Executive Protection in a Virtual World
Another day, another howl of reports detailing how a company has lost its most critical data or how some crucial part of our modern life is newly vulnerable to cyber crime.
The exponential growth of our connected selves has arguably created a golden age for bad guys: one huge cyber pond for them to fish in.
There are different ways to read the signposts presented by recent attacks and each security industry professional and government spokesperson seems to take a different perspective. But the angle often neglected is the protection of the individual, which is the issue I raise in this article. Re-thinking how we protect individuals who hold valuable information within our organisations, or even how we can protect ourselves, should start to be the focus of our work.
The Target Corporation attack
One of the most significant reported corporate cyber attacks to date was the 2013 attack on the Target Corporation. The headlines are now familiar: removal of the CEO Gregg Steinhafel, removal of the CIO Beth Jacob, 40 million credit card numbers stolen, 70 million customer records gone, 46 percent drop in Q4 profits, $100 million, and growing, cyber remediation cost to Target, and a $53.7 million income made by hackers.
This was a shock to big corporate America as the warnings of cyber disaster were realised.
Of all the lessons, the one which is worth highlighting, and which offers guidance for the future, is one rooted in the theoretical mechanics of how it happened. Cutting a long and technical description short, the attackers gained access to Target’s corporate data via the employee of an HVAC vendor contracted with Target. The individual working for the HVAC vendor was the weak link in the digitally-connected realm of Target operations, allowing the attackers a way in.
The FIN4 attacks
Of a similar nature are the FIN4 attacks, which were revealed towards the end of 2014 although they began in early 2013. The FIN4 attackers broke into the email accounts of key advisors with insider information about publicly traded companies. The attackers targeted lawyers, accountants, and various other advisors with a weak personal or corporate cyber security framework in order to glean information from the companies they worked for (their clients).
This information was in turn used to trade on public markets for the benefit of the FIN4 actors. What these attacks have in common with the Target breach is the use of loosely defended peripheral entities to access the primary victim of the attack. In a highly networked world, your lawyer and your HVAC vendor are new vulnerabilities to consider.
Pushing the perimeter
Cyber security has grown up defending a certain corporate perimeter, but what has become increasingly apparent is that this perimeter needs to be thoughtfully pushed outward to defend the data and the communication nodes that sit outside the corporation’s core. Often these nodes are individuals who are working outside the corporate environment, sitting on their home networks or using the free Wi-Fi offered by the hotel they are staying at. These individuals need protecting.
While the perimeter has changed, so too has the essential nature of the assets that require protection. Financial assets and sensitive data have a long history of being defended, but in an increasingly digital world, other virtual assets have significant value to the individual. Email, family pictures and video, and your Internet connection itself are all commodities which can be fraudulently acquired and traded on black markets for profit or ransom. The age of the roguish hacker has given way to the highly-monetised (highly-commercialised) world of the cyber crime market, which provides methods and incentives for the numerous attackers arrayed against our corporate and individual systems.
The challenge, which applies to both corporations and individuals, is that more devices are connecting to the Internet at an increasingly rapid rate. Each new device adds a new attack surface, which can be exploited to access the network behind it. Smart thermostats, webcams, even health wearables all add a new layer of vulnerability. And what’s more, even if you practise good digital hygiene as an individual or an organisation, you can still be made insecure by a leak elsewhere, which allows for a targeted attack against you. The only response is to have an adaptive defensive system that can handle this fluid environment.
The problem is complex, but by placing the individual back at the heart of a defensive cyber strategy some gains can be made. Using adaptive cyber defences around individuals and providing them with cyber safe-zones, in which to conduct critical information tasks, is surely a sensible response to the growing threat.
There is significant security industry experience in protecting individuals in the physical realm and that level of expertise now needs to migrate into the digital space. Whether it be as corporations or as individuals, it is critical that our digital selves are defended in order to safeguard our own assets and those of our employers.
Roderick Jones
CEO, Concentric Advisors