Cyber security is not just a technical problem. It is a business risk that requires the attention of a team, including top management, to ensure protection from cyber risks.
There is no getting around it. Cyber threats are increasing. They will continue to do so. The world economy is slowing. The reason is emerging markets, including Russia and China. As other opportunities recede, talent will migrate to those areas that still provide employment. Since cyber theft is a growth industry in many of these countries, it will flourish as other sectors of the economy wilt.
Besides, as the industry matures, it is becoming more efficient. It is segmenting and industrialising. It is not just a few talented programmers or über hackers practising their craft. Services provide everything from email design for ‘phishing’ campaigns to downstream money processing services.
To combat this problem, the technology industry has created advanced software and hardware that are wonderful examples of creative genius. Still, no matter how high the walls, the defense has to be manned by people. To ensure that your firm will be protected, there are five areas that require management’s attention.
Osaka Castle was a wonder of its age. It was able to withstand a siege by one of Japan’s greatest leaders, Tokugawa Ieyasu, in 1614. The secret of Osaka was defense in depth. There was not just one moat, but two. The same is true of any good cyber security system. It is not just the perimeter that needs to be defended, but the interior as well. You do not want the proverbial hard candy shell and an ooey gooey center.
The second important area has to do with the type of business. Cyber security spending has to match the security failures of your particular business. Do you have sales people who are constantly losing laptops on the road? Then full disk encryption is a necessity. Does your business have auxiliary devices like printers, digital scales or even medical equipment connected to your network? Just because these machines are not considered computers does not mean that they cannot be used to compromise your information.
The third has to do with the most important part of your cyber defense: people. When I was at Darden, the UVa business school, there was a computer simulation of a failing business. The only input that actually helped save the business was more training for the employees. This is especially true for cyber security. People cause the vast majority of cyber breaches. Awareness of the tricks of social engineering can prevent circumvention of the rest of your security controls.
Fourth, it used to be said that the only time that you wanted your name in the paper was when you were born, when you married and when you died. The advent of social networking has changed all that. Now your friends, relatives, business associates, Google, the NSA and every would-be cybercriminal know who you are, where you are and what you ate for lunch. This is exceptionally valuable information if I want you to click on a link and infect your computer with malware. Less is more.
Finally, one of the best defenses is strategic, specifically strategic governance. Cyber security is not just a technical problem. It is a business risk. Like any other business risk, it requires the attention of a team including top management. Enterprise risk management capability requires a larger focus than one specific area of expertise. To achieve the strategic goal, it is necessary for all experts in any discipline to be multilingual. They have to understand other problems, but just as important is the ability to communicate in ways that non-technical stakeholders can understand.
While it is impossible to eliminate this threat, especially as it metastasizes across industries and borders, the risk can be substantially reduced if it is seen in context. It is not just a technical problem with a technical solution. It is a business problem that requires a management solution.
(William Gamble is president of Emerging Market Strategies. An international lawyer and economist, he developed his theories beginning with his first-hand experience and business dealings in Russia starting in 1993. Mr Gamble holds two graduate law degrees. He was educated at Institute D'Etudes Politique, Trinity College, University of Miami School of Law, and University of Virginia Darden Graduate School of Business Administration. He was a member of the bar in three states, over four different federal courts and speaks four languages.)