Recently, Benjamin Dean, Fellow for Internet Governance and Cyber-security, School of International and Public Affairs at Columbia University, wrote a very compelling piece in which he asserts – justifiably, I might add – that large corporations have little actual incentive to invest in cybersecurity.
It’s something that has been percolating up for a while now, despite appearances that the exact opposite is true. For most corporate professionals outside the security organizations of their respective enterprises, it’s something of a (semi) open secret.
Successful businesses run on data diligence as far as cost-benefit goes and, well, the numbers simply don’t add up.
For the likes of the world’s largest brands, insecurity is an accounting pencil-whip that’s effectively coded in the books in much the same as, say, a shipment of damaged shoes coming from China. Or the inherent vice of apples that go rotten on the shelves.
What it comes down to in reality, is that it’s all about brand and reputation. Everything. Cybercrime is just one of many, many things that can affect it. A small variable in a pile of data from focus groups, market tests, product reviews, surveys, marketing statistics, demographics info and much, much more.
Market and business intelligence are more important and fundamental than any threat or cyber intelligence will ever be. These functions are used diligently and effectively to continuously plan and tweak a long-term strategy of business resilience – so that when a cyber attack strikes, as it most assuredly will, the business can hold up over the long haul.
(A little) cynicism aside, no one wants to be breached, of course. No company wants to get hit. Certainly, no one – not even the big guys – wants to lose money they can avoid losing. And no company completely disregards cybercrime.
Alarmingly, outside of the big guys with the brand, customer loyalty, market presence, universal products, financial bottom lines and resources to plan for and withstand periodic hits that are – undeniably – an unavoidable a fact of life now, too many companies today are afflicted with what’s coming to be called “Ostrich Security:”
Ignoring their cybercrime problems in hopes of being invisible to the cost of the threat such that it passes right by you. Or at least until it actually hits.
The problem?
According to the U.S. Census Bureau, in 2010 there were just under 30 million businesses in the United States. Of that number, just about 18,500 had 500 employees or more. That means that most of you reading this article likely work for a company that is not a true global behemoth of a brand.
The biggest of the big guys are working with a brand and reputation safety net that is their robust market and business intelligence functions. It’s more than likely, you’re not.
As a result, ignoring your cyber problems – especially the vital data and info it can yield about your products, customers, competitors, markets, etc. – is to ignore a big way you can act a bit like the biggest guys and build in some brand and reputation resilience through data analysis and planning.
You see, all that data trapped in the lowest levels of your security operations is very valuable for a lot more than traditional cyberdefense.
Threat intelligence data from outside and inside your company’s walls that’s evaluated, stored, diligently analyzed and reported on over time for what’s getting hit, how’s it being effected, who’s being effected and more is directly relevant to your specific operations.
When you begin to effectively link this data to specifics about your own key business areas, risk intelligence begins to happen.
For example, let’s say you’re running a healthcare-related business. Your company is a multi-state provider of SaaS-based patient portal software for doctors and dentists that allows them to offer their patients convenient access to things like records and scheduling appointments.
You have half a dozen personnel on your security operations teams focused on things like snort rules, endpoint security updates, malware, pentesting and the like.
Each month, you get a one-hour report on your cyber state of the union and, so far, all seems stable based on what your team tells you are mostly harmless things such as the daily barrage of Tomcat brute force scans, SQLInjection attempts, XML-RPC hits, attempts to recruit your WordPress-based corporate website into DDoS botnets and the lengthy lists of malware removed from your internal networks.
But what would happen if you were hit big?
More specific questions include:
• What are the most likely ways you could be hit based on being in healthcare?
• What aspects of your web apps are top targets?
• Did you overhear your IT guys saying your main website has over 100 open source components in it?
• What’s “malvertising” anyway?
• What are “malicious followers” and how many of your 2K Twitter fans of the account you use for customer support are real?
• What’s in your timecard web app that might be vulnerable?
• What was that new exploit you overheard talk about in passing last week during that meeting with those potential customers you met with in California?
• Does your outsourced development company know about it?
• What software was targeted last quarter that’s not only in your customer-facing apps, but also in your internal accounting software?
• Did that Point-of-Sale malware breach in Wyoming last month involve a chain of dentists that also use your software? Wait, or was it insider threat? How has this all changed since last year? Last month?
If you can’t answer these questions, you can’t even begin to say how your products might fare when you’re under a cyber attack.
By dividing up your company into its key business areas and working with your security team to begin to collect, track and map cyber event data to those key area characteristics that make you “you,” it’s possible to start developing a long-term brand and reputation defense strategy that’s also informed of your cyber risk.
Your products, your customers, your partners are all vectors by which cybercrime can have a direct impact on your success or failure. Developing long-term strategy to deal with the hits when they come and mitigate effects downstream on your partners, customers and clients is, as with the big guys, arguably more important than stopping the hits in the first place; a task that’s becoming more and more impossible as each week passes.
If used properly, your cyber data itself can be a treasure trove of information that’s every bit as valuable – and effective – as a survey or a focus group. Or, for that matter, your SIEM tools or that shiny new threat intelligence platform you just bought (and your team doesn’t yet know what to do with).
It’s using cyber threat data and data about your own business characteristics to practice a form of market and business intelligence that helps protect your life’s blood brand and reputation.
In a manner of speaking, it’s brand and reputation cyberdefense. A rose by any other name….well, you know the rest.
