
Don't Gamble With Your Tech Security


This week's cyberattacks in Las Vegas are yet another reminder that you can't be passive about protecting your network and other digital assets. 

Illustration: Inc./Getty

Watching the hapless victims of a cyberattack as portrayed on The Morning Show -- running around like headless chickens while clueless executives demand protection from the just-arrived outside team of white-hat hackers -- I was painfully reminded of just how interconnected we all are by our devices. And how vulnerable every business is to network intrusions by criminals, and the extortionate ransom demands that typically accompany them.

When the workforce began returning to the office, people brought with them all the shortcuts, compromises, simplistic passwords, and other bad habits they'd adopted while working remotely, along with all the crap and viruses their kids inadvertently loaded on their laptops and home networks. Now's the time for companies to redouble their efforts to protect themselves, their people, their customers, their networks, and their digital assets from the increasing likelihood that they will be cyberattack targets. Remember, it wasn't raining when Noah built the ark.

The trouble is that until you've been the victim of identity theft or had a check ripped off from the mail, every individual and business thinks it won't happen to them. You can explain the risks, the economic and reputational costs, and the relatively inexpensive preventative steps one can take. But you can't understand for them.

An excellent case in point: two of the largest casinos in Las Vegas just got hit by cyberattacks, with Caesars paying millions in ransom (without sharing any of that information on the Strip) shortly before MGM got hit with a similar attack. We've been led to believe by Hollywood heist movies that it's incredibly tough to take on a casino because of massive security and surveillance technology. Guess not. You can't really stop what you can't see, and keeping ahead of the hackers is more difficult every day. You either pay upfront for protection and keep your fingers crossed, or you pay after the fact for the failure and hope it doesn't happen again.

In the recent Morning Show episode, the head honchos at the UBA network were ultimately unwilling to pay a $50 million ransom, although it appeared the network could come up with the cash. Obviously, this is far from the case for most companies and institutions.

For many startups or relatively new businesses, a substantial and unpayable demand would very likely mean the death of the firm. Startups are rarely sitting on piles of cash. Investors never want to see their funds going out the door to pay ransoms. And new business builders almost never spend scarce dollars on insurance. Apart from the D&O insurance their investors demand, a startup is unlikely to have purchased sufficient business interruption protection to cover cyberattacks. Entrepreneurs believe in passion and promotion, but rarely commit to downside protection. One of the clearest COVID-19 lessons was just how strapped and skinny most startups are, and how little thought and money they commit to resilience and to backing up their businesses and their data securely offsite.

To me, the show actually had a far more important message, especially for executives and senior managers charged with cybersecurity responsibilities. The episode tracked the responses and reactions of the various junior and senior staff members to the crisis. Whether through stupidity, selfishness, or inadvertent subversion, several characters completely ignored the experts' very specific directions to surrender their mobile phones to contain the spread of the virus. Worse yet, despite being told that the corrupted phones represented further risks of damage, they stealthily snuck off to make personal calls. Which reminded me of an old truism: men are not against you; they are merely for themselves.

The point is that no one has the luxury of acting alone because there's really no digital environment that's absolutely isolated or secure. Every system is subject to human intervention, frailty, ignorance, and self-interest. If your team doesn't seriously commit to securing your systems, it's just a matter of time before you suffer. A little inconvenience and some simple precautions can avoid a ton of disruption. And as a recent Deloitte survey shows, the risk isn't where you expect. Gen-Z is, in fact, more likely to fall for these schemes than older employees. Turns out, they only think they're smarter and more computer-savvy than you.

There are three major messages that senior management needs to consistently deliver, and then demonstrate through their own actions. An example or two of conscientious compliance by the boss is worth a million words.

First, make it absolutely clear that the concerns expressed about system security aren't nags or nuisances, they're necessities. They represent existential risks to the business, and the safeguards that have been implemented aren't casual or suggested, they're mandatory and will be strictly enforced. But just saying it doesn't make it so. Your whole organization needs to live it.

Second, it's easy for people to assume these matters are someone else's responsibility, and to hand it off to the IT guys and let them worry about it. That's misdirected: the vast majority of breaches aren't super-sophisticated or driven by complex technical intrusions. They're the result of simple sloppiness, reuse of passwords, laziness in terms of updating software, and of course, social engineering, which rarely has anything to do with the technical aspects of your systems. You want your people to be helpful when asked, but, in these precarious times, a fair amount of caution, suspicion, and confirmation makes a lot of sense. Keep in mind that 91 percent of all known cyberattacks start with email phishing.

Third, fraudster phishers and hungry hackers have increasingly adopted two strategies: (1) they use fake Microsoft logos and language to misleadingly alert users to the falsehood that their passwords need to be changed before they expire or are turned off; and (2) they send millions of fake emails with titles relating to year-end comp changes, salary adjustments, and bonuses, which appear to be coming from internal HR departments. They're not, but the temptation to open them is close to irresistible. Now is a very good time -- since October is National Cybersecurity Awareness month -- to remind your team about these two schemes in particular, and to consider how best to distinguish your legitimate communications from the noisy and cluttered mess.

None of this is easy to pull off, but all of it is critical to getting ahead of the problem. Sharing stories from other companies and articles about attacks is helpful, but sadly, most people still won't believe these things can happen to them -- until they do.

SEP 26, 2023
