In the world of cybersecurity, as in so many other facets of life, those who possess the knowledge possess the power.
Rarely has this been more clear than in the ongoing legal battle between the FBI and Apple over access to an iPhone belonging to one of the people who killed 14 in San Bernardino, Calif., last year.
While the FBI may seem to have the upper hand, since it has a court order forcing Apple to create new software to unlock the iPhone, Apple has been able to retain its power by so far refusing to create such software.
Whether Apple is successful in fighting the court order remains to be seen. But what is interesting about this case is how clearly it showcases the power of technology when wielded by the people who are experts at using it.
Control over cybersecurity has come to define who has power in our ever-connected world, for better or for worse.
Using cybersecurity as a weapon
While Apple says it is refusing to create the unlocking software on the principle of protecting freedom, others with control over cybersecurity and technology know-how have sometimes abused it for their own nefarious purposes.
A recent example is the malware ransom case involving the Hollywood Presbyterian Medical Center in Los Angeles. A hacker breached the medical center’s computer system and demanded a ransom fee to undo the damage. Hollywood Presbyterian ended up paying the hacker $17,000 in bitcoin to get its computers back up and running.
Experts say many companies are giving hackers what they want simply because they see no faster way to restore operations to normal. This is the route Hollywood Presbyterian took in the wake of its breach.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” chief executive Allen Stefanek told the Los Angeles Times.
Holding information and access hostage is one way those who are tech-savvy — and amoral — can extort others for their own benefit. They wield their knowledge as a weapon, and people and companies without the knowledge of how to stop hackers are at the mercy of those hackers.
Cases like Hollywood Presbyterian’s indicate a clear need for cybersecurity professionals in everyday industries.
Defense before offense
While it is not wise to imply that all hacking incidents could be prevented or solved by having a strong team of cybersecurity experts on hand, a lack of competent staff or built-in technology obviously contributes to companies falling victim to hackers.
In its recently released 2016 Cyber Risk Report, Hewlett Packard Enterprise discussed the increasing trend of malware being used to extort money, like the incident at Hollywood Presbyterian.
“Ransomware attacks targeting the enterprise and individuals are on the rise, requiring both increased awareness and preparation on the part of security professionals to avoid the loss of sensitive data,” the report read.
HPE also emphasized the need for strong defensive, rather than offensive, tactics that are woven into companies to protect their data from being compromised.
“We must … build security into the fabric of the organization to better mitigate known and unknown threats, which will enable companies to fearlessly innovate and accelerate business growth,” HPE security products senior vice president Sue Barsamian said in a statement.
While medical centers like Hollywood Presbyterian have become ripe for hacking, many other businesses do not feel they are at the same risk.
“I still walk in the door of companies … who say, ‘Who would come after us, we’re not Target, we’re not Sony?’” Russell Reynolds Associates’ global cybersecurity practice leader Matt Comyns told CIO last week. “But I think to myself, ‘I’m not so sure that’s the right question.’”
Tech knowledge is not enough
Nonprofit organization Educause, whose focus is on information technology in educational settings, said in the 2016 edition of its annual Top 10 IT Issues publication that the number one issue this year is information security.
Part of the problem, Educause says, is that organizations, especially schools, are not able to keep up with the changing methods of hackers. To keep hackers at bay, merely having technically minded IT employees is not enough.
“Information security has evolved from a largely technical field to one that encompasses not only technology, but also risk-management practices, user training and education, and business acumen,” the 2016 report read. “Adapting both the workforce and the organization will require special skills of CIOs and IT managers and will place more emphasis on the partnership between the human resources and IT organizations.”
In other words, information security staff must have more than tech-savvy smarts. They must also be adept at implementing smart business approaches to keeping data safe.
To accomplish this, the position of a chief information security officer, or CISO, has become an important facet of many companies. But others are missing out on this vital role, according to information security analysis blog Security Intelligence.
“Should every company have a chief information security officer? The short answer is yes, there should be one in every company,” Prevendra CEO Christopher Burgess wrote in a 2014 column.
Part of the CISO’s value, Burgess says, is in his or her ability to create and implement cybersecurity efforts in everyday business.
“The valued CISO leads the information security efforts first, then manages those efforts. Today’s CISO cannot and will not be successful in his or her efforts without buy-in from both the corporate leadership team and those who are most affected by the information security policies and procedures: the operations teams,” he said.
Having a dedicated leader who can create information security policies and then ensure they are used is perhaps the most important weapon in companies’ arsenals against hackers.
As has been seen in the Apple vs. FBI case, knowledge is power, but the type of knowledge needed to protect information has shifted from mere tech know-how to an ever-changing grasp of strategy to protect users from those who desire to abuse data.