Thursday, June 18, 2015

Hack Me Out To The Ballgame. Cyber Attacks a Game Changer.

There is little question that cyber security is more important than people ever imagined it would be. Just a few short years ago, having up-to-date firewalls and anti-virus software was considered more than enough protection for most companies and organizations. Today, however, C-Level Executives are faced with a new, more simplified information security-focused raison d'être: "Keep us out of the news."
A recent report indicates that cyber-attacks increased by 48% in 2014 alone, and that number has rapidly increased through 2015. In addition, almost every major company (whether in retail, sports, entertainment or even the Federal government) has faced at least one cyber-attack in its past; when successful, those cyber-attacks yield damages in the millions to billions of dollars, as well as create public relations nightmares.

Hack me out to the Ballgame

The most recent negative headlines involve America’s Pastime. The St. Louis Cardinals, with the best record in baseball this year and a perennial playoff contender, are under investigation by the FBI and Justice Department for hacking into the Houston Astros database (called Ground Control) to garner closely guarded information about the inner workings of the Astros front office, and specifically General Manager Jeffrey Luhnow.
The biggest question is: why would one of the most successful franchises over the past 20 years want to steal information from one of the worst teams over the past 10 years? The answer is Luhnow. He did not come from a baseball background when he joined the Cardinals back in 2003, but his use of analytics in drafting ballplayers figured prominently in the sustained excellence of the organization. After moving to the Astros in 2011, Luhnow built Ground Control to help revamp that struggling franchise. It was from Ground Control that information began to spill out for 10 months until June 2014 when the FBI was called in. While it is still an ongoing story, rumors swirl that the hackers were able to infiltrate by using passwords from the system Luhnow had used in St. Louis, and that the hack was not as much a theft of baseball operations data as it was more of a character assassination attempt on Luhnow.
The Cardinals officials who orchestrated the hack will certainly be prosecuted by the Justice Department, and the team itself will have fines levied and lose draft picks; never mind the public relations hit they will take being branded as cheaters. According to Luhnow, Ground Control's security has been upgraded. Better security training, including a stronger password creation methodology, might have made this hack a big whiff.

Caveat Emptor

As the 2013 holiday shopping season began in late November, hackers installed malware on Target's Point of Sale (POS) registers that was designed to capture customer contact and credit card information used at its almost 2,000 retail store locations. By December 15th, Target confirmed the data breach had resulted in the theft of personal information (including name, address, email, phone, etc.) of over 70 million customers, as well as 40 million compromised customer credit and debit cards.
Three days later, CEO Gregg Steinhafel sent the following letter to customers detailing the breach:
In the weeks that followed, Target, once associated with "quality for less" and praised by Forbes in 2010 for "getting the simple things right (and a lot more)", incurred a constant and sustained barrage of media coverage that resulted in a public relations disaster that brought about a 46% drop in quarterly year over year profits.
On March 4th, Steinhafel, in an effort to restore the company's reputation among wary shoppers concerned about the security of their personal data, announced the resignation of CIO Beth Jacob. By May 5th, Steinhafel himself was gone, having been forced to resign his positions as President, CEO and Chairman of the Board of Directors.
Steinhafel's ouster demonstrates that cyber-attacks and the damages they inflict place BOTH organizations and their executives (not just Chief Information and Chief Information Security Officers) at risk.
Ultimately, the Target breach was wholly avoidable, as a recently purchased $1.6 million installation of FireEye (an advanced persistent threat anti-malware system) would have detected and deleted the malicious software. Unfortunately for Target, they had turned off the feature that would have stopped the attack. The great Target lesson is that company managers need to be armed with the knowledge required to understand the importance of preventing and combating cyber-attacks, as well as the requisite knowledge and training with which to contribute to security policy decision making. All C-Level Executives need to understand more in-depth technological concepts to collectively solve information-security challenges and ensure that their company does not fail both its consumers and its shareholders.

