As the scale and complexity of the cyber threat landscape is revealed, so too is the general lack of cybersecurity readiness in organizations, even those that spend hundreds of millions of dollars on state-of-the-art technology. Investors who have flooded the cybersecurity market in search for the next software “unicorn” have yet to realize that when it comes to a risk as complex as this one, there is no panacea — certainly not one that depends on technology alone.
Spending millions on security technology can certainly make an executive feel safe. But the major sources of cyber threats aren’t technological. They’re found in the human brain, in the form of curiosity, ignorance, apathy, and hubris. These human forms of malware can be present in any organization and are every bit as dangerous as threats delivered through malicious code.
With any cyber threat, the first and last line of defense is prepared leaders and employees, whether they are inside an organization or part of an interconnected supply chain.
And yet organizational leadership all too often demonstrates outright technology torpitude. An unprepared, lethargic leadership only amplifies the consequences of a security breach. The scale of the Yahoo breach disclosed in 2016, combined with the fumbling response, cost the company and its shareholders $350 million in its merger with Verizon and nearly scuttled the entire deal.
To prepare for and prevent the cyberattacks of the future, firms need to balance technological deterrents and tripwires with agile, human-centered defenses. These vigorous, people-centric efforts must go beyond the oft-discussed “tone at the top” — it must include a proactive leadership approach with faster, sharper decision making. As cyber threats grow exponentially, comprehensive risk management is now a board-level priority. Indeed, the iconic investor Warren Buffett highlighted cyber risk as one of the gravest concerns facing humanity during Berkshire Hathaway’s annual meeting.
Firms must recognize and react to three uncomfortable truths. First, cyber risk evolves according to Moore’s Law. That’s a major reason that technology solutions alone can never keep pace with dynamic cyber threats. Second, as with all threat management, defense is a much harder role to play than offense. The offensive players only need to win once to wreak incalculable havoc on an enterprise. Third, and worst yet, attackers have patience and latency on their side. Firms can be lulled into a dangerous state of complacency by their defensive technologies, firewalls, and assurances of perfect cyber hygiene.
The danger is in thinking that these risks can be perfectly “managed” through some sort of comprehensive defense system. It’s better to assume your defenses will be breached and to train your people in what to do when that happens. Instead of “risk management,” we propose thinking of it as “risk agility.” The agile enterprise equips all organizational layers with decision guideposts and boundaries to set thresholds of risk tolerance. All employees should not only understand what is expected of them regarding company policy and online behavior but also be trained to recognize nefarious or suspicious activity. The key attribute, particularly when it relates to cyber risk, is the concept of sense something, do something, which makes all people in an organization a part of a “neural safety network.” For example, the defense against the SWIFT banking hack, which saw some $81 million be stolen, was launched by an alert banking clerk in Germany who recognized a misspelling.
When we say all employees have to be risk agile, we mean all. C-level executives, board directors, shareholders, and other senior leaders must not only invest in training for their firm’s own employees but also consider how to evaluate and inform the outsiders upon whom their businesses rely — contractors, consultants, and vendors in their supply chains. Such third parties with access to company networks have enabled high-profile breaches, including Target and Home Depot, among others.
A skeptical executive could push back on this idea — won’t that cost a lot? The fact is, cybersecurity training is vastly undercapitalized, and the lack of investment in quality cyber education programs is manifest in the sheer volume of breaches that continue to be rooted in human failure. Worse, the volume of breaches is woefully underreported — even when they are identified early because firms are reluctant to amplify reputation risk. In a 2016 survey conducted by CSO magazine and the CERT Division of the Software Engineering Institute of Carnegie Mellon University, respondents reported that insiders were the source of “50% of incidents where private or sensitive information was unintentionally exposed.” Insider threats can include malicious activities but also mistakes by employees, such as falling for a phishing scam.
In short, there will be some investment required in enhancing personnel readiness. But it can be cost effective over time, particularly when compared to implementing cutting-edge cybersecurity technology that may become obsolete. To be clear, technology is a critical piece of the cybersecurity puzzle, but just as with a car containing all the latest safety technology, the best defense remains a well-trained driver.
Moreover, businesses slow to adopt stronger security measures may find themselves pushed into it by regulators. The latest regulations promulgated by the New York State Department of Financial Services, for example, requires that covered businesses “provide regular cybersecurity awareness training for all personnel.” This is just the tip of the iceberg of what is likely to come from other states and government agencies around the world, which are increasingly harmonizing their view of a “carrots and sticks” approach to cybersecurity compliance.
Artificial intelligence, machine learning, and self-teaching algorithms may represent the latest trends in hot IT investments, but technology exists for and is utilized by people. Corporate leaders would be wise to understand that the future of cybersecurity lies not in a single-pronged approach or miracle tool but in solutions that recognize the importance of layering human readiness on top of technological defenses.
By Dante Disparte and Chris Furlow