Hacktivists, organized crime rings, and state-sponsored espionage groups have grown increasingly sophisticated in their hacking capabilities and tradecraft. Their goal: to steal valuable data and intellectual property, or to inflict severe damage on the global economy and critical infrastructure.
“I don’t think corporate America understands that we are in a cyber war,” says Israel Martinez, president and senior managing partner of Axon Global.
Common IT security best practices fall far short in this new environment, and those under assault must change their entire perspective toward safeguarding company assets, Martinez warns, or pay a heavy price. He would know: his livelihood revolves around protecting the data and critical infrastructure of some of the largest corporations in the world. Martinez has seen that most corporate leaders don’t grasp the formidable threats they are facing, and he believes that unless that changes—and soon—C-suite executives and governance boards risk exposing themselves and their organizations to an unprecedented level of unnecessary risk, jeopardizing company assets, reputations, and careers. Fortunately, Martinez has a plan for them to fight back.
As a cyber counterintelligence firm, Axon has encountered just about every kind of hacking technique yet devised. Many major national and global corporations are attacked hundreds or even thousands of times every quarter. Most of these attacks are inconsequential; but increasingly, targeted attacks are evolving into serious compromises and breaches. Many companies respond to warnings about these incidents in a surprising way. “About half of the time, after we advise a company that we have specific information about a dangerous compromise or breach, instead of moving to remediate it, they choose not to want to know about it,” Martinez says.
Why would an executive not want to know about an intrusion? Plausible deniability to reduce legal liability, Martinez says. If a company’s leadership knows of a security breach, it has a duty to shareholders to remediate it, an action most presume to be expensive. If leadership remains in the dark, the reasoning goes, the threat can be ignored and the cost of removing it avoided. Moreover, traditional signature-based malware detection produces a backlog of false positives that must be investigated manually, and while that backlog sits unworked, any one of those alerts could be the genuine intrusion that becomes an embarrassing public breach.
In the long run, though, the ignorance-is-bliss attitude is likely to backfire, Martinez says. The cost of doing nothing can far exceed the price of neutralizing the threat, and the stakes are higher still now that government agencies, notably the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC), have begun to crack down on security negligence. That has meant large fines for failing to protect sensitive information, and lawsuits from customers and shareholders. No longer will top executives and boards be able to pass the buck on security to the CIO or chief information security officer (CISO); they will have to take an active role in managing cyber risk, setting policy, and monitoring the results.
According to Martinez’s vision, C-suite executives and corporate boards must develop holistic strategies to make their companies’ cybersecurity plans more effective. This initiative should begin with some basics, including board-level education about the impact of cyber risk and a process for defining and prioritizing the nature of attacks.
“Board-level education goes to the lexicon of how officers of a company have a conversation about cyber risk management,” Martinez says. “Words like ‘breaches’ and ‘incidents’ are often not properly understood or defined within a company.” Legally, the two terms carry different consequences: an incident is any event that compromises the confidentiality, integrity, or availability of a system (a device infected with malware, for instance), while a breach is the narrower case in which regulated personal data has actually been acquired or disclosed, which is what triggers notification duties to regulators and affected individuals. Employees who use the words interchangeably in e-mails, which are discoverable in litigation, could be exposing their company to unnecessary liability. Other challenges include knowing when and how to report to law enforcement or the government.
Organizations should also reexamine their overall approach toward remediating advanced malware infections. With companies constantly bombarded by false positives, trying to stop every possible intrusion after a compromise is an impossible task and a waste of resources, says Martinez. “Security models and resources must shift from cybersecurity defense to offense; that is, to detect and deny targeted attacks earlier in the kill chain. Processes will have to systematically prioritize what to protect, and the playbook about how to respond to threats will include more about automated prioritization of targeted attacks and resiliency.”
Martinez advocates a strategic approach to defending against cybercrime. Organizations should clearly identify their most sensitive assets: intellectual property, customer data (including credit card account numbers), and any other information whose theft would cause serious harm. Protecting these assets should be given the highest priority, while intrusions aimed at less sensitive data can be treated as secondary, so that security specialists direct their efforts to safeguarding the crown jewels.
Further, the corporate philosophy on security should shift from a reactive stance focused primarily on detecting and blocking known, or signatured, malware to proactive methods that detect malware for which no signature yet exists (behavioral and anomaly-based detection), and should also include gathering intelligence about the most dangerous adversaries. Knowing those adversaries’ aims, plans, and tactics allows companies to anticipate threats and implement plans to counteract them. To that end, Axon has formed a global alliance to gather and share threat intelligence about substantive targeted cyber attacks and undetected malware already present within organizations.
The idea is for cyber counterintelligence companies to report serious attacks to the alliance anonymously, so that other organizations can be notified to be on guard. In addition, alliance members who monitor the activities of cyber criminals through social media and other sources can disseminate alerts when appropriate.
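The two ideas above, prioritizing alerts by the sensitivity of the asset and the kill-chain stage reached (as Martinez describes) and stripping the victim’s identity before an alliance report is shared, can be made concrete in a few lines of code. The following is an added example written for this page, not Axon’s code or the alliance’s format; the asset tiers, the scoring weights, the alert records and the intelligence feed are all constructed for illustration, and the kill-chain phase list is the common seven-phase model.

```python
"""Risk-based alert triage plus an anonymized sharing record.

Added example (not Axon's or the alliance's code). All inventory, weights,
alerts and indicators below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Seven-phase kill chain; an alert further down the list means the attacker
# is closer to achieving an objective, so it gets a higher weight.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Hypothetical asset inventory: 3 = crown jewels, 2 = sensitive, 1 = low value.
ASSET_TIER: Dict[str, int] = {
    "erp-db-01": 3,      # customer PII and cardholder data
    "source-repo": 3,    # intellectual property
    "hr-fileshare": 2,
    "lobby-kiosk": 1,
}

# Constructed alliance feed: indicator -> context. A match means the
# indicator was reported by another member, so the alert is not random noise.
SHARED_INTEL: Dict[str, str] = {
    "203.0.113.7": "C2 server seen in targeted campaign against manufacturers",
    "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b": "dropper",
}


@dataclass
class Alert:
    alert_id: str
    asset: str       # hostname the alert fired on
    phase: str       # one of KILL_CHAIN
    indicator: str   # IP, domain or file hash observed
    source: str      # "signature" (noisy) or "behavioral"


def score(alert: Alert, tiers: Dict[str, int] = ASSET_TIER,
          intel: Dict[str, str] = SHARED_INTEL) -> int:
    """Priority = asset tier x kill-chain depth x intel multiplier.

    Weights are assumptions chosen to make crown-jewel, late-stage alerts
    dominate; a real deployment would tune them against its own history.
    """
    if alert.phase not in KILL_CHAIN:
        raise ValueError(f"unknown kill-chain phase: {alert.phase}")
    # Unknown hosts default to the middle tier: an unrecognized asset is
    # itself a gap in the inventory and should not be silently dropped.
    tier = tiers.get(alert.asset, 2)
    phase_weight = KILL_CHAIN.index(alert.phase) + 1
    intel_mult = 2 if alert.indicator in intel else 1
    return tier * phase_weight * intel_mult


def triage(alerts: List[Alert]) -> List[Tuple[str, int]]:
    """Return (alert_id, score) pairs, highest priority first."""
    ranked = sorted(alerts, key=score, reverse=True)
    return [(a.alert_id, score(a)) for a in ranked]


def share_report(alert: Alert, org_secret: str) -> Dict[str, str]:
    """Build the record an alliance member would submit.

    The attacker-side indicator and the phase are kept; the victim host is
    replaced by a keyed hash so members can correlate repeat reports from
    the same organization without learning who it is. org_secret must be
    a per-organization secret, otherwise hostnames could be brute-forced.
    """
    pseudonym = hashlib.sha256(
        (org_secret + "|" + alert.asset).encode()).hexdigest()[:16]
    return {"indicator": alert.indicator, "phase": alert.phase,
            "victim": pseudonym, "source": alert.source}


# Constructed sample alerts, one quarter's worth of "noise plus one real one".
SAMPLE_ALERTS = [
    Alert("a1", "lobby-kiosk", "delivery", "invoice.pdf.exe", "signature"),
    Alert("a2", "hr-fileshare", "installation", "svc_upd.dll", "behavioral"),
    Alert("a3", "erp-db-01", "command_and_control", "203.0.113.7", "behavioral"),
    Alert("a4", "source-repo", "reconnaissance", "203.0.113.7", "behavioral"),
]

if __name__ == "__main__":
    for alert_id, s in triage(SAMPLE_ALERTS):
        print(f"{alert_id}: {s}")
    print(share_report(SAMPLE_ALERTS[2], "per-org-secret"))
```

Run as a script it lists the alerts in order: the command-and-control beacon from the customer database outranks everything, the low-value kiosk phishing alert comes last, and the shared record for the top alert carries the attacker’s IP and the kill-chain phase but not the hostname.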
Martinez asserts that the way security is performed in most organizations has to change, and contends that this proactive strategy of emphasizing intelligence gathering about adversaries is far more effective in stopping the most serious threats, and a more cost-effective way of allocating security resources. “Today, it takes about 200 days on average to identify a targeted threat, and more than 80 percent of the time it’s discovered by someone other than the victimized company,” Martinez says. “That’s unacceptable.”
The Expansion of Responsibilities
In 2012, the SANS Institute reported that the most serious network intrusions are the result of seemingly harmless user actions, such as clicking on an e-mail attachment from an unknown sender or downloading an app from a questionable source. That fact is still true today. “The majority of malware is coming from phishing or spear phishing,” Martinez says. (Spear phishing is a targeted attack in which the bad actor first profiles an individual using sources such as social media, then crafts a message tailored to that person to harvest passwords or deliver malware.) “Technology can protect to a certain extent by identifying malware or hackers attempting to penetrate a network, but it’s hard to protect against human mistakes that inadvertently proliferate malware by clicking on seemingly harmless links.”
Martinez says the solution begins with education. The IT department should spearhead organization-wide security training, but even such measures are useless without a comprehensive plan that involves an educated leadership team and a top-down strategy that includes the company board. Martinez believes that officers of companies should be taught to share responsibility for cyber risks, and should be made aware of the common tricks hackers use to gain network access and how to avoid them.
And in the age of bring your own device (BYOD), when employees’ own hardware connects to corporate networks, user education is especially critical. Malware can enter a system through phones, cameras, and other network-connected devices, requiring IT to step up efforts to deploy the best available defenses. “The entire process of acquiring innovative security technologies must be accelerated,” Martinez says.
With many companies moving to cloud models for data storage and application services, risk is being systematically spread to vendors via an information supply chain that is sometimes not clearly defined. Exactly where the vendor’s responsibilities lie concerning security needs to be delineated. “IT will need a new level of expertise about how to write contracts to reduce liability,” Martinez says. New cybersecurity strategies require a comprehensive approach that crosses all functional areas, including legal, risk management, ROI, audit, compliance, budgeting, contract language, governance, and policy best practices, as well as technology.
All cybersecurity issues are amplified by the undeclared cyber war. Consider that in May 2014 the US Justice Department indicted five Chinese military officers for stealing trade secrets from five US enterprises and a trade union. “If you’re not optimizing the cleaning up of advanced malware, you are helping the enemy steal from us,” Martinez says. “When other countries systematically and illegally acquire valuable intellectual property because of a failure of a company to protect its data, our entire economy is harmed.”