Another day, another cyber attack – success for the hackers and another failure by city governments to have adequate protection. This past weekend a couple of dozen cities in Texas suffered a ransomware attack. The financial fallout from this attack remains to be seen.
These attacks are on the heels of attacks on state and local entities in New York, Louisiana, Maryland and Florida. The city of Naples, Florida was hacked resulting in a loss of $700,000 to the city coffers. An employee was “tricked” into making a payment to hackers. For a city with a population of about 22,000, and in a city as wealthy as Naples, almost three quarters of a million dollars is a lot of money – no matter how you look at it.
So, have the horde of super technologists (aka hackers) suddenly turned their attention away from elections to the hapless towns and cities in the US? No, there isn’t a horde of super technologists holed up in some mountain hideaway in a faraway country breaking into the information systems of companies, cities and states. Oh, sure, there are teams of super technologists in various countries like Russia, China, Iran, and even in the US that work around the clock to gain advantage over defense systems, utilities, power grids and other highly valued assets.
However, that’s not the case with most cyber events. These recent attacks on small cities and municipalities are actually fairly simple and unsophisticated, but to succeed, the hackers only have to be just a little bit more sophisticated than their victims.
What underlies the cyberattacks we read about almost every day? Let’s break it down.
- Yahoo!’s failure was a policy decision to not require regular password hygiene. It resulted in the loss of millions and millions of private records breached and a fine for the company and board of directors of over $100,000,000.
- The Equifax breach was another failure of policy and process. There was no ingrained policy to prevent internal information from being made available through publicly accessible servers. The result was 140,000,000 breached personal records, affecting almost every household in America. The cost to Equifax itself is $700 million and counting, and the final cost will likely surpass $1 billion. The cost to the American public may not be measurable.
- CapitalOne’s breach last month will certainly be a big one – over 100 million individuals’ personal information was exposed, including names, addresses, dates of birth, credit scores, transaction data, Social Security numbers, and linked bank account numbers. How much will the losses to CapitalOne be? No one really knows. What we do know is that it was another failure of policy and process. It will be big, perhaps bigger and more personally damaging than the Equifax breach.
- The 2017 NotPetya breach in Europe affected Maersk, DLA Piper, the Ukraine government, and others, and the losses suffered were well over $1 billion. It too reflected a failure of policy, process, and people, not technology.
So the question remains: why aren’t companies and cities protecting themselves and their customers? The answer is simple. As crazy as it sounds, they really think they are protected. But while most cities and companies use technology solutions effectively, the gaping hole behind all of these breaches is not having the right policies, processes, and people in place. This is the human factor, and it is the one gap that technology alone cannot close if those three things are missing.
In 2014, the US government addressed this issue of policy, process and people when it released the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This Framework was created with the participation of thousands of experts from government, academia, and private enterprise. After its inception, several sibling frameworks were developed, such as the FFIEC’s Cyber Assessment Tool (CAT) used in the banking and financial services industry. These frameworks were developed to shore up cyber resilience.
Gartner estimates that by the end of 2020, half of all companies in the US will use the NIST CSF and its sibling frameworks to manage cyber risk. By all accounts, that is a mere 13-16 months from now. Clearly there is a lot of work to be done to make that happen.
But what about the other half? Why isn’t the NIST CSF more widely used today? Incredibly, decision-makers in private companies and government hang onto the belief that cyber risk is simply a technology problem. Protecting the perimeter and adding layer upon layer of cyber technology is generally what companies and cities do for protection. They believe they are cyber averse and that their risk is minimal. Employing effective technologies is important, but it is only a piece of the solution. It leaves the human factor, the policy, process, and people issues, unaddressed, and that omission invites disaster.
Full disclosure: My company developed and offers an automated software platform to implement and manage the NIST CSF and sibling frameworks. But there are dozens of companies that can help, from PwC and Deloitte to local managed service providers. The government even offers the NIST CSF itself at no cost.
What should your city or company do? Building your cyber risk management program with NIST CSF as the foundation will lead you to address the technology issues and the policy, process, and people issues. You operate at your own peril and put your customers at risk if you don’t address both.