Steven began his working career some twenty years ago. Learning business ropes from his father and taking every opportunity to learn from previous bosses and mentors, Steven had a high level of confidence that one day he would own his own company.
Ten years into his career, Steven finally quit working for the man and branched out on his own. After a slow ramp-up period, things started clipping along and Steven was eventually making money – a profit, even. In the grand scheme of things, Steven knew that he should probably be surrounding himself with other smart people who could help him make informed decisions about important areas of his company that he wasn’t really all that familiar with. But ‘knowing’ and ‘doing’ are two different things. Steven ultimately and unwittingly became one of the greatest risks to his own organization.
Steven had heard mention of cyber security. He thought there was a slight chance that his company could be vulnerable, but he also thought he had a better chance of winning the lottery than he did of being hacked, and since the lottery was already a several-million-to-one shot, he pushed cyber security thoughts out of his mind. His naïve beliefs actually blinded him to the realities of how vulnerable his company really was – and at his own hand, no less.
On his way into his office one day, Steven found a jump drive in the parking lot. He picked it up and after grabbing a cup of morning joe, he plugged the jump drive into his computer to see if he would be able to figure out who it belonged to so he could return it. Unfortunately, someone didn’t ‘accidentally’ drop the jump drive – it was intentionally left there, seeded with a virus that sent out a beacon to its cyber-criminal owner to transmit where it was plugged in. The innocent act of simply plugging the jump drive into his computer ultimately bypassed security and provided the criminal with full access to Steven’s company as well as his family’s personal files. And just like that, Steven became a statistic.
What You Need To Know
The article below discusses factors that impact businesses, business owners, and members of their Board of Directors, and it also discusses areas that may significantly increase cyber risk, potential liability, loss of business and reputation.
It’s safe to say that data breaches are getting worse and we hear about another major breach somewhere around the world almost every week. For some, breaches have become commonplace, a part of doing business. If that’s true, I would argue that ignoring the risks rises to the level of negligence.
The level of concern, especially among business owners, is definitely ramping up. Despite this concern, though, far too many CEOs, executives and Boards are not taking the risks seriously.
“Optimism Bias” & Complacency
The first factor that adds to your risk is a theory called “optimism bias.” Below are some survey questions I frequently use when speaking at conferences:
- Do you believe your firm or business will be breached this year?
- If yes, is there an 80% or 30% chance of the breach?
- Do you believe another firm/company, or, “the other guy,” will be breached this year?
- Is there a 30% chance or 80%?
Most of those surveyed believe they will not be breached or that there is a low probability. Conversely, most believe the “other guy” will be breached and there is a very high probability. Why? What have you done differently? Is your security better than Target, Home Depot, NSA, the Pentagon, Lockheed-Martin, your local merchant?
So ask yourself, “Do the standard security practices work better on my network, or do I use magic security practices that no one else is aware of?” Whether you are the victim of a random drive-by breach or specifically attacked in order to gain mergers and acquisition data on your clients, you are under attack and you will likely fare no better than most.
If you think your security is better, why do you believe that? Most businesses surveyed believe their security is pretty good, certainly better than their neighbors’, and the chances of suffering a breach are fairly low. In reality most companies either will be or have already been breached. Amazingly, a large number of business owners who claim they won’t be breached also had little to do with the implementation of their own security and likely do not truly understand it.
According to the FBI, cyber crime will eclipse terrorism. In the past, the saying was that “there are only two types of companies: those that have been hacked and those that will be”. Sadly, even that is merging into a new category: those that have been hacked and those that will be again…
Don’t Assume Someone Else Has Taken Care Of It
Passively assuming that someone else, like your outsourced IT company or your in-house IT department, is identifying and addressing the threats and risks is not an adequate form of risk management. Some IT professionals may be skilled and thus able to serve a dual-role as security and IT professionals, but most are not. So, the battle begins — that is, the battle for budget. Your IT guy’s primary focus is likely “uptime” and making sure everyone can access the network. Security, unfortunately, plays second fiddle.
