Cybersecurity presents an unprecedented risk costing companies billions of dollars in market valuation, lost revenue and expenses. Every 39 seconds, there is a cyberattack and 64 percent of companies have experienced a web-based attack.
As the world becomes more interconnected, we make ourselves more vulnerable. More than 85 percent of the Internet belongs to the private sector and it’s estimated that by 2020 there will be roughly 200 billion connected devices, creating risks and vulnerabilities in areas we haven’t considered before. Additionally, while the rise of teleworking has been revolutionary from an efficiency and cost perspective, it also means that more data is potentially exposed on employees’ devices, creating another landscape that needs to be protected.
Spectacular data breaches and hacking undermine trust in the fundamental institutions of our society and democracy. Even though global spending on cybersecurity is set to reach $1 trillion between 2017 and 2021, many companies admit they feel under-prepared to deal with sophisticated cyberattacks and that most efforts are treated as an afterthought or simply an IT problem. Leadership of every company should make cybersecurity a top priority — the sake of their company, its shareholders, this country and their jobs depend on it.
The cost of a major cyberattack could be on par with a major natural disaster, but rather than being “acts of God,” cyberattacks can be prevented and disrupted. It is believed that on average, the cost of a data breach by the year 2020 will exceed $150 million and that number will only continue to climb as most business infrastructure becomes connected.
The major challenge is that we are not simply dealing with basement hackers. The breaches are sophisticated and often conducted by state-sponsored actors backed by adversarial foreign governments. These governments are not simply employing cyberattacks as a means of spying, but actively supporting hackers to target the commercial sector in rival countries to create chaos and disruption.
Russian-backed hackers sought to influence elections in the United States and France. The Chinese military has carried out multiple cyberattacks against U.S. companies. State-backed Iranian hackers conducted an attack aimed at denying services to U.S. banks, while not directly attacking the banks themselves. The fact of the matter is many of our adversaries, looking to destabilize and create chaos for the American economy and military, are looking for asymmetric advantages against the United States. Vulnerable IT systems in the private sector could provide such an opening and as such should be considered part of our national security strategy.
National defense and the private sector are not as segregated as you think. Economic issues are security issues. Let’s assume there is a major attack on our banks and the entire banking system is down for 24-48 hours, leaving everyone without access to capital, or that the power grid is destabilized, plunging entire cities into darkness without any electricity. These kinds of attacks create short-term chaos but can have lasting long-term economic effects that will cost billions of dollars and take years to recover from. Additionally, commercial cyberattacks affect military readiness, as much of our military relies on the private sector for staffing, technology development, logistics and acquisitions.
When dealing with sophisticated state-sponsored actors, we cannot placate a problem with a Band-Aid solution. Rather than reinvent the wheel, we should adopt and integrate military-grade capabilities and best practices to protect our commercial networks.
The way companies structure and monitor their networks is the first important step toward protecting against outsider threats. Network segmentation should be employed to separate and compartmentalize a company’s most important information. Utilizing advanced analytics to track and identify network anomalies and hidden threats is also key to catching small vulnerabilities before they become massive data leaks.
Even the best-run networks can fall victim to hacks as a result of user error or malicious intent. Therefore, training employees in best cybersecurity practices and letting them know the consequences if they are responsible for a hack is just as important as having a well-built network backed by military-grade hardware. Employees with security clearances know the significant consequences of their actions and those handling sensitive information at a corporate level should be similarly aware.
The bottom line is that the U.S. government employs some of the brightest minds to handle cybersecurity issues across myriad challenges and risks. Private enterprise is an extremely vital asset, and protecting it from cyberattacks should be treated with the same level of sophistication as national defense matters.
• Kelli Kedis Ogborn is a former congressional liaison for DARPA and the president and CEO of H.S. Dracones, LLC.