Black hat hackers, spear-phishers, botnets, remote access trojans, evil maid attacks, man-in-the-middle attacks, spoofers, malware and worms. You thought effective cybersecurity was difficult, complicated and strange-sounding before. Well, get ready for the future.
Aside from teaching employees to pick better passwords, many companies have gone to great pains to teach their people not to click on attachments or links in potentially suspicious emails. The fear is that they may inadvertently launch a malicious program that enables an outside party to gain unauthorized access to corporate systems. Studies have shown that up to 1 in 4 employees continue to fall for such schemes.
But get ready for this.
- A fully realistic voicemail, with an accompanying email, apparently from the CFO to the controller, directing a funds transfer between corporate entities but with wire instructions that differ from the ones on file.
- A convincing artificial intelligence (AI) powered deepfake video of your CEO engaging in highly questionable conduct, posted to YouTube, with an immediate impact on your share price.
- A phone call with caller ID spoofed to appear to come from the executive offices, telling a securities analyst of the CEO's unexpected resignation ahead of a major earnings announcement.
Add the Internet of Things (IoT), the next generation of wireless broadband (5G) and the latest strains of ransomware to the mix, and you soon realize that broader thinking about effective cybersecurity and the different types of threat will be required. New habits will need to be adopted. Major catastrophes may not so much be failures of technology as failures of imagination. Tie the above together and start thinking about worst-case scenarios.
We are all vulnerable.
Rather than hoping and praying that these kinds of crazy-seeming fraud attempts will not happen at your company, your law firm, your non-profit organization or your government agency, assume that they will. We are all vulnerable. Start thinking through how you would respond. What would you do in such an instance, and how would you do it? Who specifically would be on point to respond? Are there outside vendors you would need to bring in at a moment's notice? Would you scramble an internal task force? I encourage you to make plans now, to bring in experts to validate those plans, and to brief the Board of Directors on the organization's readiness and strategies for effective cybersecurity.
There are decidedly non-technological strategies for limiting the damage in these cases. There are straightforward policies and powerful habits your company can adopt that will make life very difficult for nefarious outsiders and that will give you the upper hand if disaster strikes. A callback to the CFO on a known number before any payment goes out to changed wire instructions, for example, defeats the first scenario above no matter how convincing the voicemail sounds.
My Advice.
If you serve on the Board of a major company, consider enrolling in NACD's Cyber-Risk Oversight Program, run in collaboration with Carnegie Mellon University's CERT Division of the Software Engineering Institute. It will teach you what kinds of questions to ask in the boardroom without trying to turn you into a cybersecurity analyst. I went through the program several years ago when it was first launched and found it to be an excellent investment.
If you are part of a small business or non-profit organization, consider the National Institute of Standards and Technology (NIST) Small Business Cybersecurity Corner. It is full of free educational resources from the Cyber Readiness Institute and the Department of Homeland Security.
Most of all, as you head into the New Year, keep learning and adopt new habits with cybersecurity in mind.
Michael Marquardt has earned the Certificate in Cybersecurity Oversight from NACD, Ridge Global and Carnegie Mellon University’s CERT division and is an Advisory Committee Member of the University of South Florida’s Cybersecurity for Executives program.