Five things executives need to know about defeating cyber criminals

We have always looked to size, operational longevity and market share as indicators of success in the corporate world. Perhaps it is a sign of arrogance, but we tend to marvel at those metrics and, once they are achieved, even think we are untouchable. Now that we have moved from the industrial age into the cyber age, those measures of success are constantly being challenged, and it should be evident that no one is immune from a fatal blow to both the personal ego and corporate existence.

Take Verizon, for example. Verizon is one of the world's leading service providers, and delivering cyber security consulting and managed services to its clients is an important piece of its offerings portfolio. We therefore look to organisations like this as the noble warriors who are leading the way and guiding those of us for whom cyber security is an alien concept. Each year Verizon produces the Data Breach Investigations Report, which is read by a large portion of the cyber security industry almost as if it were the answer to life, the universe and everything. We expect companies like Verizon to be on top of cyber crime, yet they too became a victim in late March 2016, when more than 1.5 million of their client contact records were stolen and put up for sale on the cyber criminal black market, a place known as the Dark Net. I guess that means Verizon will be one of the features in this year's report.

High-profile entities such as the Pentagon, the FBI, the NSA and the Department of Defense have also been successfully breached in recent years. All had a considerable budget to deal with cyber crime, yet these heavyweights were no match for the cyber criminals. Of course this is not a new phenomenon. Since the dawn of time, we have seen the almighty warriors we considered infallible fall apart in the face of what was mistaken for a lesser threat. Think about the battle of the puny David versus the almighty Goliath and it is easy to see that there is no guarantee of victory, even for the greatest of warriors. This should come as no surprise, although it frequently does. After all, behind the armour and weapons, we are human. We are flesh and blood. We have weaknesses. We make mistakes.

It is easy to throw our hands up in the air and proclaim that if the almighty, who possess the biggest budgets and the best weapons money can buy, can be so easily toppled by cyber criminals, then there is no hope for the rest of us poor, underfunded and underprepared souls. But that attitude will not get us very far. We have a problem. We are in the midst of a war. Whether you like it or not, you are an unfortunate opponent who has been dragged into this war: the moment you started to use the Internet, you enlisted. It is time to be thinking of solutions to this problem. In the end any war, whether it is a game of chess, a full-fledged aerial assault, the final of the World Cup or an encounter with cyber criminals, is won by the opponent with the best strategy. Strategy is well within your budget. As an opponent in the war against cyber criminals, the real question is: how good is your strategy for cyber resilience?

First of all, before I delve into strategy, let's focus on cyber resilience. Why cyber resilience and not cyber security? The problem with security is that it is binary: it either exists or it doesn't. The moment a single weakness has been identified and exploited, security no longer exists. Think about a bank vault. You may say that a bank vault is secure until a bank robber breaks into it; from that point on, nobody would ever call that same vault "secure". That means that, to achieve cyber security, your organisation would need to prevent every possible cyber crime. If you entered 10,000 battles against cyber criminals and lost just one of them, you could not claim to be secure. Resilience, on the other hand, is a measure of how efficiently and effectively your organisation can recover from cyber crime. It is a measure of survivability, not a measure of utopian perfection.

Now, back to strategy. Here are five things you need to know about a strategy for cyber resilience:

  1. Your cyber resilience strategy has to exist. That is, it has to be documented, reviewed, updated as required and communicated to all necessary stakeholders. A strategy that exists only in one person's mind is not a strategy but a short-lived idea. If you do not have a documented strategy, you need to get started.
  2. Your cyber resilience strategy must align with, and be an enabler for, your business strategy. All too often I see cyber resilience strategies that align with, at best, an IT strategy, and in most cases they fail to align even with that. If your cyber resilience strategy aligns only with IT, it will miss the bigger picture. Cyber crime has consequences that go beyond technology: it can have an operational impact, and it can also have physical, personal, legal, reputational and financial impacts. I don't know about you, but I do not see IT as the subject matter experts for impacts such as legal, reputational or financial ones. All of these need to be factored into your cyber resilience strategy, and that means involving subject matter experts who may sit outside of IT. In any case, if your strategy is not aligned to the business strategy, it is time to go back to the drawing board.
  3. Your cyber resilience strategy needs to be owned and guided by the executive team. It can take input from those in the organisation, or even from third-party advisors, but in the end the executive team is ultimately accountable for the strategy. Far too often I see this delegated to IT people who, at best, create a wish list of technologies, much like the list of toys you wrote to Santa each December as a child. If the CEO and board of directors are not guiding your strategy, it's time to start over.
  4. Your cyber resilience strategy needs to be more than a list of goals. It is not just the outcome you are seeking, but a map to get there. I cannot begin to count the number of times I have seen strategies that are hollow goals without a timeline for completion or a path to follow. It is completely understandable that the path to those goals may change, but a good strategy accommodates twists and turns, as long as we get back on course after unexpected detours. If your strategy is a list of goals, now would be the time to beef it up with some real substance.
  5. Your cyber resilience strategy needs to define actions. Without actions it is like that rotting wooden fence that never saw a coat of paint, despite the unopened tin of paint bought specifically for the fence when it was built. Without defined actions you may as well not have a strategy at all, and you can probably guess that I am going to tell you to take action by defining actions within your strategy.

There is a significant chance that by now you are contemplating starting a new cyber resilience strategy that takes these five elements into consideration. It is worth spending some time on this and doing it right. If your strategy is inferior to that of your opponent, cyber criminals will challenge, and could seriously damage, the size, operational longevity and market share that have become the cornerstones of your success.

About Andrew Bycroft

Andrew Bycroft
