Thousands of cyber-attacks on organizations both private and public will happen today. And tomorrow. And the day after that. Some attacks will fail. Others will be minor. Some will be malicious and cause significant harm. The FBI reports that more than 4,000 ransomware attacks have occurred daily since 2016; ransomware is malicious software that threatens to publish data or perpetually block access to it unless a ransom is paid.
In March of this year, the city of Atlanta, for example, was hit by a cyberattack that locked city-wide systems and demanded a bitcoin ransom. Many city systems still have not recovered, and the cost to taxpayers may have reached as high as $17M. In September of this year, engineers at Facebook detected the biggest security breach in Facebook's history, and it took the company 11 days to stop it. Both governments and large private sector companies routinely grapple with cybersecurity and fending off cybercrime, and corporate security isn't getting better fast enough.
Cyber risk has also emerged as a significant threat to the financial system—a recent IMF study suggests that average annual losses to financial institutions from cyber-attacks could reach a few hundred billion dollars a year, potentially threatening financial stability. Hacker attacks on critical infrastructure are already alarming, and our cyber-physical infrastructure—the computer-controlled facilities that produce and deliver our energy, water, and communications, for example—is dangerously exposed.
This imminent danger is the subject of study by Stuart Madnick, Founding Director of the Cybersecurity at MIT Sloan Initiative. In a recent article for the Wall Street Journal, Madnick warned of the weakest link in the defense against cyberattacks: people.
All too often, companies think of cybersecurity as a technology problem. But, in his article, Madnick tells us that companies are making it easy for the attackers to succeed. “An analogy that I often use is this: You can get a stronger lock for your door, but if you are still leaving the key under your mat, are you really any more secure?”
Madnick is referring to the fact that many cyberattacks rely on people falling for “phishing” scams—emails or messages asking the reader to take some action, like downloading a file or clicking a link. Other security faux pas include sending or receiving confidential files via email without password protection, downloading software that wasn’t approved by the IT department, or sharing network passwords with colleagues.
In today’s landscape of escalating cybercrime, resiliency calls for a new kind of leadership and cybersafe culture, requiring the active engagement of both technical and non-technical management. As part of this effort, companies must work to create a more cybersafe culture at work. But how?
Madnick, his colleague, Dr. Keri Pearlson, and the Cybersecurity at MIT Sloan research team have interviewed many companies working toward just such a culture. Here are five of the approaches and actions that they have found most effective.
- Cooperation from everyone: At too many companies, cybersecurity is seen as the responsibility of the IT department. But cybersecurity requires the active efforts and cooperation of everyone in the business, top to bottom.
- Clearly designated leadership: Developing, supporting, and sustaining the cybersecurity culture requires strong attention and support from top management as well as a clearly designated manager and/or team who are responsible for helping.
- Passive solutions: There are many security precautions that are relatively simple to implement because they require minimal, or even no, conscious action from the employee, such as segregating the network used by personal devices from the corporate network, requiring two-factor authentication to connect to the corporate network, and filtering suspicious emails into a separate folder.
- Active reminders: Madnick suggests borrowing from other successful efforts to change behavior—like the signs at the entrance of many factories that read, for instance, “542 days since last industrial accident.” No one wants to be the person that brings that number back to zero. Companies should regularly remind workers how many attempted cyberattacks their organization had today, how many were successful, and whether the trend is improving or worsening. Another example: add a note to each incoming email that says, “This email has an attachment. Be sure you know who it is from before you open it. We don’t want to aid a cyberattack.”
- Make it engaging and fun: Creativity has its benefits. If your company can encourage cybersafe behavior in ways that are fun, those behaviors will be more likely to stick. Madnick and his team have seen engaging and funny videos and songs that connect with employees; “cybersecurity superheroes” who personify and promote the organization’s commitment to cybersecurity; and periodic phishing tests where the results are posted and rewarded.
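The “active reminder” idea above, a note stamped onto every incoming email that carries an attachment, is the kind of control a mail gateway can apply automatically. The script below is an added example written for this post, not code from Madnick’s team or from any product: it uses only Python’s standard `email` library, reuses the article’s wording for the note, and assumes a hypothetical `X-Attachment-Warning` header to mark messages already processed. The sample message it builds is constructed for the demonstration.

```python
import email
import html
from email import policy
from email.message import EmailMessage

# Wording taken from the article. The header name is an assumption of this
# example, used so the banner is not added twice if a message is re-scanned.
BANNER = ("This email has an attachment. Be sure you know who it is from "
          "before you open it. We don't want to aid a cyberattack.")
WARNING_HEADER = "X-Attachment-Warning"


def has_attachment(msg: EmailMessage) -> bool:
    """True if any MIME part is flagged as an attachment via Content-Disposition."""
    return any(part.is_attachment() for part in msg.walk())


def add_attachment_banner(raw: bytes) -> bytes:
    """Return the message with the reminder prepended to its text and HTML bodies.

    Messages without attachments, or already stamped, are returned unchanged.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not has_attachment(msg) or msg.get(WARNING_HEADER):
        return raw

    for kind in ("plain", "html"):
        body = msg.get_body(preferencelist=(kind,))
        if body is None:
            continue
        text = body.get_content()
        if kind == "plain":
            body.set_content(BANNER + "\n\n" + text)
        else:
            # Escape the banner so it cannot be interpreted as markup, then
            # place it right after the opening <body> tag (or at the top).
            notice = "<p><b>" + html.escape(BANNER) + "</b></p>"
            lower = text.lower()
            start = lower.find("<body")
            end = lower.find(">", start) if start != -1 else -1
            new_text = text[:end + 1] + notice + text[end + 1:] if end != -1 else notice + text
            body.set_content(new_text, subtype="html")

    msg[WARNING_HEADER] = "yes"
    return msg.as_bytes()


def warning_stamped(raw: bytes) -> bool:
    """Check that a message carries the marker header and the banner in its text body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return (msg.get(WARNING_HEADER) == "yes"
            and body is not None
            and body.get_content().startswith(BANNER))


def build_sample(with_attachment: bool) -> bytes:
    """Construct a sample inbound message (constructed data, not a real email)."""
    m = EmailMessage()
    m["From"] = "vendor@example.com"
    m["To"] = "staff@example.com"
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    if with_attachment:
        m.add_attachment(b"%PDF-1.4 constructed sample bytes",
                         maintype="application", subtype="pdf",
                         filename="invoice.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    stamped = add_attachment_banner(build_sample(True))
    print(stamped.decode())
    print("banner present:", warning_stamped(stamped))
```

In a deployment this function would sit in the gateway’s delivery pipeline (a milter or a script called per message); the marker header also gives a downstream mail client or SIEM rule something to key on without re-parsing the body.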
In building a cybersafe culture at work, best practices need to be built into the regular daily work processes. Success stories should be highlighted and encouraged. Cybersafety effectiveness should be valued and expected of employees and incorporated explicitly into performance and bonus reviews. And, of course, organizations need to measure their cybersafety level in order to properly manage it.
In other words, cybersecurity needs to be a way of life.
A holistic approach to managing cybersecurity-related risk is the focus of a new MIT Sloan Executive Education program, Cybersecurity Leadership for Non-Technical Executives. Taught by Stuart Madnick, Keri Pearlson, and Michael Siegal, the program provides leaders and managers with frameworks and best practices for managing cybersecurity-related risk, including actionable ideas to increase cyber resilience. The inaugural session of this program will occur on November 6–7, 2018. The course will be offered again in April and July of 2019.