Almost every week we read in the news about another organization that has been hacked. Cyber espionage is at an all-time high, and businesses across the United States are being targeted and breached. Many of these attacks are nation-state sponsored or otherwise known as advanced persistent threats (APT). However, organized crime and other hacker groups are also responsible for many of these attacks. Their goal is simple: Breach an organization and steal its intellectual property, trade secrets and other business sensitive information to gain economic advantage.
In February, security firm Mandiant released a 60-plus page report detailing its investigations over a six-year period into an extensive cyber espionage campaign conducted by one of the many APT threat organizations inside China. This one particular group, which the firm identified as APT1, allegedly stole hundreds of terabytes of data from at least 141 organizations across 20 industries worldwide since 2006. The point here is very obvious. If your business is connected to the internet, you are at risk. Every CEO, C-level executive and board member must know and understand this risk. Too many businesses are of the opinion that only government organizations or defense contractors are at risk of being targeted by an APT. In fact, it is the modus operandi of APT operators to go after smaller vendors in the belief that their security posture is lower, making them an easier target to breach and then use as a pivot point to reach a larger organization. This was the strategy used against security organization RSA. One of its smaller supply chain vendors was breached. The attackers then sent an email attachment with malware from inside the breached organization to RSA, consequently infecting the security firm. But, even in this example, RSA was not the final target. It too was merely a pivot point used to breach a much larger defense contractor.
CSOs and CISOs must fully understand the threat and the method of operations of these malicious actors. It is extremely important that they educate the executives of their organization on these threats. When presenting to the C-level management or to board members, the CSO/CISO must keep in mind that cyber security is not an IT function. Rather it is a business function. The threat must be explained in terms of the impact that it can have on the business. Not only can the cost of containment and mitigation of a breach be extremely expensive, but the loss of intellectual property, trade secrets, sensitive business information, and years of R&D work, not to mention brand or reputational damage, can put an organization out of business.