made things any more secure? Although that’s an oversimplification, that’s the phenomenon in organizations: We’re building stronger doors but leaving keys all over the place. That’s why the organizational and managerial aspects of cybersecurity are so critical.
But cybersecurity has to be done across the value chain, doesn’t it? It’s not enough if your company has great cybersecurity policies if they don’t extend to your suppliers.
MADNICK: You’re right. People often use the expression “e2e” — end to end. Your piece of the puzzle may be perfectly secure, but nowadays, everybody is interconnected in one way or another. For example, the break-in that Target experienced took place through a heating, ventilation, and air conditioning maintenance company, which had access to some Target systems. Likewise, the SWIFT messaging platform for financial institutions was exploited through vulnerabilities at Bangladesh Bank, which lost $63 million.
Is there any industry that you see doing a really good job at managing cybersecurity issues?
MADNICK: I’d rate industries from poor to terrible. On that scale, financial services is probably doing a better job than most other industries. On the other hand, they’re the ones who are probably the targets of the largest number of attacks. So they may be twice as good at cybersecurity, but if they have four times as many attacks, that doesn’t mean they’re in great shape.

I don’t know which industry is the poorest, but hospitals clearly are vying for that position. According to one recent report, 88% of all detected ransomware attacks [where computers are “held hostage” unless the user pays] on organizations are targeted at hospitals, because they’re easy targets. If you’re a hospital and you’re held up for ransomware, would you pay it or not? If your hospital’s computers are held hostage, the patients in the hospital are now to some extent at increased risk. You no longer have access to up-to-date medical records, such as test results and changes to medication. So by not paying, you are possibly putting people’s lives at risk.
What cybersecurity advice would you like to give to MIT SMR’s audience of business executives?
MADNICK: Think in terms of a three-pronged approach: prevention, discovery, and recovery. Gartner recently came out with a report entitled “Prevention Is Futile in 2020.” This is consistent with our viewpoint that if the Pentagon can be broken into, if the NSA [U.S. National Security Agency] can be broken into, if the Israeli Defense Forces can be broken into, why do you think you can’t be broken into? That’s why you need to think in terms of all three steps. Of course, you want to do as much prevention as you possibly can, within reason. But the next two steps are detection and recovery.

According to several studies, the average cyberintrusion can go on for more than 200 days before it is discovered. I also read a recent report that says in the Asia Pacific region it’s 520 days — more than double. So our ability to detect that something funny is going on is pretty poor. By the time you discover the attack, the hackers have probably been rummaging around, stealing documents, and doing things for a long time.
I joke that if at 5 o’clock every day, one of the people leaving the bank walks out with a wheelbarrow full of money, do you think someone would notice after a few days? Yes, probably! But things like that happen all the time in computer systems, and nobody is paying attention. Maybe it’s not quite as visual, but there are funny things going on, and often no one is even looking to see if there’s anything suspicious.
And then finally, recovery is very happenstance. By and large, CEOs are caught unprepared when someone shoves a microphone in front of them to talk about the cyberattack that was just discovered at their company. And that’s just part of the recovery. Other questions to figure out: Have we actually cleansed our system, or is the attack still going on? How do we make sure it doesn’t happen again next week?
Much like my comment that industries range from poor to terrible on cybersecurity, the same thing applies to the three prongs. Most organizations are poor at prevention, pretty bad at detection — and probably terrible at recovery.
I jokingly say that not that long ago, cybersecurity was a task you assigned to the junior assistant programmer trainee, and his job was to go desktop to desktop loading the latest Microsoft patches. Now you have the CEO of the company being interviewed by the news station when a cyberattack is discovered. So it’s been a total inversion, if you will, up to the highest level of the organization. Until recently, most CEOs barely even knew how to spell cybersecurity! So there are lots of issues to deal with. What is the cybersecurity education needed at each level of the organization? What is the preparation needed? How do we deal with these attacks? Executives need to take these questions seriously.
Back in 1979, I coauthored a book called Computer Security. What’s interesting is that the conclusion to one of the chapters was, essentially, that if you don’t address the people issues in computer security, you’re missing half of the problems. When I repeated that message at a recent meeting with executives and said that I thought that was still true today, I was criticized because, as one executive put it: “You greatly understate the human contribution to the problem — it is far more than 50%!”
What Executives Get Wrong About Cybersecurity
Reprint 58232. Copyright © Massachusetts Institute of Technology, 2017. All rights reserved.