PARKVIEW Technology Merchant Bank organizes the NetForum to provide a Peer to Peer learning network to CxOs of Digital Businesses and Corporate Development & Strategy executives in larger, established companies.
The NetForum NY monthly breakfast was hosted at Bank of America on June 25, 2015 — many thanks to Bina Kalola, Managing Director, Global Banking & Markets Financial Technology Investments at BAML. The topic was CyberSecurity, and our guests were Mark Clancy, CEO of Soltra, and George Orlov, CTO of DMGInfo.
This discussion was not a technical “How To.” I was more interested in obtaining a framework for understanding the threats to which our company, our portfolio companies and our clients’ companies are exposed and what is a “commercially reasonable” response. Thanks to our guest experts and the other members of the NetForum who contributed from their experience, we all got a fantastic education. Read on to see what we learned. (The NetForum guarantees confidentiality to members’ discussions and thus no one is quoted.)
The Math Favors the Bad Guys
A steady number of hackers are joining the “hack-force.” Few are taken out by law enforcement, which is either ill-equipped or, when in an unfriendly country, looking the other way. So the number of bad actors naturally increases.
It is easy to acquire the tools of the hacker trade — they are available online from many sources, not prohibitively expensive, and one doesn’t have to be a technical genius to use them. In many instances, hackers’ tools are provided by people, organizations or states that are encouraging the activity for their own ends.
A single hacker can inflict damage on many targets. Once a vulnerability has been discovered, it can be exploited on a large scale by simultaneous attacks on many targets that may be similarly vulnerable. In other words, “hacker productivity” is high.
This “simple math” — a growing, easily equipped and productive workforce — is the reason why the threat level is rising.
Understanding Your Risk Profile
The starting point in defending yourself is determining your risk profile, based on the hackers’ motivations. Hackers can be broadly classified into four groups according to their motivations (which you can remember with the acronym CHEW): Crime, Hacktivism, Espionage and War.
Crime. If you store credit card numbers, you have a higher risk profile than if you store scores and stats for your local baseball team. The perpetrators here are economically motivated and are looking for something they can sell or currency they can use. They are rational: if the cost of doing business rises, the activity may decrease or they may look for easier prey.
Hacktivism (hacking for social or political purpose). The hacking is not done for a direct pecuniary gain but is targeted at what you represent. If you are involved in political activity, you are a target. But you could become one overnight with an unfortunate tweet that will offend someone’s social or political agenda. The perpetrators’ motives are hard to influence.
Espionage. The perpetrators are seeking specific information for a corporate or state client, are usually very well equipped and may want to cover their tracks. Military actors are aware of their exposure. However, the scope of companies exposed to this type of threat is increasing due to the low barriers to entry described above. Many companies do not realize that they might be contributing to reducing their competitors’ R&D budgets…
War. This category of actors intends to inflict direct harm by interfering with the proper functioning of an organization, process, machine or system. You will know when you are attacked, but you might not know you are a target until it is too late. You might not realize that you are critical to a system, or that you are a back door into a critical system.
Your exposure to risk, and the extent and type of protection that you must acquire, is directly related to your exposure to these various motivations and perpetrators. The risk exposure to some actors may be permanent, while exposure to others may rise and fall based on actions you take, public statements or world events. Understanding this matrix of risks can give a CEO or a Board a framework for gauging the required level of investment in defense and the type of actions that may decrease the risk profile.
Responding to the Threat
One of the striking comments that emerged in our discussion is that the responses to break-ins that we read about in the news nowadays may be overkill and wasteful, often a reaction to having been embarrassed. Since the level of preparedness is so low in many businesses, break-ins expose stupidity if not criminal negligence. This leads to over-reaction and waste, but it does serve to increase awareness among Boards and executive suites that there is an issue they need to get ahead of.
As mentioned earlier, we did not delve into specific technical solutions that would prevent a breach. It was almost a given that a motivated hacker would break into any system. But we did not absolve anyone from meeting a minimal standard of preparedness, and some of the war stories we heard reflected pure and simple stupidity, and that is not excusable. On the other hand, no one had a handy short list of to-dos; the security questionnaire is a long document with many questions. Having seen several of them, I am not sure that the average CEO even knows what the acceptable “score” on the security questionnaire is, or what the right number is for the business in question.
Under these circumstances, a number of approaches were suggested.
Minimizing the damage with proper data governance. Many businesses, and technology businesses in particular, take a liberal approach to data collection and data retention. The prevailing notion seems to be to collect as much data as possible — since data is the new gold, the more the better, right? So, collect and store it. But with data collection and storage should come responsibilities. The data is the user’s data and the business is a guardian of that data. But without incentives to safeguard the data, and a cost to do so, bad data collection and retention policies continue and the result is harm to users. Could it be that in the absence of governmental regulations or a workable market mechanism the hackers are effectively rebalancing the scales and forcing companies to think twice about collecting and storing unnecessary data?
Federated Defense. In light of the hackers’ cost advantage — “invest” once in discovering a single vulnerability and in building a process to exploit it on a massive scale — a solution that raises the cost to hackers would discourage them. Soltra raises the cost to attackers by crowdsourcing attack detection. It is creating a network of clients who instantly and automatically share with the network the fact that they have been attacked and how, enabling others to immediately raise their defenses and fix vulnerabilities (Soltra is working on automating the entire process). Hackers’ productivity is severely reduced if their investment is recoupable only against the first target they hit.
Insurance. We could have spent an entire hour on this topic alone. What was established in our short discussion was that the insurance response is promising but that the market is still embryonic, resulting in mispricing of the risk for most companies. A solution that involves meeting minimal security standards, joining a real-time, federated response network like Soltra’s, having good data governance, and joining an insurance exchange sounds quite promising to me — but I am not an expert…
A Framework for CEOs and Boards
Coming into the meeting, I was looking for a framework to help me assess the adequacy of a company’s investment in security. If we start with the generally correct assumption that all companies are underinvesting, then what is the spending gap and how does it affect a Board’s priorities or an investment committee’s decisions?
I was not handed a handbook but I think that our experts planted a framework in our minds that will be quite helpful. Thanks again to Mark and George and the NetForum members who contributed to the discussion.