Early in 2013, US Attorney General Eric Holder issued a report on online theft in which he said that companies fall into two categories: Those who have been hacked and know it, and those who have been hacked and don’t know it.
In March 2013, the director of US National Intelligence, General James Clapper, went before the US Congress and said, “We have a new Number One threat: It’s not terrorism or nuclear weapons. It’s cyber attack.” Appearing with Clapper was Keith Alexander, the four-star general in charge of the US Cyber Command, who said cybercrime constitutes the largest transfer of wealth in history.
Much of the cybercrime activity these experts warn about takes the form of cyber espionage. Espionage used to involve recruiting a guy who worked for another country to spy for you. You’d pay him a lot of money and he’d get a little bit of information, but eventually he’d get caught and killed. It was a messy business. But with cyber espionage, spies sit at home, in Shanghai or Kiev, and hack their way into American, European and Japanese companies, targeting research and development (R&D) data and plans.
I recently saw one company that had spent eight years and US$1.3 billion on just one R&D project, only to have Chinese hackers break in and steal it all in one afternoon. And it’s not just R&D. Every company has valuable information: Customer lists, plans for new products, etc. But those firewalls, and that antivirus system and that intrusion prevention system you bought? None of that is stopping them from getting in and stealing the crown jewels.
What can you, as a company, do to fight cybercrime and cyber espionage? First, use your muscle and your voice to create better technology that works. We’re still using the same generation of technology to defend our networks that we were using in 1998.
I’m advising my clients to stop thinking about the perimeter defense. Stop thinking you can protect yourself with antivirus and firewalls and intrusion-detection systems. Think instead about two things: What are the crown jewels of your company? And what is the worst-case scenario?
Every time I do a crown-jewels exercise with a company, we find a different answer than the CEO expected. Determine what and where your crown jewels are, then harden and protect that.
Once you identify the crown jewels, determine the worst-case scenario. It might be losing the crown jewels, or it might be something else. Design systems to minimize and prevent that, and to be resilient when it happens. Then, train for it. I’ve been in too many companies where they just realized they’ve been breached and there’s no plan. They’ve never drilled it. Don’t make your first crisis situation be the real one: Address it in advance of that disaster happening. Because it’s only a matter of time.