Getting hacked sucks, cybercrime is rising, and we need to savvy up
We live in a world that is becoming ever more digital, particularly as companies undergo digital transformation. When I was growing up, there was no concept of data security or cybersecurity – Intel had only just released its first microprocessor and the personal computer hadn’t yet been invented. Now, I find myself with 3 smart devices, a car controlled by software, more online accounts than I can keep track of, and a fear of having my credit card hacked yet again.
With apps, smart devices, and digitization, there is more data on everything, on everyone, and everywhere. With outcries over the use of personal data, the recent GDPR changes in Europe, and data breaches at giants such as Anthem, eBay, Uber, United Airlines, FedEx, Target, and JP Morgan Chase, we as digital citizens should be more concerned, aware, and savvy about data. Whether as individuals, companies, or governments, we need to collectively step up our game, myself included.
Pervasive, Never-ending Data
There is a lot of talk about data these days: big data, data breaches, data science, personal data, etc. Perhaps the first step to talking about data security is to understand what data is: data is any information in a form a computer can store and process, from documents and photos to account records and sensor readings, and it generally lives in files and databases on personal devices, on servers, or in “the cloud.” The transition from analogue to digital, and now from digital to online and connected, means that the amount of data being produced has exploded. More data means more risk of being hacked: there is more to be stolen, more places it can be stolen from, and more value in it for an attacker.
Companies, organizations, and governments, and certainly their executives and managers, should understand what data they hold and how their hacking risk depends on how much data they produce, what they do with it, and what industry they are in. Further, corporate culture and job descriptions are not yet aligned with the risks hackers pose, and therefore not with the demand for greater cybersecurity – that needs to change.
As individuals, we really have to wrap our heads around the invisible stores of data we are producing and accumulating across multiple devices and connected systems. Our habits and actions are not aligned with the real risks because we don’t understand what hackers want or what our data is worth to them.
Understanding Risk and Responsibility
Given what hackers want and why they hack, some industries are more at risk of being hacked than others. Thus, depending on an organization’s role and industry, or a person’s employment and personal situation, some people are more at risk than others. Here are five industries that are prime hacker targets:
- Healthcare: data on patients, hospitals, and R&D is highly valuable and can be used to extort money, profile people, or blackmail them.
- Manufacturing: data on intellectual property, R&D, and business secrets is valuable in a highly competitive industry, and one that also produces the hardware and software inside consumer and commercial goods such as cars, planes, IoT devices, and medical equipment. Hackers could demand ransom, install malware, use inside information to profit on stocks or start copy-cat businesses, gain a competitive advantage, or seek to control the goods themselves.
- Financial services: data and access, chiefly to steal money outright or to profit from what the data reveals.
- Transportation and logistics (aviation, maritime, mass transit, highway infrastructure, tracking and positioning systems): data and access could enable terrorism, mass chaos, physical harm and damage, theft of goods, tracking of people, or financial gain.
- Government: data and access mean the ability to profile, blackmail, hold for ransom, or influence.
Bitcoin has recently become a target in the financial industry, yet I’m not sure that Bitcoin buyers understand that their personal risk increases the moment they make their purchase. I feel bad for writer John Briggs, a victim of a SIM hack, who opens his article on bitcoin hacking with the line “A year ago I felt a panic that still reverberates in me today.” He goes on to detail how the hackers stole his bitcoin, and how another victim, Michael Terpin, lost $24 million in a similar ordeal.
Arguably, this raises the question of whether the responsibility for understanding digital security risks lies with customers and with us as individuals, or whether it lies with companies to educate potential and current customers. Cybersecurity is a huge issue as we move into an ever more digital world, and wising up to hacking is not just a matter of personal security: it’s a matter of business. There is no area of an organization that won’t be affected by a hack. Hacks disrupt business, cost money (sometimes billions), force product or service changes and additional work, cause chaos, upset customers (notably through frustration and a loss of trust and confidence), and can possibly lead to injury, destruction, or death.
Savvy-up Internally: People
It doesn’t matter if you’re a manager or a CEO; everyone should know the four kinds of hackers (cyberterrorists, hacktivists, state-sponsored actors, and cybercriminals) and what each could do with data and access once they have successfully broken in. Further, we should all know their attack toolkits, methods, and resources. If you or your team can’t explain both to someone else, you’ve got work to do. Arming ourselves with such knowledge helps to build a stronger (though invisible) wall of protection against hackers. In an age of connected devices, dependence on software, and commercial IoT, it’s up to all of us to savvy up about digital security.
Realigning Job functions and performance
Companies, organizations, and governments must pay attention to their security and to the risks to which they are, or could be, exposed. But it doesn’t stop there. There is a huge responsibility on those who make products to build them well – particularly software engineers, product managers, and anyone working with networks or IoT. If you are an executive or run teams of managers and engineers, are you setting up appropriate KPIs, reviews, and training? There is a responsibility on those who run companies to manage them well: organizational design is part of cybersecurity. Anyone hiring should hire well, particularly in an industry at higher risk of attack. Hiring isn’t just about quality; it’s also about spending appropriately in proportion to cybersecurity risk. If you’re in FinTech, you should calculate whether it’s worth hiring a few extra engineers, architects, or network security specialists, since they might reduce losses from hacks and turn out to be a positive-NPV investment. To give Tesla credit, they did exactly that.
It’s also up to executives and managers to examine application, information, and operational security; disaster recovery and business continuity; and end-user education. Those are company-wide tasks in today’s digital world, not just the CTO’s. Job functions and performance evaluations need to shift so that the monitoring and analysis of digital security amount to more than a line in the CTO’s job description. Is the marketer reporting on cybersecurity-related KPIs? Does the COO’s job include operational security KPIs and reports, as well as plans for disaster recovery? Further, are company executives and managers measured on how they handled the immediate and long-term aftermath of a hack? It’s time for leadership to shift job training, organizational structures, KPIs, and job functions so that they reflect the philosophy that digital security is everyone’s business.
Executives need to have a global understanding of digital risk for their companies and to know when it’s time to invest in R&D, services, or additional products to mitigate that risk. Companies spent $86.4 billion on information security in 2017, and more is predicted for 2018. Lastline, a UC startup tackling enterprise security at the network level, has already raised $54 million in funding – clearly, there is a need and an opportunity. We are now in an age when the CEO needs to be able to converse technically with the CTO and her team and truly understand the technical side of digital risk for her firm.
Hacker Scenario Planning
Whether you work for a startup or a Fortune 100 company, are you really prepared for a hack hitting your business? Target, eBay, FedEx, and Anthem have all had major data breaches in the last five years, as has the federal Office of Personnel Management. Was the CMO of Target ready to address the hack when it came – from press to internal communications to customer communications? Was the COO of Anthem ready to respond in real time to leaked patient data? Was Target’s customer support team ready to handle millions of inquiries from credit card holders? Perhaps it’s time for hacker scenario planning, in addition to a much deeper understanding of technology, for all employees, managers, and executives.
Hacker scenario planning might sound silly, but I’d argue that companies who aren’t scenario planning don’t understand the risks hackers pose. Theft of IP, trade secrets, personally identifiable information, or other valuable data, and access to systems and thus control of hardware or networks (and any device on those networks), are high-risk items for a business. Imagine you work for a utility company and hackers gain access to your network. They gain control over the water system and electricity grid for thousands of homes. As CEO, does your entire organization know how to respond so that impact, damage, and costs are minimized? Is there internal chaos, or execution of a scenario plan?
The NotPetya attack is one of hundreds of examples of why companies need every department prepared to respond when a hack occurs. Andy Greenberg shares an inside view from Copenhagen as Maersk realized it was experiencing a cyberattack. There was panic, people running through the hallways, and, worst of all, 800 seafaring vessels carrying enormous amounts of cargo were dead in the water as Maersk’s network went down. It turns out that Maersk was in good company: the NotPetya malware spread worldwide and hit food producer Mondelez, carrier TNT Express, and pharma giant Merck, among others. The attack cost an estimated $10 billion in total. Were any of these giants ready to respond to such an attack? I don’t know, but I sincerely hope that today they measure and monitor their risk exposure and the probability of damage, that their company culture has shifted to an attitude where everyone is responsible for cybersecurity, and that their CFO is considering a line item in the books for anticipated costs due to potential hacks.
A Customer-Centric View to Security
In a world of customer centricity, companies can’t underestimate the value of customer support and communication when a hack occurs. I’ve had my credit card information stolen more than once, and it is a major inconvenience. It takes an enormous amount of time and energy to remedy the situation, close accounts, open new accounts, set up alerts, input new credit card information into automatic bill payment systems, etc. - a serious hassle. What’s worse is that now I fear getting hacked because I don’t want to go through the same hassle all over again. From a customer relationship perspective, my bank is not doing well in my eyes – and that’s exactly what companies need to address: the customer relationship and confidence in use of their product.
I “drive” a self-driving vehicle and I love it! I just want to make sure that I’m always in control of my destiny, and hacked cars are the antithesis of that. Would they lose my business if they got hacked? More than likely, yes. I don’t want to live in fear every time I get in my car. The question is, what are companies doing about the human side of hack impacts – and that is exactly the question Tesla faces after a recent discovery of how to hack their Model S key fobs.
Shift in Our Attitudes on Digital Security
Continuing the car company example, organizations need to shift how they define themselves and their company cultures, particularly in how they relate to data security and cybersecurity. For example, companies that manufacture vehicles are also developing smart and autonomous vehicles, which arguably makes them technology companies. I’d be willing to bet that most employees of a car manufacturer wouldn’t name cybersecurity as a company priority, but if you asked employees of a typical technology company, far more would. Companies are becoming technology companies, so executives need to shift company culture to include much greater awareness of, and responsibility for, cybersecurity given the enormous risks involved. It’s time for companies to develop cultures of digital citizenship: more than mere awareness of cybersecurity, an internalized responsibility and ownership that recognizes digital risk and acts to reduce it.
As an individual, too, it’s time to be a digital citizen: in the same way that people take measures to protect their physical belongings and possessions, there should be equivalent effort, if not more, to protect digital possessions – your data and devices. Individuals should conduct annual digital audits, reviewing all online accounts, where data is stored, who has access and with what passwords, which devices are connected, and what access has been granted to third parties. It’s up to individuals to understand what’s at stake and to minimize their risk, knowing there is a trade-off between security and short-term convenience. Finally, it’s time to make a commitment on passwords: stop reusing passwords and start using long (at least 16 characters), randomly generated passwords, no two the same, ever. A password manager removes most of the inconvenience of doing so.
Overall, we have a lot of work to do when it comes to data security and to changing our attitudes, actions, jobs, and companies. We are active digital citizens, and it’s time we really understood the risks of data theft and unauthorized access, the risks of connected devices, and the implications of both for ourselves, society, and business. After all, tomorrow’s generation can only benefit from technological advances if those advances are adopted, and cybersecurity will remain a hindrance until we, collectively, address it better.
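The two concrete pieces of advice above (audit your accounts; never reuse a password, and make each one long and random) are easy to automate. The following is an added example, not code from the original article, showing what the password part of a personal digital audit looks like in practice: it takes a list of (service, password) pairs such as a password manager would export, flags passwords shared by more than one service and passwords under 16 characters, and generates replacements from the operating system's CSPRNG. The credential list embedded in the script is constructed for illustration, and the hashing helper is only there so the report never carries plaintext; it is not a password-storage scheme.

```python
"""Personal password audit: find reused and short passwords, and generate
replacements. Added example, not the article's own code. The credentials
below are a constructed sample, not real accounts."""
import hashlib
import math
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 16
# 52 letters + 10 digits + 32 punctuation characters = 94 symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample export, shaped like what a password manager hands back.
SAMPLE_CREDENTIALS = [
    ("bank", "Summer2018!"),
    ("email", "Summer2018!"),
    ("shop", "correct horse battery staple"),
    ("utility", "Summer2018!"),
    ("forum", "hunter2"),
]


def fingerprint(password: str) -> str:
    """Short hash used only so the report never contains plaintext.
    A fixed audit-wide salt keeps equal passwords colliding, which is what
    reuse detection needs. This is NOT how a password should be stored."""
    return hashlib.sha256(b"audit-salt:" + password.encode()).hexdigest()[:16]


def find_reuse(credentials):
    """Return {fingerprint: [services]} for every password used by 2+ services."""
    groups = defaultdict(list)
    for service, password in credentials:
        groups[fingerprint(password)].append(service)
    return {fp: svcs for fp, svcs in groups.items() if len(svcs) > 1}


def find_short(credentials, min_length=MIN_LENGTH):
    """Services whose password is shorter than the minimum length."""
    return [service for service, password in credentials if len(password) < min_length]


def services_to_rotate(credentials):
    """Sorted, de-duplicated list of services whose password must change."""
    flagged = set(find_short(credentials))
    for svcs in find_reuse(credentials).values():
        flagged.update(svcs)
    return sorted(flagged)


def generate_password(length=20, alphabet=ALPHABET) -> str:
    """Uniformly random password from the CSPRNG (secrets), never random.choice."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET) -> float:
    """Entropy of a uniformly random string of `length` symbols from `alphabet`."""
    return length * math.log2(len(alphabet))


def main():
    reused = find_reuse(SAMPLE_CREDENTIALS)
    for fp, svcs in reused.items():
        print(f"password {fp} is shared by: {', '.join(svcs)}")
    print("too short:", ", ".join(find_short(SAMPLE_CREDENTIALS)) or "none")
    print(f"a {MIN_LENGTH}-char random password has "
          f"{entropy_bits(MIN_LENGTH):.1f} bits of entropy")
    for service in services_to_rotate(SAMPLE_CREDENTIALS):
        # Replacement is generated fresh per service, so no two are alike.
        print(f"rotate {service}: {generate_password()}")


if __name__ == "__main__":
    main()
```

Two design points worth noting. Reuse is detected by grouping on a hash rather than on the plaintext so that the audit output can be kept or shared without leaking the passwords themselves; a fixed salt is deliberate here because the goal is to make identical passwords match, the opposite of what a storage hash wants. Generation uses the `secrets` module because `random` is seeded from a predictable state and is not suitable for anything an attacker might try to guess.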