agreed that the industrialization of cybercrime is upon us and that vast numbers of today’s criminals are networked and well equipped. This cyber war isn’t going to be won quickly or easily. All organizations must prepare themselves for a series of battles. Here’s why.
In the past year, there’s been a lot of buzz around the positive potential of the Internet of Things, or IoT—the increasing connectedness of physical objects ranging from airplanes to washing machines and even children’s toys. Everything is getting embedded with software, electronics, and networking. These new developments are promising, and I hope will make our world more efficient through their interconnectivity.
But there’s also been cause for concern. This past July, Wired broke a story on two researchers, Charlie Miller and Chris Valasek, who exploited a vulnerability in a Jeep Cherokee that allowed them wireless access to the vehicle’s air-conditioning, windshield wipers, radio—and even its brakes and steering wheel. The story went viral, and within a week, Chrysler was forced to recall 1.4 million vehicles.
This was a crisis averted, but as the IoT expands, such threats will become more prevalent. Cyber-criminals will continue to exploit vulnerabilities in new technologies, and may cause irreparable damage to both organizations and individuals. And so I believe enterprises, and more specifically executives and board members, must prepare to be more resilient in the face of inevitable attacks.
These risks are not new. The annual cost of cybercrime is already estimated to be well over $400 billion. For context, that’s as if the largest-ever bank robbery—the $1 billion heist in 2003 from the Central Bank of Iraq—was pulled off more than once a day, every day.
Part of the problem rests in companies’ shaky digital foundations. In the rush to digitize the business, companies often address cyber threats by “patching” software written thirty years ago, rather than re-writing code to combat the threats of today.
Directors have added cybersecurity to their agendas, but there is no standard methodology for boards to think about cybersecurity, or guidelines to help them navigate this issue. To meet increasingly complex cyber threats, companies must empower directors and executives to be accountable for cybersecurity, systematically evaluate assets to understand which are most important and vulnerable, and prioritize for varying levels of cyber protection based on risk. Organizations should also assess their third-party relationships to limit digital exposure through business partners. They should proactively hunt for signs of compromise in their environments and immediately address any issues they find.
And perhaps most importantly, companies need to formulate rigorous incident response plans to minimize and mitigate damage when a breach inevitably does occur. When all of these things are done consistently, only then will we be prepared for existing and new challenges. The technologies and the criminals are increasing in their capabilities as quickly as companies are improving their responses.
Another key point the panel discussed is how important it is for consumers and employees to be educated about the dangers of cybercrime to minimize human errors that increase vulnerability. Employers must invest in a real risk management program—combining information security products with continuous cybersecurity awareness, education, and training programs. Similarly, owners of smart objects–which increasingly means all of us–must also educate themselves on ways to limit their risk exposures.
The cyberwars impact everybody, every day, whether we like it or not: in 2014 alone, it’s estimated that 47% of all American adults had personal information stolen by hackers, primarily through data breaches at large companies. To win key battles in this cyberwar we must change our business behavior and mindset to focus on cyber resilience, as consumers and as enterprises that provide products and services.
This means we need to be smartly defended, but also be ready to respond to inevitable cybercrime as quickly and effectively as possible. Living in an increasingly interconnected world will allow us to do many innovative things, but we need to be cautious and prepare for the potential risks. We are most certainly safer and more efficient because of the connectivity and automation we get through computer technology—but we need to do more to stay ahead of cyber criminals’ exploits.
Michael Patsalos-Fox is CEO of Stroz Friedberg, which does computer forensics, investigations, and electronic discovery focused on cybersecurity.