In order to tackle the increasing threat of cyberattacks, you need to learn to think like a hacker, write José Esteves, Elisabete Ramalho and Guillermo de Haro for MIT Sloan Management Review.
Cyberattacks are becoming increasingly common. In 2013 and 2014 Yahoo Inc. was the target of data breaches that resulted in the theft of sensitive information from 1.5 billion user accounts. Other high-profile companies including Ashley Madison, Home Depot, JPMorgan Chase, Sony Pictures and Target have also been hacked.
According to IT research and advisory firm Gartner Inc., global spending on cybersecurity is set to increase to US$101 billion by 2018. But tackling cybercrime is not just a matter of throwing money at the problem. You have to understand the hacker mindset.
José Esteves, professor of information systems at Madrid’s IE Business School, Elisabete Ramalho, head of programmatic client strategy for Europe, the Middle East and Africa at Google, and Guillermo de Haro, professor of applied economics at Madrid’s King Juan Carlos University, have produced a framework for tackling cybercrime based on a study that included interviews with 23 experienced hackers.
UNDERSTANDING A CYBERATTACK
Hackers are highly skilled and intelligent individuals, often with backgrounds in computer science, who like to take risks. They are master manipulators with limitless curiosity and patience who work in organised groups.
Esteves, Ramalho and Haro highlight four steps to a cyberattack and suggest ways to frustrate hackers’ efforts:
1) Identifying variables. Using a process known as footprinting, hackers will leave no stone unturned in their search for the weakest links in your company’s cybersecurity system. They might also use footprinting on your contractors, subsidiaries and suppliers. Before launching an attack, hackers will attempt to interact with staff members to gather information such as server names, IP addresses and user accounts.
You should: regularly create a footprint of your company’s own cybersecurity system, so that you see what an outsider would see.
2) Scanning and testing. Hackers will use scanning tools to search for weaknesses in the applications running on your systems. “Cumulatively, small security vulnerabilities and design weaknesses can add up to major security holes,” write Esteves, Ramalho and Haro.
You should: regularly examine your hardware, software and network protocols for weaknesses and regularly run penetration tests (simulated hacker attacks).
3) Gaining access. Hackers will use techniques such as phishing: official-sounding e-mails or instant messages that persuade staff members to share information such as login details. They might also send emails containing links to sites infected with malware.
You should: ensure that staff members, as well as contractors, subsidiaries and suppliers, are aware of information sharing policies and ways in which hackers might attempt to obtain information.
4) Maintaining access. Hackers will not be content with simply breaking into a system; they will want to turn it into a “zombie system”, i.e. a system they control. They will then be able to use the system to launch future cyberattacks.
You should: keep a close watch for suspicious activity in system logs and ensure that monitoring systems are up to date.
IMPROVING YOUR CYBERSECURITY
Esteves, Ramalho and Haro highlight five steps to improving your cybersecurity:
1) Win over senior management. “No matter how technically competent the IT department is, it can’t change the vision of the company,” they write. Senior management must persuade every department and member of staff of the importance of cybersecurity and ensure “complete buy-in” to your new focus on the matter. Senior management must first be persuaded that the company’s long-term profitability and sustainability are dependent on effective cybersecurity.
2) Develop a strategy. Look at your cybersecurity from both inside out and outside in, i.e. from both the perspective of your staff members, contractors, subsidiaries and suppliers and from the perspective of a potential hacker. Decide which areas you are going to deal with in-house and which you are going to entrust to external contractors.
3) Build awareness. Create a cybersecurity awareness training programme and make it compulsory for all staff members. US cloud computing firm Salesforce.com has used gamification (using elements of game playing) to improve the way in which staff members approach cybersecurity. Patrick Heim, chief trust officer for Salesforce.com, claims staff members who have undergone the training are 50% less likely to click on phishing links and 82% more likely to report a phishing email.
4) Build alliances. Hackers learn from each cyberattack and use their knowledge to attack other targets. It is important that your IT security staff share information within your company, within your industry, with government agencies and even with competitors.
5) Stay up to date. Cybersecurity threats are constantly evolving and your cybersecurity measures must also evolve if you want to combat them. Keep up to date with best practices and ensure your company follows them.
As Dan Chenok, former chairman of the information security and privacy advisory board for the US National Institute of Standards and Technology, says: “The only way to 100% protect yourself from attacks is to turn off your computers.” But with cyberattacks on the rise, it is vital that your company is as well protected as possible. “Cybersecurity is a game of cat and mouse in which the cat always makes the first move. But the more you can think like a hacker, the better able you will be to protect your organisation,” write Esteves, Ramalho and Haro.