In some cases the IT department or outside company doesn’t know the full risk or extent of the vulnerabilities, but this is unlikely. What is more likely is that they do know but are hesitant to reveal how bad it really is, and how vulnerable your company is, for fear of the impression it will create. Regardless of the reason(s), the message about how much risk exists gets lost and is never fully conveyed to leadership, which is a risk in and of itself. IT departments and companies are playing with fire when they don’t reveal the true risks and vulnerabilities and then allow the leaders to address them.
Have you seen some of the TV ads for anti-virus companies that claim to speed up and protect your computer? Regardless of their true intent, they imply that they will make your computer or network 100% secure. Well, news flash, they don’t and they can’t! As a CEO, executive, or Board member, if you are given the impression that your network is secure – or if you’re told nothing and therefore assume it is secure – what will your reaction be when you are breached? You need to know how bad it is, along with the risks and the vulnerabilities in order to evaluate, mitigate and make informed decisions, so go ask!
Convenience v. Security
Technology has been both a blessing and a curse. Most of us have a love-hate relationship with our computers and mobile devices. What we love about them is the convenience, but the security, or lack thereof, threatens that convenience and our privacy. Most people find the security practices tiresome, awkward, and annoying. For instance, do you password protect your smartphone or mobile device? Believe it or not, many don’t. Passwords are annoying though, right? Many who do use passwords, usually because they are required to, use a very easy password, like 1234.
In 2014, 3.1 million smartphones were stolen. With no password or an easy password, a hacker or thief who finds or steals your smartphone or mobile device has full access to all of your social media, email accounts, texts, contacts, etc. Think about the high volume of data that your firm deals with, creates, receives, transmits, and carries around monthly. It is all at risk. You can’t afford to put yourself at risk because you find security rules inconvenient.
Self-imposed ignorance occurs when the threat or risk is downplayed. Conversely, “optimism bias” may also be a factor here. When I speak to companies about cyber-security and the need for a risk assessment, far too often I hear: “I’m not worried, I don’t have anything the hackers want to steal”, “I’m not worried, my business is too small”, or “I’m not worried, our IT guys make us use really good passwords and we have cyber insurance.” Wow! That’s like saying, “I will never get in a car accident because I am a great driver” or “I have good insurance.” Some things you just can’t control. The old saying was: “There are two things you can count on: death and taxes.” The new saying includes a third thing: getting hacked! It will happen. In fact it probably already has and you don’t even know it.
There are many tips, procedures and techniques that you can implement to improve your security, but, in my opinion, the first place to start and the most important is to do a self-risk assessment:
- Understand the information you collect;
- How it flows across your network;
- What devices it resides on;
- Who has access to it;
- How it is kept secure, and;
- Who you are connected to (e.g. ISP, Cloud provider, other services, etc.)
If an incident occurs or a client asks what you did or are doing to secure data, responding with, “I don’t know, ask my IT guy,” or, “We use really good passwords,” is probably the worst thing you can say. Statements like that will significantly increase your liability and make you look incompetent about an issue that is foremost on most people’s minds these days.
The point is, take an active role. You need to lead and manage the process. Don’t just hand it over to someone else like the IT department or an IT guy/gal or company, and forget about it. Never assume that your security is great, good, or even adequate. In all likelihood, it’s not. Security is a process that needs to be continually managed, not a set-and-forget concept. At any given time you must be able to articulate what you have done to protect data and your company. Pointing to the IT guy – whether internal or from an outside company – is not a risk management solution or a valid response during an incident response investigation. Where does your company stand? Are you a basic, progressing or advanced organization? Take charge, take control, and manage.
This article was contributed to the National Franchise Institute by David Willson who is a retired Army JAG and an attorney. In addition to having worked at NSA, he helped to establish CYBERCOM and provided policy and legal advice for many cyber operations. As the owner of Titan Info Security Group, he specializes in risk management and cyber security to help companies and law firms lower the risk of a cyber incident and reduce the potential liability if and when the firm or its vendor is compromised and all of the client information is stolen. He also provides cyber security awareness training and assists with other unique cyber issues.
If you are seeking resources to assist in your self-assessment, email David Willson for a free “Cyber Self-Assessment” form.