Signs in power plants, manufacturing facilities, and office buildings around the world remind employees that “Safety is our top priority.”
The same cannot be said for information security, and it reflects the fact that data breaches are often the result of, and exacerbated by, organizational and management issues and not technical issues.
“We build a culture of safety, but not security,” said Dr. Keri Pearlson, executive director of MIT’s Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, or (IC)3. “People open email attachments without thinking, but they wouldn’t put their fingers in the gears. You need to make sure the people in your organization are cyber-prepared and cyber-resilient.”
The recent WannaCry ransomware attack illustrated this need all too well. The National Security Agency had previously identified a vulnerability and let the cybersecurity community know about it.
But just last week, malware nonetheless shut down public and private institutions around the world, including parts of the United Kingdom’s National Health Service. What’s worse, WannaCry targeted systems that had not been updated with the latest security patches, particularly impacting older Windows technology that companies should have long ago replaced — Windows XP and Windows Server 2003.
When a hack becomes a breach
In today’s security environment, hacks are inevitable. In fact, large enterprises probably face hundreds of hack attempts at any one time, said Pearlson, who joined (IC)3 in January.
Anti-virus software, firewalls, and other technology can protect against hacks. The trouble begins when the hackers get in and a breach occurs — when an employee opens that email attachment, leaves important data unencrypted, or fails to upgrade network security.
The infamous 2005–2007 TJX breach, for example, was the result of substandard wireless LAN security that went undetected for 18 months. The 2013 Target breach, meanwhile, happened after employees ignored warning signs identified by a third-party software vendor. In the wake of the Target breach, both the CEO and CIO resigned.
Pearlson referred to the cybersecurity framework [PDF] developed by the National Institute of Standard and Technology with five key steps — identify, protect, detect, respond, and recover — but added that response and recovery aren’t always adequately covered by a company’s cybersecurity plans.
“You have to do all of that, but a lot of companies don’t have sufficient plans to respond or recover from a major incident,” said Pearlson, who will moderate a panel on effectively responding to such incidents at the May 24 MIT Sloan CIO Symposium.
Along with adopting the cybersecurity framework in full, executives should build a strong relationship with their cyberinsurers, Pearlson said. Insurers have developed an “ecosystem” to minimize the chances of attack, but also to effectively respond and recover. They can also advise executives about how to notify law enforcement — since that’s not always the first phone call to make, she said.
“Hackers might go dark once they figure out that the authorities are involved,” she said.
People prep and backup plans
One reason it’s important to plan for major incidents is that a lot of second- and third-order things can happen, Pearlson said. The tsunami that hit Japan in 2011 had such a devastating impact in large part because the Fukushima nuclear plant lost its primary and secondary power sources, which caused the cooling system failure that led to radiation exposure.
The (IC)3 aims to address the security of infrastructure — electricity grids, water and sewer systems, and so on. Right now, public and private entities may have plans in place to address power outages or mechanical failures that last a few days. A cyberattack on infrastructure, on the other hand, could knock these systems out for months, MIT Sloan Professor Stuart Madnick wrote in Harvard Business review this month.
“A lot of the prep is people prep,” Pearlson said. “You have to assume that tech may or may not be available, so you need to have a backup plan just in case.”
In that sense, cybersecurity today is similar to the early days of the Internet and IT management. “It’s people, process, and technology,” she said. “You need people who manage, not who wring people’s necks if there’s a problem. You need a culture of security. You need to do an audit, and put things in place so people know what to do and what not to do.”