A Blog by Jonathan Low


Jun 13, 2022

How Leadership So Often Contributes To the Cybersecurity Threat

Leaders, by dint of personality and experience, tend to focus more on opportunities than consequences. Positivity - and the compensation design that usually reinforces it - encourages such an outlook. 

But that also tends to sublimate concerns about threats, especially if they require investment of time, energy and financial resources that may not directly contribute to sales and profit growth. And it promotes easy plug-and-play, "this is a tech problem" solutions. Smart leaders now recognize that every company is a tech company and that preparing for the worst is a strategic priority that may be the optimal means of securing desired outcomes. JL

Keri Pearlson and Stuart Madnick report in the Wall Street Journal, image Vadim Ghirda, Wired:

Much of the problem comes from managers seeing security as buying the right software, or tightening defenses, instead of taking steps to make safety a top priority for the whole company. Leaders often see tech as the province of the technology group alone and leave it up to them to maintain security systems. Reports to the board must cover higher-level metrics to help directors understand the risks they are accepting, how those risks will be mitigated, what cybersecurity strategy is being followed and if cyber investment is adequate. Leaders need to make sure the organization is resilient. It should expect a cyberattack will happen and make sure the organization can recover with minimal impact.

Every manager knows it by now: Cyberattacks are frequent and dangerous. You need tough defenses to stay safe.

Every manager knows it. But they still get things wrong with cybersecurity. All the time.

In our research at the Massachusetts Institute of Technology’s Sloan School of Management, we study how managers should build organizations that are resilient to cyber threats, and have found a number of concepts that managers routinely get wrong, leading to wasted resources, poor decisions—and potentially catastrophic cyber vulnerabilities.

Much of the problem, we believe, comes from managers seeing security as simply a matter of buying the right software, or tightening defenses, instead of taking steps to make safety a top priority for the whole company and strengthening the business so that it can withstand attacks and bounce back strongly. Here’s a look at six of those mistakes—and how to avoid them.

1. Focusing on tech instead of employees

Managers often believe cybersecurity is mostly a technological problem, and the best way to protect the company is to invest in more, or newer, cyber defenses. But that ignores the biggest security problem companies face: their own employees.

Certainly, there are tech solutions that can be crucial in keeping data secure. But the reality is that 80% to 90% of all cyberattacks are aided or abetted by company insiders—usually unintentionally. Employees click on phishing emails, visit websites that sneak malware onto their computers and do many other small things that can have a big cost.

That means companies must focus on changing attitudes and values, as well as protecting networks, so that everyone in the company understands the importance of security and works together to keep data safe.

2. Relying on training instead of changing attitudes

But even when companies do try to get employees invested, they usually do it the wrong way. At many companies, making employees a part of cybersecurity means one thing: basic training. In other words, requiring everyone to watch a short video once a year.

Those efforts just aren’t enough. Managers told us time and again that employees who successfully completed training exercises still were fooled into opening up suspicious websites, downloading malware and more. Many employees sheepishly admitted to writing email or playing online games while completing the online program.

It is more effective to build a cybersecurity culture—an effort that goes beyond training and gets employees to see security as part of their job.

There are any number of approaches, from large to (seemingly) small. One financial institution we studied, for instance, began to use the term “data protection” instead of “cybersecurity.” The reason was that many employees didn’t understand what role they had in cybersecurity. But protecting company and customer data was something that every employee understood—the company had emphasized it to them daily for years—so the change in wording had a significant impact in getting the workers on board.

Regular testing, with tangible consequences, can also be important in reinforcing attitudes and habits. In one company we studied, employees were given regular phishing tests. After one failure—clicking on a malicious link in an email—employees had to take a short online course about recognizing dangerous emails. The next two failures meant a talk with their boss, and then human resources. With the fourth mistake, employees got a warning that they might be terminated—and the next time they screwed up, they were fired. The policy sent a clear message and significantly reduced the amount of successful phishing.

3. Leaders who set bad examples

For all of those security initiatives to take hold with employees, though, the company’s higher-ups must be on board, too. And that frequently doesn’t happen. Leaders often see tech as the province of the technology group alone and leave it up to them to maintain security systems and make sure the company networks are kept safe.

But every leader in the organization must continually beat the drum and keep their teams vigilant. In one company we studied, the chief executive started every all-hands meeting with a cybersecurity story, often from the news: a massive security breach, perhaps, or the latest big ransomware attack.

Talking about the attacks right off the bat showed employees that cybersecurity was important to upper management—so employees knew they should make it a priority, too.

Boards of directors must also set an example. When they show interest in cybersecurity, it ensures that senior managers make it a priority, and that cascades throughout the organization. But boards often don’t ask for cybersecurity reports from managers. And when they do, they often rely on those managers to choose what information goes into the reports—which usually means day-to-day data on things like how many employees failed phishing tests, instead of broader strategic information.

For example, directors might ask operating managers what layers of protection the company has put in place and what the company would do to recover should a cyber breach occur. The boards should make it clear that they want to know how the most important assets of the company are protected, and if the cyber investment is adequate. Reports to the board must also cover higher-level metrics to help directors understand the risks they are accepting, how those risks will be mitigated and what cybersecurity strategy is being followed.

4. Not analyzing “small” decisions

Teaching people to avoid things like phishing emails is one thing. But companies make many minor day-to-day decisions as a part of doing business—without thinking through the consequences.

In one of the cyberattacks that we studied, a data theft had been going on for at least nine months—and the private information on many millions of customers was stolen—before the intrusion was stopped.

The breach happened because the company’s “intrusion detection and prevention process,” which is supposed to check for suspicious or invalid internet traffic, had not been functioning. Why? The system needs certificates—digital documents verifying that software or a website is legitimate—to give it access to internet traffic, but the certificates had expired.

So, why hadn’t the certificates been updated long ago? The company had thousands of such certificates, and keeping track and updating them was an error-prone manual task. This problem had been noted in the past and there was a proposal to develop an automated and centralized certificate-management process.

But it wasn’t considered a priority. No one thought of the possibility that the decision—along with 17 other such decisions that we uncovered—might cost the company well over $1 billion.
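The automated, centralized certificate check that the proposal called for can be small. The following Go program is an added example, not code from the article or from the company it describes: it parses each certificate in an inventory and classifies it as expired, expiring inside a warning window, or fine, so that a control such as the intrusion detection system cannot silently lose its certificates. The self-signed sample certificate, its name and the dates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed DER certificate expiring at notAfter: constructed sample data, not a real cert.
func makeCert(cn string, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 key generation does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.AddDate(-1, 0, 0), // one-year validity period
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// CheckCert classifies a DER certificate as EXPIRED, EXPIRING (inside the warning window) or OK at time now.
func CheckCert(der []byte, now time.Time, warn time.Duration) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err // unparsable inventory entries must surface, not be silently skipped
	}
	if !now.Before(cert.NotAfter) {
		return "EXPIRED", nil
	}
	if now.Add(warn).After(cert.NotAfter) {
		return "EXPIRING", nil
	}
	return "OK", nil
}

func main() {
	now := time.Date(2022, 6, 13, 0, 0, 0, 0, time.UTC) // fixed clock so runs are reproducible
	ids := makeCert("ids-sensor", time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC))
	status, err := CheckCert(ids, now, 30*24*time.Hour)
	fmt.Println("ids-sensor:", status, err)
}
```

In a real deployment the inventory would be read from the certificate stores of each system and the EXPIRING list fed to a ticketing or renewal workflow well before the warning window closes.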

Managers must ask themselves: Does the company have a process for evaluating the consequences of day-to-day decisions such as upgrading desktop software or adding a new vendor to its systems? It is worth adding a step or two to the company’s decision processes to make sure new vulnerabilities aren’t opened up.

5. Focusing on prevention at the expense of recovery

Most companies focus only on cyber prevention—trying to keep vulnerabilities from becoming cyber incidents. That is certainly important. But leaders need to make sure the organization is resilient as well. It should expect that a cyberattack will happen and make sure the organization can recover quickly and with minimal impact.

They should ask: How do we respond if we lose this data? How do we react if this breach shuts down one of the core areas of our business? If managers don’t prepare for these possibilities, they might find their flashlight batteries are dead when the lights go out.

Storage tanks at a Colonial Pipeline Inc. facility in New Jersey. A cyberattack on the company disrupted fuel supplies across parts of the eastern U.S. Photo: Mark Kauzlarich/Bloomberg News

Let’s say a company gets hit by a ransomware attack that locks up its data. A resilient company would have anticipated this and have a copy of the data stored in a way that it wasn’t affected by the attack. Many companies victimized by ransom attacks haven't thought about recovery at this level, and often their backup copies are also damaged by the attack—if they have backups at all. Recovery is slowed, and maybe not even possible.

Resilience also means preparing for attacks on other companies, since a company could be disrupted by an attack on a key supplier or customer. For example, Colonial Pipeline, which supplied about 45% of the fuel used on the East Coast of the U.S., shut down its pipeline following a cyberattack last year. The move led to a run on fuel in some areas when thousands of gas stations ran out.

6. Missing the competitive advantage

Many businesses view cybersecurity as a cost to be managed. But it’s much more useful to see it as a competitive advantage.

If a company makes a point of having strong cybersecurity, it may gain an edge with customers who are looking for safety. Beefing up security may also end up saving money—since more-resilient companies don’t get hit as hard by security events.

A billboard in Las Vegas advertising Apple Inc. iPhone security. Photo: David Paul Morris/Bloomberg News

For example, Apple Inc. has made cybersecurity a focal point of its advertising campaigns—and customers who are concerned about privacy and security see an advantage to purchasing Apple products. In addition, this has raised the bar for all of Apple’s competitors. At a bare minimum, they must meet the same security capabilities to stay competitive. But in reality, they must surpass the Apple security capabilities if they want to get Apple customers to switch.

In our research, executives have told us that they are increasingly concerned about how their suppliers manage security. Many companies ask potential vendors to complete detailed surveys about their internal and external cybersecurity practices before agreeing to purchase from them. Those companies that can’t demonstrate an acceptable level are finding it increasingly difficult to sell their offerings. Eventually it will be table stakes to have to demonstrate your security practices. Right now, it can be a competitive advantage.
