In the summer of 2021, in the middle of the pandemic response, while health care systems were already at the end of their tether, fighting the Coronavirus, a cyberattack took out the IT systems of the Health Service Executive (HSE), the public health care provider in Ireland. Projects were stopped, people had to use personal e-mails, and the inefficiency created no doubt cost lives, as the HSE was stretched to the limit. For example, a digital health project I was working on, which was already running behind owing to the pandemic, was further impacted by the cyberattack. The attack was reported to be carried out by a Russian criminal gang known as Wizard Spider. A number of patients’ medical records were stolen and published online. The head of the HSE was quoted in the Irish Times as saying that the breach would cost the HSE €100m to fix.
There are millions of cyberattack attempts every week of the year. In the last few weeks of completing the editing and finalizing of this book, a software vulnerability surfaced on the Internet related to Log4j, a tool, that is used innocuously but almost ubiquitously on the Internet. In the first week of the discovery, over 1.2 million hacking attempts were made to exploit this vulnerability alone. Cyberattacks are mainstream events now, and no longer a source of surprise. Consider for example, the following picture, which shows a few significant cyberattacks across the year 2021. Not all breaches are as damaging as the HSE breach, but according to an IBM report, which surveyed 500 firms, the cost of data breaches on average has risen to $4.24m in 2021, which is higher than it’s ever been before.
You might also recall that in 2015, a notorious Canadian business called Ashley Madison, which offered a platform for extramarital affairs, was hacked. The names of the customers, including some well-known people, were made public. It created an uproar and ripples across the world, ruining relationships and reputations. The bad news is that you don’t have to be a business with a morally questionable premise, or reliant on the secrecy of your customers. No matter what your business, we are getting to a point in the digital era where the chances are information security breaches and cybercrime can bring your organization down to its knees. If in doubt, see Home Depot1 or Sony Pictures2 or Experian,3 Talk Talk,4 or sadly even VTech Toys.5
Figure 12.1 A sample of high-profile cyberattacks throughout the year 2021
Source: Data gathered from Arctic Wolf, Hackmageddon, Symantec, and other well-known websites.
The bottom line is, every manager needs to get up to speed on cybersecurity.
Laxness about personal cybersecurity is probably something most of us are guilty of, surviving as we do with simple alphanumeric passwords that we share across banks, social media, and the random ecommerce site we signed up for last week. This piece isn’t about personal security though, so we’ll just leave it at that. But as we’ll see, they’re not entirely disconnected from each other.
In the past 18 months, almost every business has had to make a sharp turn toward digital, thanks to the pandemic. For a start, this has resulted in millions of people working from home, creating new attack surfaces. There’s also a surge in ecommerce and online transactions. This is in addition to the underlying trend of digitization. Previously, you might have sold a thermostat or a blood sugar monitor. Increasingly, you’re selling a connected version of these devices, with the date flowing back to your cloud-based setup, and a greater part of the value of your business is captured in the data, analytics, and insight, rather than the physical device. In this environment, the risks include your duty of care to protect customers and the regulatory requirement as a custodian of consumer data. And as an organization, your business and employee data are always your primary concern.
The motivation behind cyberattacks may be commercial or national. Cyberespionage is now an essential part of national and international intelligence. Many countries leave national fingerprints when it comes to cyberwarfare.6 There’s plenty of collateral damage involved here. You could be one of the companies targeted, for a host of reasons, or you could just fall prey to the future avatar of the Stuxnet. On the other hand, you could be a victim of a purely commercial criminal activity, where the miscreants are looking for commercial gain.
The purpose of a cyberattack could also be varied. Data theft is a common one, denial of service is another—also known as ransomware—as the hackers will usually ask for money in exchange for releasing code that will unlock your systems and allow you to use them again. For public-facing websites, a distributed denial of service (DDOS) can also be launched over the public Internet through botnets. Finally, there are also numerous variations in the method of cyberattacks. Compromised user credentials are the most common, as are vulnerabilities in off-the-shelf software, or human error by programmers or infrastructure managers. Enterprises are increasingly adopting a zero-trust model of cybersecurity—where every user has to demonstrate credentials before accessing confidential information, each time they do so.
