Any good security program starts with the right leadership
How hard is it for cyber criminals to wreak havoc? Not very. United Nations experts investigating multiple cyberattacks including one that compromised the SWIFT interbank financial system “stressed that implementing these increasingly sophisticated attacks ‘is low risk and high yield’, often requiring just a laptop computer and access to the internet.” (Edith Lederer, “UN probing 30 North Korean cyberattacks in 17 countries.” AP August 14, 2019)
It’s a big and growing problem. According to Symantec’s 2019 Internet Security Threat Report (Vol. 24, February 2019):
- One in ten URLs are malicious
- Web attacks are up 56%
- An average 800 websites are compromised with formjacking code each month
- Mobile ransomware is up 33%
- Supply chain attacks are up 78%
Cyber attackers generally fall into one of three categories: nation-states, usually engaged in espionage or manipulation and motivated by geopolitical gain; non-state organizations, often focused on intellectual property, business information and disruption, and monetizing stolen data; and independent, rogue attackers who typically want to create disruption and make some money.
Michael Miora, Vice President and Chief Information Security Officer at Korn Ferry explains, “The nation-states generally are out to get information they can use to advance their own agenda. For example, the Chinese stealth fighter looks exactly like the US stealth fighter because they compromised aerospace defense firms and got the plans.”
Another state-sponsored attack according to the Center for Strategic & International studies is WannaCry, a ransomware worm believed to be the work of North Korea. Using stolen and publicly released National Security Agency hacking tools, WannaCry encrypted computers in 150 countries, and disrupted thousands of operations including the UK’s National Health Service.
In the summer of 2019 state-sponsored hackers from China conducted campaigns against major US utility companies, several German industrial firms, and government agencies across East Asia. (“Significant Cyber Incidents,” CSIS, Washington, D.C.)
1 in 10 URLs are malicious, Web attacks are up 56%, An average 800 websites are compromised with formjacking code each month, Mobile ransomware is up 33%, Supply chain attacks are up 78%.
The Stuxnet worm is considered to be the world’s first cyber weapon. Believed to have been created by the US and Israeli intelligence services, Stuxnet was able to sabotage centrifuges in Iran’s nuclear enrichment program by manipulating computer-controlled mechanisms.
Organized, non-state attackers are more likely to profit from attacks. According to Miora, “These highly organized and wellfunded organizations try to compromise information in such a way that they have a regular pipeline into an organization. If they gain a foothold, they can, on an ongoing basis, steal funds, redirect funds and get sensitive information. The attacker is similar to the nation state, but the goal is different. The goal is profit.”
Miora adds, “When you read about these major breaches, for example Equifax, usually that information is harvested so that they can try to do further damage as well as sell it on the open black market. Buyers of that data use it to compromise identities, open up credit accounts, and make a profit on it.”
The eBay breach of 2014 exposed the credentials of 145 million users including user names and passwords. An attack on UK company Dixons Carphone affected 10 million customers and employees. Attacks of this nature happen with increasing regularity worldwide. It is likely that the data collected has been sold to other cyber criminals who will use it to compromise other accounts and/ or engage in ransomware attacks, identity theft, and other profitable endeavors.
Rogue attackers in general are out for a quick profit. Miora explains, “They tend to release ransomware to organizations so that they can profit by selling the decryption key. Many companies pay for it because it’s easier to pay than it is to try to recover their data. Another example is rogue groups that try to compromise email systems and then find invoices that were sent, and then follow up with a ‘correction’ with different banking information so that the client then pays them instead of the company who sent the invoice. That is a very successful attack vector.”
John Iatonna, Chief Information Security Officer at Spencer Stuart adds, “Cyber activism is another issue, in which an attacker’s goal is to disrupt. You’re attacked and the intention isn’t to steal information or extract money, but it’s simply an effort to knock your systems offline. That could be cyber activism.”
Attackers come from many directions, with many motivations. Iatonna says, “It could be credit card information being stolen by organized crime. It could be an insider threat looking to take competitive advantage. It could just be run of the mill hackers that are encrypting your machines and demanding a ransom.”
Attackers have an evolving range of weapons at their disposal.
