In his new book, Thomas R. Köhler discusses the critically important issue of cyber risk and how corporations can mitigate this growing threat. Köhler is the director of CE21 Consulting, a German firm providing many leading corporations cyber-support.
Cyber criminality is a serious problem that afflicts nations, big business, family business and private investors. According to Forbes, as much as twenty-eight percent of international families, family offices and family businesses have already been a victim of some form of cyber criminality. (Recently, a large family office was purported to have lost ten million USD in a falsified wire transfer, and this is just one of many examples.) According to the same article, the global cost of cyber criminality is no longer in the billions but in the trillions.
Köhler offers a historical perspective on corporate espionage and a set of recommendations to better cope with today’s growing cyber security issues. At the core of cyber risk is the economy’s ongoing digital transformation, which has opened up a new era of industrial espionage. According to Köhler, “The one problem of our current situation is simple: the standardized Internet-based processes for communication, so-called Internet protocols, are not designed for secure communication.” Therefore, despite impressive technological progress, tapping into the flow of information coming through the Internet remains relatively easy.
As a side note, the author speculates why industrial espionage tends to remain out of the limelight: companies do not wish to signal that they are vulnerable to such attacks, and a security breach can be embarrassing. The prevailing way to handle crimes such as industrial espionage seems to be through non-public settlements rather than going through the courts.
A major part of the book is devoted to case examples of industrial espionage in the past and present. This evolution clearly points toward today’s digital espionage, featuring identity theft; eavesdropping equipment; advanced bugging; software attacks; phishing; malware; and perhaps most dramatic, bugging wireless speech communication devices (our mobile phones).
Köhler delineates a variety of cutting-edge espionage approaches, such as involving “dangerous places and devices” (e.g., memory sticks, copiers, power plugs, Internet cafes, Wi-Fi, drones, cameras, smartphones and so on). Perhaps most critical might be the social factors. Counteracting irregularities and risks involving social interactions is especially difficult. On this note, I would like to present an anecdote from the 1990s: As some may recall, one of the first hackers to gain celebrity status was Kevin Mitnick, who played cat and mouse with the US authorities in the early 90s. He broke into countless systems, and those who hunted him long wondered how it was possible. When they finally caught him, they asked him how he had managed to hack into all the systems. They were expecting exceptional code-breaking skills. The answer instead was remarkably simple; he simply called key employees and asked for passwords, pretending to be an internal IT technician or something of that order.
Köhler flags several potential categories of “exposed” people in organizations, such as trainees and disgruntled employees. However, I would like to add that the C-suites also constitute a major risk. Top executives have access to much more sensitive information than the average employee; they are more visible and therefore more exposed to social engineering attacks, and they are much more mobile (and therefore targeted for theft of or physical access to their devices). Finally, their positions in an organization often exempt them from security rules, thus placing them at further risk.
Areas potentially vulnerable to cybercrime include wire transfers of funds. Here, cyber criminals attempt to impersonate executives with authority to instruct wire transfers out of the firm. A prominent example of such a heist just surfaced in the last days, whereby €19mn were stolen from the Dutch subsidiary of a French cinema chain, Pathé. Other forms of attack include cyber hackers “phishing” for passwords, bank accounts, security codes and the like. Last, ransomware can cripple the productivity of a firm, by crippling a firm’s entire IT system until a ransom is paid, usually using anonymous cryptocurrency. Even if ransom is paid, the loss of productivity and other indirect costs vastly outweigh the direct costs. The 2017 attack against Maersk comes to mind, after which the company was forced to reinstall 4000 servers and 45000 PCs! Unfortunately, it seems cyber risk will only increase, given Industry 4.0’s self-regulated, self-learning manufacturing processes.
The author concludes with a review of various approaches and trends that might bring us toward a spy-proof company. A good beginning is always to recognize key risks involving investment decisions, new products, bidding processes, etc., that expose a company to spying activities orchestrated by competitors. Firms can better recognize dangers by looking at key indicators of sudden changes, including lost shipments, unexplained break-ins, and so forth. In the digital sphere, IT departments can and should monitor real-time business intelligence parameters. In today’s big data/machine-learning world, it is easier than ever to detect anomalous behavior, signals and events. Early detection is therefore crucial.
Köhler continues with ways to protect a company’s key procedures, including physical location-based protection, organizational measures (“need-to-know”), key people measures (security clearing), technical protection (reducing systems’ vulnerability) and basic IT system protection (firewalls and improved password protection). Two recent trends are perhaps even more interesting: some companies disconnect part of their information flow from the Internet, and others employ hackers as a defensive measure to identify and strengthen weak links in their operations.
A key dilemma without a good solution is that companies naturally work hard at having open profiles on social media platforms with relatively comprehensive homepages and online marketing, for instance. However, this very openness may lend itself to easier industrial espionage: so-called “back doors” are sometimes wide-open entrances!
Security should not be a purely technical problem for family businesses. According to Köhler, “It all begins in people’s head – in every employee’s head” (p. 123). Although the world of economically motivated espionage has changed and today’s level of sophistication exceeds our wildest dreams from a few years ago, the basic rationale for espionage remains the same—to gain an economic advantage. Nevertheless, improving a company’s protection should not hinder digital strategies, increased robotization of industries or the development of network organizations. Köhler provides much useful guidance to make digital strategies safer.
Before listing the open questions for the Lorange Network community, the editorial team has decided to share some actionable recommendations to mitigate cyber risk:
Use strong passwords, and NEVER reuse passwords. Sharing the same password between services means the breach of one service’s password will compromise all your credentials across cyberspace. Many organizations are implementing “pass-phrases” that might be even stronger than passwords - something to consider together with your IT department.
Install antivirus and firewall software. We all end up clicking on innocuous links that turn out to be compromised. Antiviruses and firewalls act as safety nets intercepting most of these threats. Make sure all devices in your firm are updated—not just some.
Rely only on secure Wi-Fi. Would you communicate confidential messages via postcards? Using unsecure Wi-Fi networks is the digital equivalent. Instead, use your mobile phone.
Do not trust USB devices. USB is inherently unsafe. Do not trust devices that have not been constantly under your control, be it a colleague’s memory stick, complimentary USB “goodies” handed at a conference or even USB outlets available in public spaces to charge your devices.
Backup automatically. Something will happen to your data, whether it is a malicious attack, a random drive failure or just erasing that crucial file late at night. An AUTOMATIC backup solution acts as a digital insurance policy, ensuring you keep an up-to-date copy of the data available.
Never discuss important negotiations over the phone. Even in a private room, turn all mobile phones OFF, not just to airplane mode.
Cover/disconnect your PC’s camera when you are not using it for voice over Internet.
Governance structures, information security policies and procedures need to be evaluated regularly. Complacency is your enemy.
Comments