Protecting less and sharing more is the key to staying on top of cybersecurity, according to one cyber expert. Miri Schroeter reports from the Command Control cyber conference in Munich, Germany.
To stay on top of cybersecurity, companies should start by doing less. This is the advice given by someone who knows the dark world of cyber-attacks and security well. Josh Klein is an expert hacker, a TED talker and the author of several books including Hacking Work: Breaking Stupid Rules for Smart Results.
He explains that doing less entails loosening the reins on security measures. It’s about sharing information more freely and being open to new technology to reap the benefits of advances, rather than keeping the door closed on emerging opportunities.
“Often I work with companies who decide that their approach to cybersecurity should be to prevent anything from happening,” said Klein. That includes staying away from vital technological advances. “The problem with this is that the number-one effect from not engaging with new technology is that you don’t benefit from it. You might prevent 3D printers from having contact with anyone inside your company, but it doesn’t mean it’s not going to impact your market.
“A purely defensive strategy isn’t working,” said Klein. He identifies hotels and taxi services as industries that need to get on board with new technology so they don’t fall behind. Companies such as Airbnb have changed the hospitality sector, taxis are now competing with Uber, and music outlets such as Spotify make for an easy listening experience.
Taking the good with the bad
Technological advances are not slowing down any time soon, so Klein suggests that companies get on board, as the benefits outweigh the negatives. “When we’re talking about technologies, especially new and emerging technologies, the truth is that they’ve got upsides and downsides. There isn’t a one-size-fits-all solution.” He talks about the benefits of CRISPR-Cas9, which enables geneticists and medical researchers to edit parts of the genome by removing, adding or altering sections of the DNA sequence.
“When CRISPR-9 came out, we all knew it would have some positive implications. It’s sort of the gift that keeps on giving. In terms of leading to pre-congenital diseases it’s really proven to be an enormously positive tool.
“It’s also allowing us to do cool new things like letting us launch gene drives. A gene drive is when you programme an organism to pass on certain traits to 100 per cent of its offspring,” said Klein. “In New Zealand, they’ve got a problem with mice. There’s too many of them. They’ve decided to treat it by releasing thousands and thousands of mice that are treated to only have male offspring.” The results of this could either be that all the mice will be eradicated, or it may not work, or something completely unexpected may happen, said Klein. “If you look at humanity’s track record of going in and using blunt instruments to change ecosystems, we haven’t done so hot,” he said.
Sharing information to boost business
“All of our companies have more data than before. Sharing that information is both dangerous and difficult, but it’s worthwhile,” said Klein. “When we start sharing more, we discover markets, we discover new product lines, we discover new relationships and new avenues for our businesses.”
The rise of collaborative models is proving to be effective in businesses, he said. Having subsidiary companies in different countries and being able to see market share information easily and react in real time is important, said Klein. At a time when companies can easily hire people for certain projects, and employees move from company to company to upskill, there is room to grow a business with this strategy in mind, he said.
“CP Insights did a big international study and they found the most effective companies, the most profitable companies, when compared to similar verticals, were all much more likely to buy parent solutions than build.”
In a typical model, companies sink all of their costs into the supply chain, but that isn’t the best approach, said Klein. He suggests working with the plethora of start-ups available worldwide. “Part of the reason that these partnerships are so effective is that there are so many to choose from. I suggest that we start sharing what we have. That’s because our growth is contingent on having other parties participate.” But outsourcing comes with risks. “Most of the criminal activity inside your company comes from the people that are employed by you. It’s a situation where both strategy and cybersecurity need to be aligned.
“If you’re going to bring people in and out of your organisation more fluidly, it demands a lot more attention to who’s doing what with what.” Cybersecurity should be available organisation-wide to help control this, said Klein. “The marketing department needs to be talking to the cybersecurity team, but conversely the cybersecurity team needs to be talking to all the other departments.”
Cyber incident simulation
Top management also needs to be more involved in a company’s security processes, said Klein. Dr Marco Gercke agrees that CEOs and top management cannot afford to take a backbench approach. Gercke, who also spoke at Command Control, is the founder and director of the Cybercrime Research Institute based in Cologne, Germany.
Gercke teaches top management how to deal with cyber-attacks by creating interactive cyber incident simulations. CEOs need to be prepared in advance, he said. “You cannot tell a CEO to wait until there’s an attack and afterwards it’s going to be much better, because that might have been the only chance they had. We’ve seen CEOs that have lost their job after a cyber-attack.”
Simulations in a realistic environment, such as those used by pilots, are good examples of a system that works, he said. “They need to really feel it. You can’t just tell them, ‘Hey, imagine sitting at this desk, imagine you’re in the plane and the engines fail. What are you going to do now?’”
A simulation in which the pilot experiences flashing lights, unwanted noises and a failing engine is what’s going to help them learn, said Gercke. “You need to get the stress factor because we realise that stress plays an important role.”
He uses activities similar to those used by the military. Putting CEOs in a dark room with a lot of screens, where they are confronted by cyber-attacks, will increase their stress levels, which is closer to a real-life situation, said Gercke. Important decisions need to be made, such as whether to pay a ransom, negotiate with the hacker, or report the attack to the police. One option may seem like the clear winner for a company, but there can be unwanted implications, said Gercke. For instance, calling the police could cause issues for the company.
“It seems that the interest of the police and your interests are aligned as you don’t want people to commit crimes.” But there may be conflict when the company wants to protect itself and the police prioritise catching the criminal by seizing the company’s computers for an investigation, said Gercke. He also suggests that, in some situations, paying a ransom could be the best solution, as a strict no-pay policy can lead to damages that far exceed the ransom if the company’s reputation is implicated or people are hurt by the cyber-attack.
When cyber-attacks do physical harm
There was a case where an attack was being carried out on a government computer system, which affected a hospital. People were being harmed because systems vital to operations in the hospital were not working properly, said Gercke. “This specific case, turning the Internet of Things (IoT) into an attack vector, not with the focus of being very powerful, but with a focus of maximising harm by attacking a government, is a recent case.
“There are many scenarios you need to prepare for. This is a real challenge for governments, for large enterprises, as well as medium and small enterprises,” said Gercke.
Larry Clinton, president and CEO of the Internet Security Alliance, based in the United States, gave some daunting figures to show the scale of cyber-attack risks. He said that five-million euros are stolen every two minutes through cyber-attacks and 12,000 identities are stolen. Two-thousand new versions of malware are also created every two minutes.
The figures are likely to rise as economics favour attacks, he said. “Attacks are cheap, attacks are easy to access, attacks are very profitable.” Clinton suggests that governments and corporations should work together to improve security measures. Cyber-attacks should also be managed, rather than attempting to stop them altogether, as stopping them is as impossible as stopping bad weather, said Clinton.