Figure 12.2 A sample of high-profile cyberattacks over the past decade
Source: Data gathered from Arctic Wolf, Hackmageddon, Symantec, and other well-known websites.
The point is that this is a complex and multifaceted space, and you need to have a security risk management plan and monitoring. A simple version of this would display data on attempted cyberattacks, discovered security bugs, measures taken, and incidents reported. The actual execution of cybersafety measures should be left to the experts in your organization, but as a digital owner, you should ensure you understand and manage the risks. And needless to say, you need to bring in cybersecurity expertise in any digital project.
Privacy Versus Security
The security discussion also frequently overlaps with the privacy debate, and to make matters worse, privacy acts on both sides of the argument. On the one hand, a privacy loss is somewhat similar to a security breach—that is unauthorized people have access to your information. Yet, often privacy and security are seen as tradeoffs, as surveillance becomes a key tool against crime. Put that discussion to one side for now as well, and let’s focus on the risk of cybersecurity.
Security Versus User Experience
A lot of work goes into a cybersecurity framework, from identify and authentication, to access control, encryption, and audit trails. However, one of the emergent themes over the past few months has been the role of user experience. All too often, excessive security measures kill the user experience of applications. When that happens, you get people bypassing security measures for no reason apart from avoiding irritation, but thereby creating potentially disastrous loopholes in your security environment. It’s critical therefore that you focus on the user experience that your security regime imposes. A standard two-factor authentication system today uses the smartphone in conjunction with Web applications, with the addition of biometrics (fingerprint or face recognition on smartphones). This actually improves user experience by making the process faster.
Wanted: A Network View of Security
Another byproduct of digital business involves the blurring of boundaries. With more and more noncore functions outsourced, and businesses becoming leaner, the level of interconnects in businesses is going up manifold. Your supply chain, your distribution system, and your support ecosystem now resemble inter-dependent networks much more than chains. This introduces yet another dimension of risk, as much of your business information now flows through this network of partners. In 2015, Tien Phong Bank in Vietnam foiled a million-dollar cyber heist. The scammers sent fraudulent inter-bank transfer messages via the SWIFT system, which they accessed through a vendor’s infrastructure. You will never be able to lock down every possible loophole, but conducting regular vendor audits on information security is certainly a good starting point. Major banks are already starting to conduct detailed supplier audits for information governance and security.
All of this collectively will not make you safe. Every innovation across technology and business will open up new security vulnerabilities. After all, as the world goes more digital with every passing day, we’re opening up more opportunities for cyber harm and attacks. Hackers will get sophisticated. New tools and technologies such as AI and robotics will enter the fray. In fact, the biggest mistake one can make in this space is becoming complacent.
Tip: Talk to your organization’s cybersecurity expert about your digital project. Also, list every possible way that somebody could access critical code or data in your system. Get others in your team to do the same.
There is increasing sophistication on both sides of the cyberwar. Would-be attackers and cyberdefenders are able to deploy more sophisticated technology. This is progressing along three axes. The first is intelligence and software: AI tools cannot only look for hacking patterns and attempts at breaking in, they can also identify key stroke variations, time delay on password entry, and even unusual pressure applied to the keyboard compared to what is normal for you. Similarly, hackers are able to use and share tools that are able to spot vulnerability patterns in your systems. The second is hardware: quantum encryption is likely to take shape over the next decade, as quantum computing could break current complex alphanumeric passwords with ease. Third, the rise of biometrics: in the future, we may be identified by our brainprints, but voice, retina, fingerprint, and face recognition are all well under way. But let’s not forget that any system is only as strong as its weakest link and people can be compromised as well. When it comes to cybersecurity, therefore, a healthy paranoia may be your best friend.