PHISHING AND SPEAR PHISHING
Probably the most widely used attack vector is phishing, which is a malicious attempt to lure individuals into revealing confidential information. Phishing emails are disguised as legitimate messages, and some are very convincing.
Nischal Sahrawat is Chief Information Security Officer at Heidrick & Struggles. He says, “The threat applies to everyone, whether you are a two-person shop or a 30,000 person enterprise. Many times these phishing emails come from legitimate email addresses, but they are compromised addresses of people who either belong to a small organization or business where they probably don’t know that an email has been compromised.”
The hacked email system of a small business can have massive consequences. The Target breach that compromised the credit card information of 110 million shoppers came through an HVAC vendor who clicked on a phishing email.
Spear phishing is a highly targeted phishing attack. For example, Sahrawat says, “I could get a phishing email which would say, ‘hey, your UPS package is sitting here and to collect it, click this link.’ But if the email came from somebody pretending to be my boss and it said, ‘hey, I got you this package and it’s sitting in the UPS pickup place and here’s the link, go click it,’ because it’s coming from somebody I know, and it’s very targeted to my context, that’s spear phishing.
Spear phishing is so successful “because it takes away a layer of skepticism,” Sahrawat says.
Unfortunately, “spear phishing is very easy to do in today’s world.” For example, Sahrawat says, “Anyone can go to LinkedIn, pick up any organization, find out who the CFO is, go do a search for everyone who works in finance in that organization and then create an email from one of the compromised email accounts and pretend to be the CFO. All the attacker has to do is send it to somebody who works under his or her organization and create a sense of urgency. Somebody in that organization is likely to follow through because it looks like it’s coming from their boss or their boss’s boss. Those types of spear phishing attacks are actually very effective.”
Malicious websites are another vector, and one does not have to visit porn sites at work to compromise an employer’s network. According to the 2019 Webroot Threat Report “40% of malicious URLs were found on good domains.” Malicious code hidden on even familiar and seemingly safe sites can capture a user’s credentials or attempt to install malware. And a person who visits a malicious site does not have to download a file to compromise their computer and their network.
A drive-by download is the installation of malware without a user knowing anything is being downloaded. It can happen by browsing a website, or clicking on a pop-up window, for example a false error message.
Social media is a growing vector. Malware can be delivered through plugins and ads, even shares. Social media is also a great place for reconnaissance, where cyber criminals can learn important dates or the names of children or pets, that people often use in their passwords or password reset questions. And a compromised profile could be used to undermine a brand or attack another user.
Has anyone with a phone not received a bogus (and urgent) call about their credit card security? This is social engineering—an attempt to trick targets into giving away passwords and more. As social engineering becomes more sophisticated, workplaces are also becoming vulnerable. Miora explains, “When you get a phone call like ‘hey, this is IT support, and we need you to go to this website and update your software,’ and they give you a URL, you’ll go there if you think it really is your own IT help desk; you’ll give your credentials and you’ll be compromised.”
He adds, “That actually works, if the attackers are calling from an internal number, which is fairly easy to spoof.”
Attackers can spoof internal phone numbers. “You can get a free piece of software on the internet and you’ll make a phone call from your windows machine. You tell us what number should show up on the caller ID. So if you know the company’s number, you can make it look like it’s coming from that company, and people think it’s an internal call.”
Eavesdropping is more than a nosey neighbor. Eavesdroppers collect login credentials, payment information, and more. A man-in-the-middle (MitM) attack is a type of eavesdropping where hackers insert themselves in between two parties, for example the user in a café and their bank website. Transactions over unsecured WiFi are particularly vulnerable to this type of attack.
Like other attacks, eavesdropping is used to collect credentials, divert funds, and capture information for advantage, disruption or sale.
DISTRIBUTED DENIAL OF SERVICE (DDOS)
A DDoS attack is a large, coordinated onslaught of traffic that can disable a network or system. Ellen DeGeneres famously posted a selfie with other celebrity attendees at the 2014 Oscars that briefly brought down Twitter. That was an organic DDoS attack—the selfie taken on national television generated so many retweets, the system was temporarily overwhelmed.
