Cybersecurity is dead. Let’s face the facts here, folks – it’s hopeless. The bad guys have won and anyone who depends solely on prevention is doomed. Cyberattacks are, at their essence, just like any other type of crime: you can make all the efforts to prevent it from happening but in the end it’s going to happen anyway so you have to be prepared for it.
I mean, really – do I have to remind anyone of the companies that supposedly protected their data and, well, didn’t? Equifax is just the latest. Has everyone forgotten about Target, Citibank, Sony or the almost comically colossal screwup of THREE BILLION records revealed at Yahoo!? Ok, if you’ve been living in a cave for a while how about this: The NSA – yes, that’s right, the top-secret, James Bond-ish superspy arm of your U.S. government was hacked. And let’s not forget that the government agency tasked with making sure that public companies disclose everything – the SEC – has been breached, too.
Is there no safety from hackers anywhere? Actually, no, there isn’t.
Crime prevention goes back to prehistoric times when cavemen would light fires to keep animals from stealing their food stocks. More recently, since the days of the Lindbergh kidnapping, high-profile individuals have taken precautions against being taken hostage. Sophisticated diversion schemes, armored vehicles, escape plans and other preventive measures slowed it down, sure, but ultimately kidnappers can’t be stopped and the best we can do in many cases is to put a child’s photo on a milk carton. That’s not prevention – it’s recovery.
Ditto the approach towards robberies. Banks with huge vaults, massive automated locking doors and armed guards don’t stop about 4000 attempted robberies per year, roughly 25% of which go unsolved. So even though banks and law enforcement try as hard as they can to prevent the robberies, it’s the FDIC that protects customers’ money (now up to $250,000 per account). Again, prevention fails a great deal of the time so recovery – this time of money – is the ultimate plan.
Pick your crime: Kidnapping (ransom), robbery (theft of money or property), assault (attacking someone with the intent of doing them harm) or even shoplifting (grabbing something off the shelf and dashing out the door) has its equivalent in cybercrime. And in all cases the real-life crimes foreshadow the cyber versions in intent, execution, prevention (or lack thereof) and recovery.
The problem that the cybersecurity industry is perpetuating, in my opinion, is that there’s too much focus on the prevention and not enough on the recovery. In an earlier article I wrote, “Yogi Berra was never in the cybersecurity business,” I noted that the “Four Rs” of cybersecurity are: Resist. Restrict. Recover. Report. Too many people forget that third “R” and don’t plan enough for the recovery.
Don’t get me wrong – I’m all about educating employees not to click links, showing people what phishing emails look like and how to report them to the IT department, tightening up firewalls, installing virus detection and putting up whatever other obstacles can be erected that will block, delay or divert a hacker. But in the end, just like a house with a sophisticated burglar alarm system, dead-bolt locks, crash-proof glass and a really mean dog, if a pro wants to get in, they’re getting in.
Recovery takes planning and planning takes analysis. What you need to do is to take a close look at your own situation and decide how you’d best recover when you get hacked or held hostage by a ransomware attack (probably the most likely scenario today). Ask yourself (and your IT department) these questions:
1. If you were hacked, what would you do?
If your internal operations – everything from HR to manufacturing – were held hostage by a hacker who slipped ransomware into your network (which is appallingly easy to do) what would you do? Do you have the backups and the plan to roll back your system to a snapshot taken prior to the hack? Does your team have workarounds planned in the event that all Internet-based data is offline and unavailable for several days? Can you remain off the grid and still in business?
2. How frequently is your data backed up?
Are there so many things changing on an hourly basis (pricing, inventory, travel plans, payroll, medical records, etc.) that a nightly backup isn’t sufficient? What precautions have you taken to keep your backups current… and to make sure that they are maintained long enough to allow you to roll back to a point prior to when the cyberattack occurred?
3. Will you pay the ransom?
Have you developed a strategy and decision tree that prepares you to determine whether to pay up when a ransomware attack hits? Has your Board approved of this strategy in advance? Wasting precious hours of non-operational time while trying to get a quorum of your Board together for a vote to determine whether to pay a million-dollar ransom could be devastating to the company. Know your limits… are you willing to pay $10,000, $100,000, $1,000,000 as ransom payment for your system – or nothing at all?
4. What about the companies and people you work with?
Have you checked the security status of the vendors, divisions, contractors and everyone else connected to your company’s network? Do your C-Level executives understand that it’s not just your cybersecurity but that of everyone who is connected to you that determines your overall resistance to cyberattack? Bad cyber-hygiene affects everyone that touches the infected system, not just the original victim.
5. What’s your communication plan?
Finally, do you have a plan in place to report – to the public, the media, the Board and others – what happened, how much damage was done, whether or not you paid any ransom and what you have done to prevent a similar attack from occurring again? Covering up is frequently worse than the consequences of the actual hack. Don’t think for a minute that the news won’t get out. It will. Plan for it.
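Questions 1 and 2 above boil down to a calculation you can actually run before an incident: given a snapshot schedule, a retention window and the time the attacker got in, is there a clean restore point left, and how much work since that point is lost? The following is an added example, not part of the original article; the nightly snapshot catalogue, dates and retention figures are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed example data: a nightly 02:00 snapshot catalogue spanning
# 2017-09-01 .. 2017-10-14 (44 snapshots). Not real backup records.
SNAPSHOTS = [datetime(2017, 9, 1, 2, 0) + timedelta(days=i) for i in range(44)]


def _ts(value):
    """Accept a datetime or an ISO-8601 string (as found in incident notes)."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def latest_clean_snapshot(snapshots, compromise_time, retention_days, now):
    """Newest snapshot taken before the compromise that has not been pruned.

    A snapshot is usable only if it predates the compromise (a later one may
    already hold the attacker's changes or encrypted files) and is still
    inside the retention window measured back from `now`.
    """
    compromise_time, now = _ts(compromise_time), _ts(now)
    oldest_kept = now - timedelta(days=retention_days)
    usable = [s for s in snapshots if oldest_kept <= s < compromise_time]
    return max(usable) if usable else None


def recovery_assessment(snapshots, compromise_time, retention_days, now):
    """Can we roll back, to which point, and how many hours of changes are lost?"""
    restore_point = latest_clean_snapshot(snapshots, compromise_time,
                                          retention_days, now)
    if restore_point is None:
        return {"restorable": False,
                "reason": "every pre-compromise snapshot has aged out of retention"}
    lost = _ts(compromise_time) - restore_point  # exposure since last clean copy
    return {"restorable": True,
            "restore_point": restore_point.isoformat(),
            "data_loss_hours": lost.total_seconds() / 3600}


if __name__ == "__main__":
    now = "2017-10-14T09:00:00"
    # Fast detection: ransomware ran yesterday afternoon, noticed this morning.
    print(recovery_assessment(SNAPSHOTS, "2017-10-13T15:30:00", 30, now))
    # Slow detection: intrusion ~5.5 weeks ago; 30-day retention is too short.
    print(recovery_assessment(SNAPSHOTS, "2017-09-05T10:00:00", 30, now))
```

The second scenario is the one the article warns about: nightly backups were taken faithfully, yet none that predate the intrusion survive, because retention was shorter than the time the attacker went unnoticed.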
If you’re the CEO of the company pay special attention to the recovery and reporting aspects of a cyberattack. Not only will it determine the public perception of the company and the amount of long-term damage to its business and reputation but it might have a lot to do with how long you keep your job.
In short, my mind has changed about cybersecurity. While someone looking at this out of context might think that I’ve thrown in the towel, I haven’t. Instead, I’m looking at this as a change in strategy. It’s a fundamental shift in thinking from “How do I stop this?” to “It’s going to happen so what do I do to prepare for it?”
It will almost certainly happen to your company. The only viable approach to take is to raise the level of cyber awareness and then plan for the inevitable. A solid recovery plan is the best form of damage control in today’s cybersecurity environment. Get ready.