Are enterprises paying lip service to cybersecurity concerns?

Sept. 11, 2019
Former ASIS president says many organizations’ cyber safeguards are still woefully inadequate

If you ask any CSO or risk officer in today’s global enterprises about the threats that keep them awake at night, almost without fail every one of them would rank cyber-attacks high on that list. Even other C-suite leaders and board members would undoubtedly rank the threats posed by cyber criminals as one of the greatest risks to their business, given the near-weekly headlines everyone reads about the latest ransomware infection and other schemes designed to scam businesses and consumers out of their hard-earned money.

But for all of the lip service that corporate leaders give to cybersecurity today, very few companies have taken the threats seriously. To demonstrate just how far corporations today have to go in securing their networks and employees against various attacks, Dave Tyson, the current Senior Vice President of Apollo Information Systems and a former CISO of SC Johnson, spoke during an educational session at GSX 2019 in Chicago on Tuesday about the steps one of his firm’s multi-billion-dollar clients had to take to reduce their risk exposure.

“People play Russian roulette with their business decisions all day,” says Tyson, who also formerly served as President of ASIS International. “Cybercrime is more profitable than the drug trade.”

In fact, statistics show that a business falls victim to a ransomware attack about once every 40 seconds, and these attacks, according to Tyson, have begun to move to more vulnerable end-users, such as small and mid-sized businesses, hospitals, and local and state government agencies that don’t have the resources to wage much of a defense.

“It’s the place to be if you want to be a bad guy and it takes almost no effort to make money,” he says. “If you think about all of those tools people are putting into their buildings – whether it is a robot or some other thing that is connected to the network – these things are all being targeted. The old days of being able to get out of a malware attack for $50,000 are gone. It has become significantly more expensive.”

A Real World Example

Though he couldn’t divulge specifics about the company, Tyson used the example of a large global corporation that recently sought out the services of his firm to show just how inadequate the cybersecurity posture of many of today’s organizations is. Among the critical findings that Tyson and his firm uncovered was that an IT device connecting the firm’s building to the internet was misconfigured and exploitable in a number of ways, which, in turn, also exposed the building automation system (BAS) and the internal data network. In addition, the BAS itself was found to be vulnerable to compromise to the point that it would have allowed a hacker to gain complete control of all building systems, making them unavailable at a whim or demanding a ransom payment.

Tyson says one of the biggest contributing factors to the vulnerabilities found in this company and others can be traced back to the concept of mutual trust. In physical access control, for example, just because someone has access to one door doesn’t mean they should have access to every door. The same should also hold true in the IT world, according to Tyson: just because someone has access to one system or database doesn’t mean they should have access to all of them, but unfortunately, that’s oftentimes not the case.

“Imagine someone comes into your building and walks around the hallways all day and nobody knows they are not supposed to be there,” Tyson says. “People say, ‘well, IT knows what is going on.’ Not necessarily, if you don’t have quality tools and you don’t know what to look for, often you won’t even know that they are there. If the system we are talking about is your camera system, access control system or duress alarm system, those things are important and you want to know they are going to be working when you need them to.”

One of the problems in commercial buildings today, according to Tyson, is that there are too many alarms and people don’t know where to focus their security efforts. “We begin to have not enough people and way too much information for them to be able to consume and it becomes noise, in many cases, and we turn it over to IT or a third party to manage, but the question is, are they?” Tyson asks.

And while physical security professionals have been consumed recently with how to stop and/or mitigate active shooter incidents, given the number of mass shootings of late, Tyson says cybersecurity hasn’t exactly figured out how to address an “active hacker.”

“If someone comes up and punches a hole in the front door of your house and you can reach through it and unlock the door, you’re probably not going to leave that hole there. At the very least you’re going to slap a patch over it or something. Well, that simplistic view is what doesn’t happen in IT,” Tyson adds.

Addressing the Problem

According to Tyson, organizations need to assess their “real” risks and not just the things that the mainstream media tends to focus on when it comes to cybersecurity.

“You’ve got to understand what your real risk position is, not the scary stuff you see on TV or in the movies or in the Wall Street Journal, which is often what your board members will react to, but you’ve got to understand what that real risk looks like and you do that by looking, testing and asking questions,” Tyson explains.

In addition, Tyson says that companies have to develop clarity on what their risk tolerance is for cyberattacks. And, most importantly, if a risk is discovered, don’t leave it to someone else to fix.

“Don’t assume someone else will look after it,” Tyson says. “This is a perfect example where you had three or four different sets of parties that all thought someone else was doing it. We could have deployed ransomware and taken the entire network of a $4 billion corporation off the face of the world. There is nothing that could have been done. They did not, by the way, have really good backups. They had good backups, but it probably would have been a month before they were back up.”

About the Author:

Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].