The Four Rs of Cybersecurity And How To Build A Culture Around Them
‘Tis the season for making predictions. I love predictions. I love the crashing sound they make as they fall flat on their faces. They are very rarely right, and wrong so often that it prompted Yogi Berra to say, “It’s tough to make predictions, especially about the future.”
One thing is for sure: Yogi was never in the cybersecurity business. How do I know? Because making predictions in the cybersecurity business is easy. Here’s mine:
Your company will get hacked in 2017.
In fact, the corollary prediction is that you may not even know it. At the end of the year you’ll look back and say, “not us – we weren’t hacked.” Uh-huh. Maybe you think not but in the end there are only two kinds of companies:
- Companies that have been hacked.
- Companies that have been hacked and don’t know it.
What can you, as a C-level executive or even a Director on a company’s board, do to prevent this prediction from coming true in your company?
In short, nothing.
Hackers will do what hackers do – they will probe, attempt, retry and poke until they find a back door to enter, or they’ll find a single computer that doesn’t have two-factor authentication installed on it. (Think that’s not a big deal? Ask JP Morgan Chase, who suffered a $150M breach as the result of a single computer being exposed.) They will steal credentials, send phishing emails and set up phony websites in an attempt to lure someone in your company into clicking a link or entering critical info and then… you’re toast.
So let’s talk about reality and what you – particularly the aforementioned C-level execs and Directors – can do to build a culture of cybersecurity within the company that will minimize damage and expedite recovery. It’s a question of resolutely following what I call “The Four Rs Of Cybersecurity”:
Having the right culture revolving around these Four Rs will help you minimize the frequency of successful hacks, mitigate the severity of the damage and facilitate recuperation after the fact.
RESIST – Resistance is your most important tool because the more successful it is the less the others will be needed. How to resist? Foster a culture within the company of “safety first” in the same way that manufacturers do. In a manufacturing plant everyone must wear hard hats or hair nets, protective shoes and eyewear and must remain within safety lines painted on the floor. Manufacturers create policies and procedures that, if followed, prevent accidents. Cybersecurity requires a “safety first” attitude, too. Set up firewalls, don’t allow specific types of attachments in emails, encrypt your messages, develop password policies and reinforce how important it is to never click links in emails. Resist means to always be thinking “cyber-safety first.”
RESTRICT – If hackers penetrate your defenses you need to minimize the damage by containing it. Make sure that you have procedures in place to limit access privileges to only the areas that are necessary for someone to do their job. Don’t let “access creep” create needless exposure. On the physical side, make sure that employees no longer with the company turn in keys, badges, authentication dongles, laptops and cell phones. Similarly, on the electronic side, change the passwords of any area that they had access to, and make sure that they haven’t “backed up” (that’s code for stolen) any files to external sources such as thumb drives or cloud services like Dropbox or OneDrive. The best way to think about this is to imagine a ship with watertight compartments. Water may get into one compartment but it won’t sink the ship. That’s how you want your cyber-ship to be built, too – putting in the electronic equivalent of watertight compartments keeps the ship afloat.
RECOVER – After hackers have successfully breached your defenses, even if you have done a good job restricting access and containing damage, you must be ready to recover quickly. Regular, preferably real-time, backups of your data are critical. Think about how much work – and what a hit to your reputation – it would take to recover if you lost an entire day of order entry, call logging, sales prospecting and everything else on your system. To be clear, you’ll need much more than backup tapes with a snapshot of yesterday’s system. If you’re hit with ransomware you might have to roll back days or even weeks to make a practical recovery. My personal philosophy is to back up in real time, plus daily, weekly and monthly snapshots. When I get hacked (or a computer gets destroyed or stolen) I’ll be ready to restore my system on a new computer or hard drive from five minutes, five days or even five weeks ago. Call me paranoid if you like, but I call it realistic because eventually I will get hacked (and so will you).
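The real-time plus daily/weekly/monthly scheme above is a retention policy, and the part that bites in a ransomware rollback is deciding which old snapshots survive pruning. The following is an added example, not code from the post: a retention selector over a constructed schedule of 5-minute backups, with a check that restore points from five minutes, five days and five weeks ago still exist. The tier sizes (1 hour, 14 days, 8 weeks, 12 months) are assumptions.

```python
from datetime import datetime, timedelta

# Tier sizes are assumptions chosen to illustrate the scheme, not values from the post.
REALTIME_WINDOW = timedelta(hours=1)                # keep every snapshot from the last hour
DAILY_KEEP, WEEKLY_KEEP, MONTHLY_KEEP = 14, 8, 12   # days / weeks / months of coverage

def _bucket_keys(ts):
    # (day, ISO week, month) buckets a snapshot falls into
    return ts.date(), ts.isocalendar()[:2], (ts.year, ts.month)

def select_keep(snapshots, now):
    """Return the snapshot timestamps to retain, oldest first.

    Every snapshot inside REALTIME_WINDOW is kept. Beyond that, the newest
    snapshot of each day, week and month inside the tier's horizon is kept,
    so a restore point exists for any day/week/month the horizon covers.
    """
    snaps = sorted(snapshots, reverse=True)          # newest first
    keep = {ts for ts in snaps if now - ts <= REALTIME_WINDOW}
    horizons = (timedelta(days=DAILY_KEEP), timedelta(weeks=WEEKLY_KEEP),
                timedelta(days=31 * MONTHLY_KEEP))  # month horizon is approximate
    for tier, horizon in enumerate(horizons):
        seen = set()
        for ts in snaps:
            if now - ts > horizon:
                break                                # everything after this is older
            key = _bucket_keys(ts)[tier]
            if key not in seen:                      # first hit per bucket = newest
                seen.add(key)
                keep.add(ts)
    return sorted(keep)

def has_restore_point(kept, now, age_days, tolerance_hours):
    """True if a kept snapshot lies within tolerance of `now - age_days`."""
    target = now - timedelta(days=age_days)
    return any(abs(ts - target) <= timedelta(hours=tolerance_hours) for ts in kept)

# Constructed sample: a real-time backup every 5 minutes for the last 90 days.
NOW = datetime(2017, 3, 1, 12, 0)

def sample_schedule(days=90, step_minutes=5):
    return [NOW - timedelta(minutes=step_minutes * i)
            for i in range(days * 24 * 60 // step_minutes)]

if __name__ == "__main__":
    kept = select_keep(sample_schedule(), NOW)
    print(f"{len(sample_schedule())} snapshots -> {len(kept)} retained")
    for label, age, tol in (("5 minutes", 5 / 1440, 1), ("5 days", 5, 24), ("5 weeks", 35, 24 * 7)):
        print(label, "ago restorable:", has_restore_point(kept, NOW, age, tol))
```

Note that the five-weeks-ago restore point is only available at weekly granularity: the daily tier has already aged out by then, which is exactly the trade-off the tier sizes encode.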
REPORT – This isn’t the time to be shy or clandestine. Fess up, and the sooner the better. Once you have minimized the damage and put your recovery procedures into action, tell your employees, your customers and your shareholders. If you get the message out early you can control the damage. Realize one thing: the information always gets out, and you want to be in front of it, not behind it. Prepare separate statements for each of those constituencies and tell them what happened, why it happened, how much damage was done, what steps you have taken to recover and what you are doing to prevent being hacked that way again.
I’ll make one more prediction. Follow this advice and you will be a lot better off than if you don’t. Hacking is an unfortunate fact of both business and personal life. Be prepared, be vigilant and be cyberaware.