In 2016 a DDoS attack on Dyn, a company that controls much of the domain name system, disrupted sites in the US and Europe including BBC and CNN, Amazon, Spotify, Airbnb, and others. The Dyn attack came from a botnet—tens of millions of hacked internet connections and devices infected with a virus that triggered the coordinated attack. How could someone build a botnet? IoT is a soft entry point. Routers and connected cameras are often used for DDoS attacks because these devices are ubiquitous, and rarely secure. According to Symantec’s 2019 Internet Security Threat Report, “Although routers and connected cameras make up 90 percent of infected devices, almost every IoT device is vulnerable, from smart light bulbs to voice assistants.” (ISTR Volume 24, February 2019)
Botnets threaten more than movie streaming or our newsfeed. In 2017 a massive botnet attack disrupted Sweden’s transportation grid.
Short for malicious software, malware is the code that allows cyber criminals to spy, steal, and sabotage targeted systems. Viruses, worms, adware, spyware, and ransomware are some of the varieties hitting victims every day. Ransomware is a significant threat, in which a computer (or entire networks of computers) are encrypted until victims pay for a decryption key. Victims of the NotPetya ransomware received the malware disguised as an update. The current damage is estimated at $10 billion, and security experts determined that this particular encryption can’t be decrypted, even by the threat actors. They don’t have the key, so don’t pay the ransom.
Miora reports that “this year and last year are known as the years of Office 365 attacks because attackers have gone after the Exchange online platform to compromise email, get the email, modify the email, send emails as if they are from the compromised accounts, and they can make a quick profit. And once they’re caught and the gate is closed, they move on to another company. In fact, they do multiple companies at one time.”
Malware approaches are limited only by the criminal’s imagination. Formjacking uses malicious code to steal credit card details from payment forms on web pages; spyware steals data; key loggers monitor everything a user types, including passwords; adware typically earns money for the attackers for each click; cryptomining uses the target’s unused CPUs to mine digital currency; Remote Administration Tools (RAT) can execute commands on the target’s computer.
SECURITY IN THE CLOUD
Cloud storage allows us to access our documents from anywhere, improves collaboration, protects files from a compromised hard drive, and it feels secure. However, as users typically share files via an emailed link, those files in the cloud are only as secure as the email that carries the link. Cybersecurity company McAfee reports “92% of companies have cloud credentials for sale on the Dark Web.” (McAfee Cloud Adoption and Risk Report, 2019)
And mobile is a new vector: According to Symantec, “One in 36 mobile devices had high risk apps installed.”
THE ROLE OF AI
“AI is the next frontier in all of this, where you’ve got attackers and defenders using machine learning to either facilitate intrusion or to defend against it,” Iatonna says. “There’s simply too much data out there for anyone to be able to ingest it, interpret it, and respond to it. Machine learning and artificial intelligence, we hope, is going to be the thing that makes it easier for people who do what I do for a living.”
“These are not comforting times,” Iatonna says, “Especially on the infrastructure front, we’re entering really dangerous territory. Consider the presumed Russian intrusion to the Georgian power grid. There was a very deep-level compromise of the power grid in the Ukraine, and they knocked out power to half the country. Those are very alarming and very real world scenarios. But, that’s the world we live in.”
According to Global Market Insights, the cybersecurity market may be worth over $300 billion by 2024. But security products are only part of the solution to the proliferation of cyber attacks.
“Security is like an onion,” Sahrawat says. “There are layers and layers of controls, which in conjunction with each other lead to a mitigation of risk against these attacks.”
A large part of protection is detection. “If you can’t detect when something that is being executed shouldn’t be, then you’re going to be breached,” Miora says. “So there are tools out there. The sophisticated ones are called EDR, endpoint detection and response. So that’s a protection that is deployed in place and can stop a second vector.”
In addition to security software tools, Sahrawat recommends leveraging the right people, “whether it’s people that you hire or services that you’ve outsourced.”
Iatonna agrees. “I am a much firmer believer in investing in talent as opposed to tech, if only because a strong engineer is very versatile and can help you solve some of the security risks very creatively. Sometimes that is the acquisition of technology and sometimes that’s a changing process. Sometimes that is a newer, creative way of looking at a problem.”
Sahrawat stresses the importance of “processes which help you on an ongoing basis to detect vulnerabilities, such as patching your systems, and making sure that those vulnerabilities are fixed.” He says, “If you’re not patching your systems on a regular basis as soon as patches come out from software vendors or hardware vendors, then you are providing a mechanism for somebody to exploit that vulnerability.
