Don't Gamble with Your Tech Security
This week's cyberattacks in Las Vegas are yet another reminder that you can't be passive about protecting your network and other digital assets. You need to relentlessly remind all team members that they each have a role, every day, in protecting the company--and their jobs.
BY HOWARD TULLMAN, GENERAL MANAGING PARTNER, G2T3V AND CHICAGO HIGH TECH INVESTORS, @HOWARDTULLMAN1
Watching the hapless victims of a cyberattack as portrayed on The Morning Show -- running around like headless chickens while clueless executives demand instant protection from the just-arrived outside team of white-hat hackers -- I was painfully reminded of just how interconnected we all are by our devices. And how exposed and vulnerable every business is to network intrusions by criminals, along with the extortionate ransom demands that typically accompany them.
When people returned to the office, they brought with them all the shortcuts, compromises, simplistic passwords and other bad habits they adopted while working remotely, along with all the junk and viruses their kids inadvertently loaded onto their laptops and home networks. Now is the time for companies to refocus and redouble their efforts to protect themselves, their people, their customers, their networks, and their digital assets from the growing likelihood that they will be cyberattack targets. Remember, it wasn't raining when Noah built the ark.
The trouble is that until they have personally been the victim of identity theft or had a check stolen from the mail, most people, and most businesses of whatever size, think it won't happen to them. You can explain the risks, the economic and reputational costs, the relatively inexpensive preventative steps, and everything else to smart and otherwise prudent and rational entrepreneurs and corporate executives. But you can't understand for them.
An excellent case in point: two of the largest casino operators in Las Vegas just got hit by cyberattacks, with Caesars paying millions in ransom (without sharing any of that information on the Strip) shortly before MGM got hit with a similar attack. We've been led to believe by Hollywood heist movies that it's incredibly tough to take on a casino because of massive security and surveillance technology. Guess not. You can't really stop what you can't see, and keeping ahead of the hackers is more difficult every day. You either pay up front for the protection that is available and keep your fingers crossed, or you pay after the fact for the failure and hope it doesn't happen again.
In the recent Morning Show episode, the head honchos at the UBA network were ultimately unwilling to pay a $50 million ransom, although it appeared that the network could come up with the cash. Obviously, this is far from the case for most companies and institutions. And, in the typical circumstances of any startup or relatively new business, a substantial and unpayable demand would very likely mean the death of the firm.
Startups are rarely sitting on piles of cash; investors never want to see their funds going out the door to pay ransoms; and new business builders almost never spend scarce dollars on insurance. Apart from the D&O insurance that their investors demand, it's a one-in-a-million prospect that they've purchased sufficient business interruption coverage to cover cyberattacks. Entrepreneurs believe in passion and promotion, but rarely commit appropriately to downside protection. One of the clearest COVID-19 lessons was just how strapped and skinny millions of startups are, and how little thought and money they had committed to resilience and to backing up their businesses and their data securely offsite.
To me, the show actually had a far more important message, especially for executives and senior managers charged with cybersecurity responsibilities. The episode tracked the responses and reactions of the various junior and senior staff members to the crisis. Whether through stupidity, selfishness, or inadvertent subversion, several main characters completely ignore the experts' very specific directions to surrender their mobile phones to contain the spread of the malware. Worse yet, despite being told that the compromised phones represented further risk of damage, they snuck off to make personal calls. Which reminded me of an old truism: men are not against you; they are merely for themselves.
The point is that no one has the luxury of acting alone, because there's really no digital environment that's absolutely isolated, insulated, or secure. Every system is subject to human intervention, frailty, ignorance, and self-interest. If your team doesn't seriously commit to helping secure your systems, it's just a matter of time before you suffer. A little inconvenience and some simple precautions can avoid a ton of disruption. And, as a recent Deloitte survey shows, the risk isn't where you expect it. Gen Z is, in fact, many times more likely to fall for these schemes than older employees. Turns out, they only think they're a lot smarter and more computer-savvy than you.
There are three major messages that senior management needs to carefully and consistently deliver, and also demonstrate and validate through their own actions. An example or two of conscientious compliance by the boss is worth a million words.
First, make it absolutely clear that the concerns expressed about system security aren't nags or nuisances; they're necessities. They represent existential risks to the business, and the safeguards that have been implemented aren't casual or suggested; they're mandatory and will be strictly enforced with zero tolerance. But just saying it doesn't make it so. Your whole organization needs to live it.
Second, it's far too easy for people to assume that these matters are someone else's responsibility, and especially to hand them off to the IT department and let it worry about them. That's misdirected: the vast majority of breaches aren't super-sophisticated or driven by complex technical intrusions. They're the result of simple sloppiness, reuse of the same password across accounts, laziness about installing software updates, and, of course, social engineering, which rarely has anything to do with the technical aspects of your systems. You want your people to be helpful when asked, but, in these precarious times, a fair amount of caution, suspicion, and confirmation through a second channel makes a lot of sense. Keep in mind that, by one widely cited estimate, 91% of all known cyberattacks start with a phishing email.
Third, one ongoing problem is that the fraud phishers and the hungry hackers have increasingly adopted two strategies: (1) they constantly use fake Microsoft logos and language to alert users to the falsehood that their passwords need to be changed before they expire or are turned off by Microsoft; and (2) as the year ends, they will again be sending millions of fake emails with subject lines about year-end comp changes, salary adjustments, and bonuses, which appear to be coming from internal HR departments. They're not, but they are close to irresistible in terms of the temptation to open them. Now is a very good time -- since October is National Cybersecurity Awareness Month -- to remind your team about these two schemes in particular, and also to consider how best to distinguish your legitimate communications from the noisy and cluttered mess. The simplest way to do that is to agree in advance on what the real thing looks like: password changes happen only by signing in to the company's own portal, never through a link in an email, and compensation news arrives through one named channel, so anything else claiming to be either can be treated as suspect and reported.
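The two lures described above can be turned into a first-pass triage rule for a mailbox or a mail-gateway feed. The following is an added example written for this piece, not code from the column or from any product it mentions. It assumes a hypothetical company whose mail comes from example.com and treats microsoft.com and microsoftonline.com as the only legitimate Microsoft sending domains; the sample messages are constructed for the example, and the "0" in micros0ft-security.com is a deliberate lookalike.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for the example (hypothetical): the company's own mail domain, and the
# domains a branded "your password expires" notice could legitimately come from.
COMPANY_DOMAINS = {"example.com"}
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com"}}

# Lure 1: "password expires / reset / verify" wording. Lure 2: year-end comp wording.
PASSWORD_LURE = re.compile(
    r"\bpassword\b.{0,60}\b(expir\w*|reset|verify|deactivat\w*|suspend\w*)\b", re.I | re.S)
COMP_LURE = re.compile(
    r"\b(bonus(es)?|salary adjustments?|comp(ensation)? (changes?|statement)|year[- ]end comp\w*|pay(roll)? raises?)\b",
    re.I)
HR_CLAIM = re.compile(r"\b(hr|human resources|payroll|people ops)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample messages (not real mail); only the headers the checks need.
SAMPLE_MESSAGES = [
    {"from": "Microsoft Account Team <no-reply@micros0ft-security.com>",
     "subject": "Action required: your password expires in 24 hours",
     "body": "Keep your current password by clicking http://login.micros0ft-security.com/keep"},
    {"from": "HR Department <hr@example.com.payroll-notices.net>",
     "subject": "2023 Year-End Bonus and Salary Adjustment",
     "body": "Review your updated compensation statement: http://payroll-notices.net/comp"},
    {"from": "HR <hr@example.com>", "subject": "Year-end bonus timing",
     "body": "Bonuses will be paid with the Dec 15 payroll."},
    {"from": "Jane <jane@example.com>", "subject": "Lunch?", "body": "Noon at the usual place"},
]


def split_sender(from_header):
    """Return (display name, local part, domain) from a From: header, lower-cased."""
    name, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    return name.lower(), local.lower(), domain.lower()


def in_domain(domain, allowed):
    """True if domain equals, or is a subdomain of, any domain in allowed."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def looks_like_company(domain):
    """Lookalike check: our domain name embedded in a domain we do not own."""
    return any(d in domain for d in COMPANY_DOMAINS) and not in_domain(domain, COMPANY_DOMAINS)


def flag_message(msg):
    """Return the reasons this message matches one of the two lures (empty list = no match)."""
    name, local, domain = split_sender(msg["from"])
    text = msg["subject"] + "\n" + msg["body"]
    internal = in_domain(domain, COMPANY_DOMAINS)
    reasons = []

    # Lure 1: password-expiry wording from a sender that is neither us nor the brand it names.
    if PASSWORD_LURE.search(text):
        claimed = [b for b in BRAND_DOMAINS if b in name or b in domain]
        legit_brand = any(in_domain(domain, BRAND_DOMAINS[b]) for b in claimed)
        if not internal and not legit_brand:
            who = f"claims to be {claimed[0]}" if claimed else "unbranded"
            reasons.append(f"password-expiry lure: {who}, sent from {domain or 'unknown domain'}")

    # Lure 2: comp/bonus wording from something calling itself HR that is not on our domain.
    if COMP_LURE.search(text) and (HR_CLAIM.search(name) or HR_CLAIM.search(local)) and not internal:
        reasons.append(f"HR/compensation lure from external domain {domain}")

    if looks_like_company(domain):
        reasons.append(f"sender domain {domain} imitates {', '.join(sorted(COMPANY_DOMAINS))}")

    # For anything already flagged, list the link hosts that are outside every trusted domain.
    if reasons:
        trusted = set(COMPANY_DOMAINS).union(*BRAND_DOMAINS.values())
        hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(msg["body"])}
        external = sorted(h for h in hosts if h and not in_domain(h, trusted))
        if external:
            reasons.append("links to " + ", ".join(external))
    return reasons


def triage(messages):
    """Map subject -> reasons for every message that matched; clean messages are omitted."""
    flagged = {}
    for m in messages:
        reasons = flag_message(m)
        if reasons:
            flagged[m["subject"]] = reasons
    return flagged


if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_MESSAGES).items():
        print(subject)
        for r in reasons:
            print("  -", r)
```

The third sample, a genuine bonus note from hr@example.com, is left alone, which is the whole point: the rule keys on who the message claims to be versus where it actually came from, not on the word "bonus" by itself. The caveat is that "from our own domain" only means something if SPF, DKIM and DMARC are enforced on inbound mail; without them a forged From: header passes this check, so treat it as a triage aid on top of mail authentication, not a replacement for it.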
None of this is easy to pull off, but all of it is critical right now to get out ahead of the problem, to the extent that's possible. Sharing stories and articles about other companies that have been hit by attacks and breaches is somewhat helpful, but sadly, most people still won't believe that these things can happen to them. Until they do.
SEP 26, 2023