There are plenty of new challenges to keeping a company afloat while the world endures the 2020 coronavirus pandemic. Here are just a few:
- Applying for government assistance to keep paying payroll.
- Developing a work-from-home system for employees following stay-at-home orders.
- Working out accommodations and new digital venues with customers and suppliers that will help everyone come through a cataclysmic crisis still in business.
Add to the list a new one: Cyber security threats.
InterimExecs RED Team executive and CISO, Zeeshan Kazmi, says times like these are prime for opportunistic hackers.
Just look at financial technology company, Finastra, to see a cyber security nightmare in action. After coronavirus hit, the company was in the middle of developing an emergency plan to operate when hackers found a backdoor into their servers. Malware quickly spread locking down server after server on their network, taking down many of their customers which include 90 of the world’s top 100 banks.
“We haven’t taken cyber security threats as seriously as they should be taken,” says Kazmi, who has spent 15 years working in the cyber security space. “Companies have been reactive. They protected their business transactions and their reputation. It became a corporate risk management function.”
Executives would debate the cost/benefit of the risk probability and the cost of avoiding that risk. If the ratio was acceptable, they said “we can’t be 100 percent,” he says.
Then came COVID-19’s social distancing requirements. Suddenly, all of the secure transactions and communications that were relatively easy to protect in-house or in-person are being handled by private computers over home wifi or a vast array of vendor/supplier computers.
The Newest Cyber Security Threats to Business
Even something as simple as keeping hackers out of your email isn’t so simple any more.
In the office, an employee could have walked over the boss and asked, “Hey, did you send me this suspicious email?” Human nature being what it is, the chances are much higher the worker at home will simply click on the email without first picking up the phone or sending a message to find out whether it’s safe, added steps are psychological equivalent of “friction” Kazmi says.
“Phone calls, VPNs, Zoom meetings, documents that are not secure, emails that may not be from the origin they say they are, transactions with suppliers and vendors that are not verified, unsecure emails, gratuitous phone calls. All are easy for hackers, and they understand how to prey on habitual weaknesses” he says.
But that isn’t even the weakest link in the cyber security chain. The weakest link is likely with suppliers, vendors, and customers conducting business and placing orders via their home computers or improperly secured terminals.
Customers are using web browsers to access information. The customer’s virus software might warn that a site is not secure, but the message can be so cryptic that the customer clicks anyway “because that’s where they want to go.”
That’s when the hackers find a way in. Here’s how it works:
The hackers already know the customer’s home computer is the weakest spot in this cyber security threat. They observe what the customer is doing at home online and how he is interacting with the business. Then the hacker plays a game, getting the business to trust that the hacker is a real person. Once that happens, the hacker can transmit a link to click or something similar and the business has been hacked. Once inside the business’ system, the hackers repeat the process. They look around the business, get into the CFO’s computer, download the customer data sheets and more. The intent can be more than just financial details. Hackers listen in and get product launch details, get pricing, intellectual property theft, make private information public, etc.
What Happens When My Business Has Been Hacked
What can you do after your business discovers it’s been hacked? Very little, Kazmi says. You can call your insurance company or the police, but they will ask: Did the hackers steal money? Did anyone get killed? Did they delete anything? The answers to all of those questions will be “no,” so neither the insurance company nor the police will get involved in the traditional way. Cyber insurance can help some, but even that has many caveats as we saw during NotPetya ransomware with Mersk, which to date is one of the most devastating pieces of malware we’ve seen.
And the hackers will have the data. Depending on what they’ve got, they can sell it on the black market or to a competitor, or use it to blackmail individuals, Kazmi says. (“I know what disease/secret you have and if you don’t pay, I’ll put it on the internet for everyone to see.”). If you see it in a different light, the FUD (fear, uncertainty, doubt) is not inherently in the Cybersecurity industry, but it is the primary tactic of predatory intent from cyber criminals.
How to Improve Cyber Security
The solution to this challenge?
It comes in several forms, Kazmi says.
- Business leaders need to shift their thinking about cyber security threats. It is much more than a risk assessment equation. Cybersecurity should be part of the revenue conversation and the cost of security transactions should be rolled into the cost of the product.
- Antiquated 1990s cyber security laws need to be updated to reflect the new realities of cyber safety so that police, insurance companies, and various law enforcement can have clear guidelines on harm and repudiation.
- Companies need to develop a wholistic approach to cyber security. “It takes long term experience, human psychology, an understanding of selling, running organizations, technology and change management to make this cyber security stuff work,” Kazmi says.
And, he says, there’s no time like the present to start. Hacking threats have jumped 15% a month since the beginning of 2020, bumped up even more to 20% in March, and are predicted to keep going up. It could take 18 months or longer for business to return to anything close to its pre-COVID-19 form. That means executives, employees and customers likely will be working remotely, using unsecure servers and home wifi for many months to come.
Even if it takes 3 to 4 months to get a strong cyber security “threat hunting” program in place, Kazmi says there will be many months of benefit from that before life returns to normal. An Interim CIO or Interim CISO can be retained as a cyber security expert without adding to permanent overhead to assess an organization and accelerate implementation of a cyber security plan. From hospitals to manufacturing, financial services to restaurants, no industry is immune to these threats, as cyber criminals continue to prey on crisis-distracted owners and investors.
InterimExecs RED Team is an elite group of CEOs, CFOs, CIOs, and CISOs who help organizations through turnaround, growth (merger, acquisitions, ERP/CRM implementation, process improvement), or absence of leadership. Learn more about InterimExecs RED Team at www.interimexecs.org/red-team or call +1 (847) 849-2800.