For example, the global WannaCry ransomware attack depended on weaknesses in Microsoft’s operating systems. Microsoft had released patches to its operating systems weeks before the attack, but organizations that were slow to install the patch remained vulnerable.
“So patch your systems, everyone,” Sahrawat says. “It’s a no-brainer, but it can get lost in the day to day operations, especially in very small shops where they may not have dedicated resources who are implementing these type of processes.”
WHAT ABOUT PASSWORDS?
Hackers have impressive password-breaking methods: phishing scams that trick users into revealing their passwords, credential-stuffing programs that run stolen user names and passwords on thousands of sites to see what hits, WiFi traffic monitoring that captures usernames and passwords from unsecured connections, key logging which is a malicious program that tracks users’ keystrokes, and even “brute force,” tools that enter trial and error passwords over and over until the password is cracked.
Fun fact: According to internet security firm SplashData the most popular password in North America and Western Europe in 2019 was 123456. That password has ranked in the number one spot for six years.
A large scale research analysis conducted at Virginia Tech in 2018 found that 52% of users will reuse or predictably modify their existing passwords. So a hacker with one password has the key to many doors.
Anybody who doesn’t have two-factor authentication is going to have their emails breached. No question.
For Miora, the solution lies in two-factor authentication. “Anybody who doesn’t have two-factor authentication is going to have their emails breached. No question.”
Miora recommends generating separate passwords and two-factor authentication for every site, and using software to remember all your passwords. “So you have one massive, auto-generated, crazy 12 digit nonsensical password to remember and everything else is stored with strong encryption. That way, if one site is compromised, you only lose what’s there. And where ever possible, activate multifactor authentication so even if your password is compromised, they still can’t get in.”
Many people are using facial recognition and fingerprint scans for added security, but there is inherent risk in the increasing use of biometric data. According to Madhumita Murgia, European technology correspondent with the Financial Times, “Despite biometrics being hailed as a smarter, more secure alternative to passwords, the risks of misuse and hacking are enormous. This type of data is near-impossible to change because it is encoded in your biology. Once collected, it points to you and you alone; once lost or stolen, it is open to permanent abuse. You can always rethink a password but you can’t rewrite your DNA.” (“The insidious threat of biometrics” Financial Times Aug 21, 2019)
There may be no safer alternative than multifactor authentication. Miora explains, “I have approximately 10,000 users. If I am a genius (and I’m not) and if I was extraordinarily successful in teaching people not to click on phishing attacks (and I’m pretty good) and let’s say I achieved 99% success (which is impossible) that means 1% of my population would still click on phishing emails and provide credentials. 1% of 10,000 users is still a hundred users whose email will be compromised. So however well you train your people, it’s not enough. You need something else. Multifactor authentication is the best second step.”
DECLINE THE FREE PUBLIC WIFI
On public WiFi networks, hackers can eavesdrop on your activity, capture any login credentials or passwords you used on the network, even distribute malware.
Miora says, “When I travel, I never connect to a WiFi unless that WiFi is secure. If it’s not, then your information is being transmitted in what we call clear text, meaning unencrypted. Anybody can listen in, capture your password and hijack your session. For a search consultant that is a violation of the AESC Code of Professional Practice.”
“We tell our search clients that they should never connect to WiFi unless they’re using our VPN,” Miora adds. “Our VPN is strongly encrypted and requires two-factor authentication. So even if they’re using an insecure WiFi spot, if they are using our VPN into our infrastructure, then the connection is secure.”
“If you don’t have it, you’re crazy,” Iatonna says.
In the event of a successful attack, cyber insurance can mitigate the financial damage by covering related costs. Iatonna recommends working closely with both the executive team and the insurer to secure the right coverage. He says, “We’re not just talking about the amount that you’re covered for, but for certain types of expenses that you might expect to see in a breach. So that is the obvious stuff like attorney’s fees or forensic firm fees or credit monitoring. You can also insure for your loss of revenue.”
From a search and consulting business perspective, Sahrawat says, “Our key risks are reputation and compliance. So reputation is something that cannot be insured. Compliance risk is the one where most organizations focus on mitigating.”
