Hindsight

Monday, September 25, 2023

NEW INC. MAGAZINE COLUMN FROM HOWARD TULLMAN

Don't Gamble with Your Tech Security

This week's cyberattacks in Las Vegas are yet another reminder that you can't be passive about protecting your network and other digital assets. You need to relentlessly remind all team members that they each have a role, every day, in protecting the company--and their jobs.

BY HOWARD TULLMAN, GENERAL MANAGING PARTNER, G2T3V AND CHICAGO HIGH TECH INVESTORS@HOWARDTULLMAN1

Watching the hapless victims of a cyberattack as portrayed on The Morning Show -- running around like headless chickens while clueless executives demand instant protection from the just-arrived outside team of white-hat hackers -- I was painfully reminded of just how interconnected we all are by our devices. And how exposed and vulnerable every business is to network intrusions by criminals, along with the extortionate ransom demands that typically accompany them.

When people returned to the office, they brought with them all the shortcuts, compromises, simplistic passwords and other bad habits they've adopted working remotely, along with all the crap and viruses their kids have inadvertently loaded on their laptops and home networks. Now's the time for companies to refocus and redouble their efforts to protect themselves, their people, their customers, their networks, and their digital assets from the risks and increasing likelihood that they are cyberattack targets. Remember, it wasn't raining when Noah built the ark.

The trouble is that until they've been the victim of identity theft or had a check ripped off from the mail, everyone and every business of whatever size thinks that it won't happen to them. You can explain the risks, the economic and reputational costs, the relatively inexpensive preventative steps, and everything else to smart and otherwise prudent and rational entrepreneurs and corporate executives. But you can't understand for them.

An excellent case in point: two of the largest casinos in Las Vegas just got hit by cyberattacks with Caesars paying millions in ransom (without sharing any of that information on the Strip) shortly before MGM got hit with a similar attack. We've been led to believe by Hollywood heist movies that it's incredibly tough to take on a casino because of massive security and surveillance technology. Guess not. You can't really stop what you can't see and keeping ahead of the hackers is more difficult every day. You either pay up front for the protection that is available and keep your fingers crossed or you pay after the fact for the failure and hope it doesn't happen again.

In the recent Morning Show episode, the head honchos at the UBA network were ultimately unwilling to pay a $50 million ransom although it appeared that the network could come up with the cash. Obviously, this is far from the case for most companies and institutions. And, in the typical circumstances of any startup or relatively new business, a substantial and unpayable demand would very likely mean the death of the firm.

Startups are rarely sitting on piles of cash; investors never want to see their funds going out the door to pay ransoms; and new business builders almost never spend scarce dollars on insurance. Apart from the D&O insurance which their investors demand, it's a one-in-a-million prospect that they've purchased sufficient business interruption protection to cover cyberattacks. Entrepreneurs believe in passion and promotion, but rarely commit appropriately to downside protection. One of the clearest COVID-19 lessons was just how strapped and skinny millions of startups are and how little thought and money they had committed to resilience and backing up their businesses and their data securely offsite.

To me, the show actually had a far more important message, especially for executives and senior managers charged with cybersecurity responsibilities. The episode tracked the responses and reactions of the various junior and senior staff members to the crisis. Whether through stupidity, selfishness, or inadvertent subversion, several main characters completely ignore the experts' very specific directions to surrender their mobile phones to contain the spread of the virus. Worse yet, despite being told that the corrupted phones represented further risks of damage, they stealthily snuck off to make personal calls. Which reminded me of an old truism: men are not against you; they are merely for themselves.

The point is that no one has the luxury of acting alone because there’s really no digital environment that’s absolutely isolated, insulated, or secure. Every system is subject to human intervention, frailty, ignorance, and self-interest. If your team doesn’t seriously commit to help secure your systems, it’s just a matter of time before you suffer. A little inconvenience and some simple precautions can avoid a ton of disruption. And, as a recent Deloitte survey shows, the risk isn’t where you expect it. Gen Z is, in fact, many times more likely to fall for these schemes as older employees. Turns out, they only think they’re a lot smarter and computer-savvy than you.

There are three major messages that senior management needs to carefully and consistently deliver, and also demonstrate and validate through their own actions. An example or two of conscientious compliance by the boss is worth a million words.

First, make it absolutely clear that the concerns expressed about system security aren't nags or nuisances, they're necessities. They represent existential risks to the business, and the safeguards that have been implemented aren't casual or suggested, they're mandatory and will be strictly enforced with zero tolerance. But just saying it doesn't make it so. Your whole organization needs to live it.

Second, it's far too easy for people to assume that these matters are someone else's responsibilities and especially to hand it off to the IT guys and let them worry about it. That's misdirected: the vast majority of breaches aren't super-sophisticated or driven by complex technical intrusions. They're the result of simple sloppiness, stupid reuse of the same passwords, laziness in terms of updating software, and, of course, social engineering, which rarely has anything to do with the technical aspects of your systems. You want your people to be helpful when asked, but, in these precarious times, a fair amount of caution, suspicion, and confirmation makes a lot of sense. Keep in mind that 91% of all known cyberattacks start with email phishing.

Third, one ongoing problem is that the fraud phishers and the hungry hackers have increasingly adopted two strategies: (1) they constantly use fake Microsoft logos and language to misleadingly alert users to the falsehood that their passwords need to be changed before they expire or are turned off by Microsoft; and (2) as the year ends, they will again be sending millions of fake emails with titles relating to year-end comp changes, salary adjustments, and bonuses, which appear to be coming from internal HR departments. They're not, but they are close to irresistible in terms of the temptation to open them. Now is a very good time -- since October is National Cybersecurity Awareness month - to remind your team about these two schemes in particular and also to consider how best to distinguish your legitimate communications from the noisy and cluttered mess.

None of this is easy to pull off, but all of this is critical right now to get out ahead of the problem, to the extent that's possible. Sharing stories from other companies and articles about attacks and breaches that have been hit is somewhat helpful, but sadly, most people still won't believe that these things can happen to them. Until they do.

SEP 26, 2023

Sunday, September 24, 2023

We've got presidents who think that if they do something it by definition can't be against the law. We've got SCOTUS justices who feel they should not adhere to ethics rules or be criticized. We've got Senators who defend antiquated rules that grant each of them (or a minority of them) the power to stop progress on any issue ...and who value their club so much they won't speak out against obvious crimes. We have members of the House who feel they do not have to honor legal subpoenas, fulfill their duty to their constituents or honor the Constitutional definition of what constitutes an impeachable offense. We have state legislatures and governors that seek to ignore the will of the people and to reverse the results of elections without any legal grounds or justification. These abuses happen daily. Our system has become deeply and profoundly corrupt. We are in a slow motion constitutional crisis, one in which our governing ideals and principles have been gutted to serve the personal and partisan ambitions of a few--officials and donors alike. Don't underestimate the severity of this situation. Authoritarianism doesn't require a coup to assume power and snuff out democracy.