Cybersecurity: People, Debt, and Culture
Bolstering your company's ability to withstand a breach
Special Supervisory Agent Gabe Gundersen manages a Cyber Task Force and the Cyber Program at the FBI. According to his field intelligence, the annual costs of cybercrime exceed $600 billion, an average of $4 million per breach. Only 1–5% of these crimes are ever brought to justice.
Beyond the monetary costs of cybercrime are the impacts to reputation, trust, and respect. Climbing out of the financial hole caused by a breach in your cybersecurity is only the first step toward recovery.
With all that is at stake, does your company have a handle on how to prevent, treat, and bounce back from a cyberattack?
Cara Snow is the Chief Community Engagement Officer at the Technology Association of Oregon (TAO), a nonprofit helping to establish the Northwest as a global hub for innovation by supporting the regional tech industry through business and policy development.
"Your number one risk factor and your number one threat is your employees," says Snow. "It's your single weakest link and point of failure. The threat evolves every day, making it difficult to keep employees trained on best cyber practices."
Snow frequently hears stories from organizations where well-meaning employees open phishing emails disguised as an invoice from a familiar vendor, only to have their hard drives captured.
Computers are connected to the larger network, spreading the virus to units throughout the enterprise within minutes. IT teams have to rebuild every hard drive in an office to get the system back up and running.
"These things happen every single day," says Snow. "And since the majority of companies are small businesses without dedicated tech support, an attack like the one we suffered could put you out of business."
Computers are no longer the only network devices. The Internet of Things (IoT) is widely thought to exist in some future state. But IoT is now.
"If a connected thermostat is running the HVAC in your office building," says Snow, "it could be connected to your network."
This highlights the fact that cyber is cross-functional and interconnected. Every business has countless touchpoints that interface between the internal network and the outside world.
"HR has its own systems. Finance has its own systems. Same goes for engineering and development, marketing and sales. But all of those systems," says Snow, "are on the same network and pose the same level of threat from a vulnerability standpoint."
Failure to understand the comprehensive, interconnected landscape of various systems can blindside a company. And when business leaders neglect to make cybersecurity and cyber readiness company priorities, they only exacerbate the deep and systemic threat.
Wu-chang Feng is a professor in the Department of Computer Science at Portland State University, where he works on topics in networking and security.
"You have people deploying software and hardware left and right in your organization," says Professor Feng, "and if you can't track all of that stuff, you could be vulnerable. That's just the world we live in: connectedness, the ability to deploy so much software in so little time. The attack surface of any organization is enormous."
Employ enough software engineers over time, and a company begins to accrue what Professor Feng calls technical debt.
"Your engineers are taking in packages from the internet, using them in your projects, deploying test and development servers," he says. "When these engineers leave the company, all of that stuff stays behind. The people who come in after are afraid to touch it. That's technical debt. 'I don't want to touch this code. I don't want to touch that server. I have no idea how much of my stuff relies on that stuff, so I'm going to leave it alone. What if I make an update and the thing breaks? The person who could fix it has left.' Technical debt makes you very vulnerable to new attacks."
Preparation as culture
Kathryn Albright is Executive Vice President and Head of Global Payments & Deposits at Umpqua Bank. She works with clients to identify solutions and technologies that they can employ to gain efficiencies in capital management.
Albright emphasizes the importance of a security breach business plan from start to finish. "It has to be in every company's strategy to build in some measure of training, prevention and education. They should know what to do if something does happen and who to call first. I think the more timely a company is in detecting and acting on a fraud loss, the more effective they're going to be at trying to recover at least some of the loss," she says.
Equally, it's important to understand that there is not a single, monolithic step that companies can take to protect themselves. In that way, cybersecurity is no different than staying healthy. Eat right. Exercise. Get more sleep. And even then, that's no guarantee. Cybersecurity, like personal well-being, is a lifestyle.
"You can tell people to be more secure," says Professor Feng, "but if it impacts workflow, you're going to get pushback." Which is exactly why cybersecurity has to be baked into the foundation of your company culture.
This is a fight. And your business needs smart, pragmatic, and resourceful allies at your side. Financial institutions hold a pivotal role in counseling, educating, and guiding businesses through the minefields of cybercrime. At Umpqua Bank, we take this job seriously.
Learn what your business can do to face the new realities of cybercrime.