He explains, “For example, if company A has a million records exposed inappropriately, they have to go and notify those million people and potentially provide them credit monitoring services, hire lawyers, bring in forensic experts, and before you know it, company A has a $3 million dollar bill. That is the type of scenario where cyber insurance can come in handy. But if you’re looking to mitigate a reputational risk, insurance is not going to help. So it does have some value, but it’s limited.”
In addition, Miora warns, “Cyber insurance is a risky business. There was one company recently who was attacked and when they filed a claim, the insurer declined payment saying that since it was another country that attacked you. That claim then fell under the ‘Act of War’ exclusion.” He adds “Insurance is good to have, but it’s not a panacea.”
Companies that fall under the General Data Protection Regulation (GPDR) should pay special attention to how insurers are addressing the potentially enormous GDPR fines, or whether regulatory fines are insurable in specific member states.
Bearing all the costs of a cyber security incursion can crush a business. The breach of American Medical Collection Agency, a massive healthcare-related debt collector, exposed the private information of almost 20 million patients. In June of 2019, its parent company Retrieval-Masters Creditors Bureau Inc., filed for bankruptcy as a result of costs associated with the breach.
Mitigating risk begins with prevention. “Any good security program starts with the right leadership,” Iatonna says. “It starts with good leadership understanding what the risks are inherent to the business and then being able to map out a good strategy. That’s a combination of talent and budget and the technology to align to that strategy.”
AESC Code of Professional Practice
To understand why cybersecurity is of paramount importance in executive search and leadership consulting, consider the AESC Code of Professional Practice and the rigorous demands it places on member firms.
“The obvious correlation between what I do and the AESC Code of Professional Practice is around confidentiality,” Iatonna explains. “In more than a lot of industries, there is a very high expectation of trust from both the companies as well as the candidates who we work with day to day. If I were to consider the other aspects of our code of conduct, I would tell you that we strive for excellence and being great at what we do, to make sure that we’re supporting the business.”
For Miora, knowing that AESC member firms are a huge target for attackers only reinforces the importance of protecting clients’ and candidates’ information. “Attackers know we and our competitors hold very sensitive data about top executives around the globe. We’re a huge target, and our code of conduct requires us to protect that information. So we have to put in place as many protections as reasonable for the level of data that we’ve got. The more sensitive the data is, the better it should be protected. So we should put in place things like encryption at rest, encryption in transit, and multifactor authentication. We have to make sure everybody who works for us and with whom we work has signed a code of conduct that includes acknowledgement of the confidentiality of the information we’re sharing.”
In the practice of executive search and leadership consulting, it doesn’t take a massive breach to do damage. Sahrawat says, “A firm’s reputation could be harmed by a single email getting exposed inappropriately. You don’t need to lose 500,000 resumes or details of people’s work history. It could be one highly confidential search, which is nonpublic information. That’s what puts your reputation on the line. AESC’s Code of Professional Practice and values align with our firm’s values: always acting with integrity, having the highest levels of ethics and integrity in everything that we do, and being worthy of our client’s trust. It’s so paramount in this business. Everything flows around that.”
The profession’s commitment to protecting the sensitive information of clients and candidates is unshakable, and the threats against it will only increase in sophistication and intensity.
The best investment you can make for your security program is talent ... I think we need to invest in it much, much earlier in our education systems.
Considering assaults from nation states, organized groups and rogue attackers, Miora says, “Everyone is subject to an attack by at least one of those three groups. If you’re an organization like us, you’re being attacked by all three.”
The ability to defend against these and the next generation of threats comes in part from the profession’s area of expertise. “The best investment you can make for your security program is talent,” Iatonna says. “There’s such a shortage of talent, and yet, we talk about whole swaths of the population that aren’t trained for the workforce of tomorrow. I’m sitting here with two, three, sometimes four job openings I simply can’t fill. Training has to start a lot sooner in the food chain than simply sending some people to classes. I think we need to invest in it much, much earlier in our education systems.”
Developing talent for the future is essential, yet the threats we face are immediate, and the vulnerability of each and every organization is sobering. “It’s a constant battle that every organization is fighting and has to continue to fight,” Sahrawat says. “Literally the last protection that every organization has to have is aware and skeptical people.” Ultimately the last bastion is not made of code. It’s made of people.