"Angelina Jolie is a minimally-talented spoiled brat - between you and I"

While it is an unfortunate reality that new stories of cyber-attacks are coming out all the time, perhaps the most embarrassing in recent memory is the Sony Pictures breach from late 2014. During that attack (which had possibly been going on for a year before it was discovered), hackers were able to access everything from how much Sony was paying actors in its movies (and private email correspondence between Sony executives about what they really thought of certain actors, such as Angelina Jolie), to the raw video footage of upcoming movies (including The Interview, which was originally supposed to be a holiday tentpole for Sony), to countless documents about internal business operations. While experts still aren't sure exactly how much the Sony breach will ultimately cost, estimates have already exceeded $100 million (and counting). However, perhaps even more important than the monetary cost (or at least as important) is the damage that Sony's reputation has suffered.
Perhaps the biggest loser from the breach was Sony Pictures co-chairwoman Amy Pascal. The release of her private emails gave intimate behind-the-scenes access to Sony Pictures' day-to-day operations, but the back-and-forth emails between her and other high-profile Sony and Hollywood players derided not only actors but also President Obama. These emails subsequently led to her stepping down from her co-chairwoman position in May.
Again, the ultimate cost to Sony's reputation has yet to be determined, but it isn't difficult to envision actors and actresses who are reluctant to trust Sony with salary and other sensitive information, at least until Sony can prove that it has completely revamped its cyber security protocols.

Even the Feds aren’t secure

Large for-profit corporations aren't the only entities at risk of cyber-attacks. Just in the past few days, it was announced that servers of the United States Federal Government (specifically the Office of Personnel Management) were hacked over a 5-month period, with as many as 14 million former and current civilian employees' Social Security numbers, birth dates, job assignments, training records, and benefit selection decisions being stolen.
According to Michael Esser, an assistant inspector general of the Office of Personnel Management, testifying before the House Committee on Oversight and Government Reform, the agency has persistently failed to meet basic computer security standards, and Katherine Archuleta, the head of the OPM, faces congressional pressure to step down. Esser stated that many of the people hired to run the agency's IT department had no computer experience, and that the agency itself did not discipline its employees after it failed several security audits. Archuleta, according to lawmakers, was told by the inspector general on multiple occasions to shut down the hacked system, but ignored those warnings, exposing the information. Committee Chairman Jason Chaffetz, R-Utah, said that the OPM's security strategy was on par with leaving its doors and windows unlocked and trusting nothing would be stolen, and called on Archuleta to step down.
In response to the OPM hack, Federal Chief Information Officer Tony Scott ordered government agencies to beef up their network security by launching the "Cybersecurity Sprint", a 30-day program to implement better cyber security protocols. The fallout from this hack remains to be seen: will this information be used as leverage to force OPM employees to spy for foreign services? Will better training shore up our porous cybersecurity defenses? Will anyone's head roll?

How industry is reacting to the new realities of cyber security compared to how they SHOULD be reacting

It should come as no surprise that the cyber security industry has started to grow rapidly as a result of these new realities. While the global cyber security industry is expected to grow to an impressive $106.32 billion in 2015, that number will shoot up to an estimated $170.21 billion within the next 5 or so years.
The most important thing that companies and government entities should do is ensure that they have talented individuals working on their cyber security. This means either hiring and developing experts directly, or contracting the work out to a reputable IT company that has a proven track record of being ahead of the curve with regard to cyber security.
It is also important for companies to secure critical company data on proven enterprise-grade platforms. While "cloud" platforms are a viable option, these platforms require even stronger assurances that data is secure (since a hacker breach can result in a complete loss of secured data).
To stay ahead of rapidly evolving threats, companies, contractors, and government agencies alike must move aggressively to recruit, educate and train a cyber-workforce for the future, with the skills we need to tackle this problem in the years ahead. Industry certification programs like (ISC)2's Certified Information Systems Security Professional (CISSP) provide both a path to skills competency and a means to evaluate proficiency in this increasingly visible field.
Christopher D. Porter is the Chief Executive Officer of Training Camp, Inc. (http://www.trainingcamp.com). Training Camp (TC) is a leading provider of information technology and security training courses. Founded in 1999, TC has successfully trained nearly 100,000 certification candidates worldwide.