Flashback to 1995. Marc Andreessen, a recent University of Illinois Champaign-Urbana graduate and cofounder of the startup Netscape, was committed to providing access to the internet for the common person. Netscape launched the Mosaic web browser, which opened up internet access to people outside of the defense, scientific research and academic communities.
Early on, almost no one understood the risks of connecting corporate networks to the web.
During that era, very few people understood what havoc was about to be unleashed by connecting company networks to the internet. My startup, Raptor Systems, was one of the very first commercial cybersecurity vendors. As the company’s chief marketing officer, I was tasked with educating the market on inherent risks, while positioning Raptor as the vendor of choice for early adopters in this nascent market. To introduce Raptor, I formally launched the company with an extended, highly successful media and analyst tour.
Despite the coverage that resulted, it was slow going at first. When Russian hackers breached Citigroup’s corporate network and stole $12M (lunch money by today’s standards), the story appeared on the cover of the Wall Street Journal. Only then did businesses finally wake up. From that point forward, the market started to accelerate. Raptor quickly emerged as the fastest-growing software company in America. We took the company public on the NASDAQ and eventually sold the business to Silicon Valley security giant Symantec. After the inflection point of the Citigroup hack, everything moved very quickly.
In some ways, everything has changed. Yet, in others, nothing has. So, what remains the same?
Despite the fact that cyberattacks have been perpetrated on businesses for over 20 years, most companies are still woefully unprepared for an attack.
- Thorough, clear security policies
- Understanding of precisely where data resides
- Prioritization of what data is most important and requires the most protection
- Employee education on how to prevent inadvertent access through clicking on phishing scams
- Ability to prevent malicious insiders from doing serious damage
- Effective communication of the risks in language that can be understood by corporate boards and executives
- Investments in technologies to quickly recover from an inevitably successful attack
Still, Much Has Changed
Today, cyberattacks and data breaches seem to be weekly occurrences, with new threats around every corner. The frequency, sophistication and severity of these attacks have increased exponentially, with seemingly no end in sight to the acceleration of this market. In fact, research firm Cybersecurity Ventures predicts that there will be an attack every 14 seconds, with an aggregate of $6 trillion in damages in 2021, up 100% in just five years.
Many high-profile attacks have created havoc, interfering with ongoing operations at organizations as varied as the City of Atlanta, FedEx, A.P. Moller-Maersk, Reckitt Benckiser, Target, Honda, Equifax, the Laboratory Corporation of America and Yahoo. Many billions of dollars in losses have been incurred from this handful of the most visible attacks. According to AT&T, 62% of companies have reported breaches, although it is believed the number is actually far higher, as organizations hesitate to admit to this outcome for legal and financial liability reasons. Of course, it’s not only large organizations that are under siege.
So, what is new?
- Virtually every company is doing business in the cloud, whether it be SaaS-based business applications from vendors like Salesforce, HubSpot, SAP, Workday or Zendesk, or hosting corporate databases and applications through Amazon Web Services, Microsoft Azure or Google Cloud
- A new generation of hackers is now targeting cloud services providers (CSPs) rather than attacking companies individually. The goal is to use the CSP’s networks to spread malware and spying tools to their respective clients
- Supply chain attacks have grown by orders of magnitude, up 200% in just one year, according to Symantec
- With ecommerce sites for DIY hacking kits and tools and stolen credit card information, the technical skills required to break into networks have fallen dramatically. All of this can be paid for in cryptocurrency, allowing hackers to remain anonymous
- The new, EU-led GDPR standard makes companies criminally liable and subject to large fines for data breaches
- Slow but steady emergence of metrics for measuring the health of a company’s security defenses from the US National Institute of Standards and Technology
- Corporate boards have finally begun to hold CEOs and executives accountable
What’s to Be Done
In a recent cyberattack simulation held at Coventry University in the UK, mixed teams of business, IT and security professionals worked to fend off a simulated attack. The problem was that the business people were like deer in the headlights. They expected their IT brethren to do the heavy lifting – herein lies the problem.
Cyberattacks increasingly have financial, reputational and legal implications in addition to technical ones. Corporate boards and executives need to recognize that this is just like any other business risk.
Executives across a wide range of departments and functions must understand the threats to their businesses and know how to proactively prevent and respond to them.
A few ways to increase your cybersecurity knowledge:
- Take an introductory 2-hour free course with ESET:
  - Overview on threats, password policies, email protection, web protection, preventive measures, etc.
- Attend a cybersecurity conference with a managerial perspective, including:
  - Boston Cybersecurity Training
  - Gartner Security & Risk Management Conference
- Take an online course on a MOOC:
- Take an executive education course or certification at universities:
- Study in one of the new cybersecurity-focused MBA programs
  - University of Albany, full-time MBA with cybersecurity specialization, which covers both managing risks and assessing security incidents
  - Florida Tech, online MBA in cyber security
- Study in one of the new risk-focused law programs, with cybersecurity courses
  - Texas A&M School of Law; Masters of Law Degree in Risk Management
- If you’re an executive with a small/medium business, attend the WSJ’s Pro Cybersecurity Small Business Academy
We need business professionals to step up and take ownership of this increasingly mission-critical business issue. That means peeling back the curtain, regardless of how terrifying it may appear, and learning as much as they can. Knowledge is power. It’s time to level the playing field.