Richard A. Clarke is an internationally recognized expert on cybersecurity, national security and counterterrorism. He teaches at Harvard’s Kennedy School of Government and is the author of “Cyber War: The Next Threat to National Security and What to Do About It.” Clarke served the last three U.S. presidents as a senior White House advisor. The following interview with Clarke examines the actions required of executive leaders to transform approaches to protecting their companies in the new cybersecurity paradigm.
Given today’s environment of escalating cybersecurity risks, how should a company go about protecting itself?
Clarke: Executives must accept that the threats have evolved and the defenses have to evolve with them. The old paradigm of cybersecurity was perimeter defense and trying to figure out who is attacking you and trying to get in. The new paradigm assumes that eventually an attacker is going to get in and, therefore, places increased emphasis on securing the insides of the network.
The first step toward better protection in this new paradigm begins with the risk discovery process. Individual companies have unique risks. Companies might think they know all of their risks, but it has been my experience that going through the process of risk discovery often uncovers nonobvious areas of risk.
The first question firms need to ask, at the board level, is: What are our crown jewels? What is it that we really need to protect from being taken over or copied? Maybe the crown jewels are customer lists or sensitive mergers and acquisitions information or something else. Whatever the crown jewels are entirely depends on the nature of the institution’s business.
The second question firms need to ask is: What is the worst-case scenario? What are the two or three things that could happen as a result of a cyberattack? Don’t just think about what has happened. Think about things that could happen.
Then, gauge your risk tolerance. Every financial institution has a different risk tolerance. No outsider can tell an institution how much to spend to mitigate the risk or how much inconvenience to employees and possibly customers the firm is willing to bear as a result of cumbersome procedures that may need to be put in place to mitigate risk.
At least within the boardroom, be explicit about the firm’s risk profile and where pain points reside. It’s much better to plan in advance in order to make constructive investments based on a risk analysis than to react after a breach occurs. Firms almost always waste money when reacting to an unanticipated crisis.
How can firms better prepare for data breaches to mitigate the damage if they do occur?
Clarke: Companies that plan ahead for breaches, including obtaining sign-off on the plan by the board, are able to walk through their playbooks, deal with situations efficiently and react competently. Participation in simulation exercises helps ensure that all players learn their roles in responding to breaches and provides opportunities to improve upon the plan.
Companies also should plan for zero-day threats – not threats that have happened in the past such as stolen credit card data or an insider threat – but those threats that have never before happened but could occur. We often find that risk managers worry too much about what happened to someone else yesterday and not enough about what might happen to them tomorrow.
In the new paradigm, what should companies do from an IT standpoint to shore up their defenses?
Clarke: Companies need a continuously evolving IT security road map that changes in response to new technologies and threats. The road map should be keyed to the company’s risk tolerance and include its risk mitigation plan.
Becoming knowledgeable about the latest defense technologies and mapping them to evolving risks are critical to wise budget allocation. Although most information technology security officers agree that systems for perimeter defense based on intrusion detection and antivirus solutions and firewalls are outmoded for today’s threats, they continue to spend the lion’s share of their budgets in this area.
Budgets must include adequate support for securing the insides of an institution’s network – not just the perimeter.
The new data security paradigm assumes that people will break into anybody’s network regardless of the strength of their perimeter defense. Once they get in, they will look at what’s going on inside the network unless the company has put interior defenses into place. My recommendation is to sit down with the IT team and IT consultants to discuss re-architecting the network by setting up subnets and internal firewalls on those subnets.
Finally, encrypt everything. It’s amazing that so many companies use encryption as little as they do to protect information so that only people who need to use it can get access to that information. Use encryption now. Don’t wait to be compromised.
How can companies more effectively defend against insider attacks?
Clarke: Whether it’s in the government or in the private sector, some sort of vetting is usually conducted during the hiring process. If people pass the background check, they get hired and no further monitoring occurs. When we look back on cases of criminal activity perpetrated by an insider, we often find that an employee has gotten into some kind of trouble – financial, personal or emotional – during the course of their employment, but the company doesn’t learn about it soon enough to prevent the insider attack.
Every company has people in sensitive positions, and all too often, it’s one of those employees who walks out with company secrets on a thumb drive and sells it to the competition. To mitigate insider threats, human resources departments should continuously monitor the behaviors of people who are in sensitive positions and be proactive about getting them out of harm’s way if they are in trouble.
Companies also need to adjust their access control and administrative rights policies to mitigate the risk associated with superusers – employees who have been given access to virtually everything on the network. Nobody needs to see everything on the network, and yet almost all IT people can see anything they want, can assume the identity of anybody on the network and can erase logs to cover their tracks to prevent forensic experts from figuring out who did the misdeed.
It is possible to design networks that limit what IT staff can access. For example, data can be encrypted and access to the encryption key can be highly limited. Or, certain changes to the network can require two IT people with credentials agreeing to make a particular change.
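The two-person rule and the log-erasure problem from the answer above, as an added illustration (not code from the interview or from FIS): a change request that only two distinct credentialed approvers can authorize, recorded in a hash-chained audit log so that a privileged user deleting an entry is detectable. The role table, user names and change ids are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed role table: only "netadmin" holders may approve sensitive changes.
APPROVERS = {"alice": "netadmin", "bob": "netadmin", "carol": "helpdesk", "dave": "netadmin"}
REQUIRED_APPROVALS = 2  # dual control: two people must agree


@dataclass
class ChangeRequest:
    change_id: str
    requester: str
    description: str
    approvals: set = field(default_factory=set)

    def approve(self, user: str) -> None:
        # Only credentialed approvers count, and nobody may approve their own request.
        if APPROVERS.get(user) != "netadmin":
            raise PermissionError(f"{user} is not an authorized approver")
        if user == self.requester:
            raise PermissionError("requester cannot approve their own change")
        self.approvals.add(user)

    def is_authorized(self) -> bool:
        # A set, so the same approver clicking twice still counts once.
        return len(self.approvals) >= REQUIRED_APPROVALS


class AuditLog:
    """Append-only log: each entry commits to the previous digest, so deleting
    or editing an earlier entry breaks the chain and verify() reports it."""

    def __init__(self) -> None:
        self.entries: list = []

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "event": body, "digest": digest})

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev:
                return False
            if hashlib.sha256((prev + e["event"]).encode()).hexdigest() != e["digest"]:
                return False
            prev = e["digest"]
        return True
```

In practice the chain head would be shipped to a system the superuser cannot write to, so an erased tail is caught by comparing heads rather than by trusting the local copy.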
Hear fresh ideas on risk and compliance management at FIS’ 2015 Enterprise, Governance, Risk and Compliance Summit from Jan. 26 – 28 at The Westin San Diego Gaslamp Quarter.