Cyber threats, including destructive ransomware attacks, trade secret theft and online fraud, and disinformation campaigns, are on the rise, blindsiding some of the world’s most powerful organizations whose leaders mistakenly minimize the threat or assume their systems and data are secure.
“That’s a big problem,” says multi-award-winning cybersecurity veteran Chris Painter, one of the world’s most knowledgeable experts on cybercrime, cyber policy, and cyber diplomacy. “Companies may not know they are vulnerable, but malicious hackers do, and they go hunting for unprepared and unprotected victims. Moreover, organizations often don’t understand what they have to lose from a malicious cyber incident and simply do not take the threat seriously. The good news is that organizations can do something about this looming threat by understanding the cyber threats and actors that are targeting them, prioritizing cybersecurity – including at the board level – making sure an incident response framework is in place before they are hit, and practicing good cyber-hygiene.”
A global advisor, educator and speaker, Painter helps organizations and individuals understand cyber risk, respond and prepare for cyberattacks, and establish cyber security policies. He is also an expert in discussing the international aspects and geopolitical challenges of cyber threats – particularly nation state sponsored hackers from Russia, China, Iran and North Korea and why organizations should be concerned. For example, he can discuss the challenges posed by state-sponsored economic espionage and the likelihood, particularly in light of the Russia-Ukraine crisis, of more disruptive cyberattacks by Russian actors and why organizations should care and prepare for these unique and growing threats.
Whether the adversary is a criminal group or a nation-state, Painter says there are several kinds of vulnerabilities hackers seek to exploit. Often employees and even senior managers are not attentive to cyber threats, and hackers go after this human factor by using “social engineering,” which is essentially when hackers use information to trick someone into believing they are someone they’re not so they can gain access to their system. They also often use targeted fake emails containing a “malicious payload” allowing the hacker to penetrate a system and work their will. Hackers also often exploit vulnerabilities in critical software that an organization has failed to patch even though a fix has been widely available.
“Though the vast majority of intrusions are of unpatched systems, some adversaries use so-called Zero-Day Vulnerabilities (ZDV) – yet-to-be-discovered openings in a system that are highly valued by intelligence agencies and sophisticated actors in countries like Russia and China,” Painter explains. “Let’s say you’re using a Microsoft operating system. The code is very complex, so maybe Microsoft hasn’t discovered, much less issued a fix for, a critical issue that no one, except the hacker, knows about yet. In short, cyber threats are real and on the rise. They can seriously impact an organization through business disruption, the loss of valuable intellectual property or the loss of customer data leading to a loss of customer confidence. Some of these threats can be prevented through better awareness, training, cyber hygiene and planning. Some hackers will succeed but, even then, preparation and planning for response is the key. At a higher level, leaders need to view cyber threats as they would any other risk to the organization and engage in appropriate risk management and mitigation.”
This has become particularly important as governments and regulators around the world are increasingly turning their attention to cybersecurity compliance. For example, Congress has recently passed requirements for mandatory reporting of cyber incidents for certain critical businesses. The Securities and Exchange Commission has recently proposed new rules for cybersecurity risk management, strategy, governance and incident disclosure by public companies. Notably, this includes periodic reporting of a company’s “policies and procedures to identify and manage cyber risks,” evidence of management’s ability to identify such risks, and “the board of directors’ oversight of cybersecurity risk.” The proposal even suggests proxy and annual reporting of the board of directors’ cybersecurity expertise, if any. The European Union has strong cyber provisions in the GDPR and is promulgating a host of other requirements and regulations. Ignoring these risks is no longer an option.
Previously a senior official at the Department of Justice, F.B.I., the National Security Council and the State Department, Painter has been on the vanguard of U.S. and international cyber issues for more than 30 years. He chaired the G8 (and then G7) High-Tech Crime Group for more than 10 years and, as a federal prosecutor, he prosecuted, among others, the notorious hacker Kevin Mitnick. In his most recent government role as the nation’s top cyber diplomat, he worked with senior officials in countries around the globe, led the United States’ diplomatic efforts to advance an open, interoperable, secure and reliable internet and information infrastructure, and, among other things, helped lead a landmark cyber negotiation with China. Recently, he was a co-chair of the Ransomware Task Force that issued an influential report and recommendations on this growing threat area.
CYBER-PREPARING FOR THE FUTURE
While financial services companies are farther ahead in terms of securing their systems, Painter says companies in every industry must assume they are vulnerable and take every necessary step to protect customer data as well as their own. Doing so will not only prevent a public relations nightmare, but also give companies an opportunity to build trust with customers by letting them know the firm has gone above and beyond to protect their personal information.
“Cybersecurity has finally become more of a priority around the world for both governments and businesses, partly because of the recent ransomware attacks, Russian cyber threats including the so-called Solar Winds campaign, and China’s attack on the Microsoft Exchange and widespread intellectual property theft. We’ve been pushing for people, businesses and governments to take cyber seriously for many years and it’s finally happening,” says Painter. “But lately, the threats have increased. Ransomware attacks like the one on Colonial Pipeline are disrupting businesses and both criminal groups and nation states have found new and inventive ways to breach victim systems. There are also the emerging threats that are not yet on the radar. For example, when I was working in government in 2016 and the election interference happened, we never saw it coming. We were focused on potential big infrastructure attacks and theft of information. Now we know better. But the greater notoriety of cyber threats also creates an opportunity for organizations to prepare, minimize and mitigate harm. There is a lot to do before we can get ahead of it all.”
Chris Painter is available to advise your organization via virtual and in-person consulting meetings, interactive workshops and customized keynotes through the exclusive representation of Stern Speakers & Advisors, a division of Stern Strategy Group®.
Cyber threats are impacting businesses and governments every day, making it imperative that organizations prepare immediately. Stern connects you with renowned thought leaders whose insights, strategies and management frameworks help organizations fuel growth and disruptive innovation to better compete in a constantly changing world. Let us arrange for these esteemed experts to advise your organization via virtual and in-person consulting sessions, workshops and keynotes.