Three Things Hackers Know About Your Business (That Gives Them All The Control)

As we move into the end of summer, cyber attacks are rising like the temperatures outside our front door. The bad actors are organized, well-funded machines, and they’re after your critical data, your money, and your business. And the business of cybercrime is changing for all of us, good and bad actors alike. Economic uncertainty, war in the Ukraine, and political unrest is fueling the winds of cybercrime innovation and audacity. We as business leaders are being pressured to be better and to meet the challenges of an invisible foe hellbent on destroying everything we’ve built.

One of the first cybersecurity incidents I was exposed to happened almost 20 years ago. It involved a Russian hacker who social engineered an employee in distress. This employee didn’t actually work for the target client. They were part of a larger third-party contract and had access to the target client’s critical data. In this situation, the bad actor knew; 1) the employee’s spouse had been recently laid-off, 2) they had children in college, and 3) the consultant was in financial distress and on the verge of conducting lay-offs. Most of this is readily available knowledge, even in today’s world.

In this case, the Russian bad actor manipulated the employee into sending controlled, critical data in exchange for two direct wire transfers into the distressed employee’s banking account. I believe the amount was a little over $80,000 USD.

At the time, the victim company had best-in-class endpoint, perimeter, and data leakage protection deployed an in use. None of that helped as the employee was inside the gate with credentialed access. An independent third-party vendor had direct access to all the controlled data. Even though the job they were contracted to do didn’t require this type of access. That’s where the database encryption technology broke down. It broke down at the point of use. In order to use, the vendor had access to the whole database just to use a little piece. Yes, this was 20 years ago. Unfortunately, the situation hasn’t changed much. Just look at the statistics and the news stories published daily. “X number of Y’s customer records leaked as part of ransom demand…” You can do a Google search and fill in X and Y for yourself.

So why are data events, incidents, and breaches still happening? It’s largely because the hackers have control of the playing field. They know three key facts about most businesses, and these facts ring as true today as they did 20 years ago.

Fact #1:  Your business is in a constant state of change. Change is the only constant.

  • Growth (or contraction) related change
  • Technology change
  • Financial change
  • Leadership change

Fact #2: Compliance is less expensive than cybersecurity.

  • Compliance is not cybersecurity. Compliance is a minimal guideline to cover minimal expectation. It is the “good enough” approach to true cybersecurity.
  • Compliance is hard, total cybersecurity is impossible, doing nothing is the most expensive. Acceptable, manageable, defensible risk posture is somewhere between compliance and total cybersecurity.

Fact #3: You have a limited staff with limited expertise.

  • The cybersecurity industry is currently in the midst of a huge staffing shortage.
  • Our educational institutions are the best they’ve ever been at turning out cybersecurity experts. That said, they’re still playing catch-up to the demand.
  • Experienced cybersecurity experts are expensive, and for good reason.
  • Your focus on your business is the attackers gateway to your business. To better explain: you produce and sell widgets and/or services, not cybersecurity. Your budget, both human and financial, will always lean toward generating revenue (better, faster, more efficient ways to sell more widgets and/or services). Don’t forget or deny that trust, reputation and customer delight are core to generating revenue. In 2022, cybersecurity is required at the table with the entire business plan. If you get hit with an event or breach resulting in data theft, it will impact your ability to provide services or make money (2021 cost per company related to data theft = $4.35m on average according to the IBM and Ponemon Institute 2022 report). Your cybersecurity executive needs to be part of the business planning process.

Ouch, that’s not good. So, where do we go from here? My business must operate, so there will always be change. True cybersecurity is impossible while running a changing business, so what is enough? The staffing shortage is out of my control, how can I work that challenge? Especially when I have to adjust my business to the current economic uncertainty.

The answer is one step at a time. I’m going to suggest something that is very fundamental. Know your business. Start from the center. Work the challenge from the core outward. Data is the new currency and it’s time we treated it like money. Your local bank has a lot to teach us when it comes to access controls. It is hyper focused on the currency within their protection. If you go to the bank to withdrawal $100.00 in the form of three $20.00 bills and four $10.00 bills, they don’t take you in the vault and let you pick from their entire reserve. The teller doesn’t even go back into the vault to pick from the reserve. The teller has minimal access to what they need, and you are only given access to the $100.00 you needed, in the denomination you requested. All other currency is held from your view and your access. The critical data in your possession is the same. Like your local bank, the critical data is the currency. You must give access to it in a very controlled manner. Critical data is the core of your business. It’s fundamental to your entire operational process. We collect, archive, and leverage critical data because it directly relates to your success.

Look from the core, critical data out to design your cybersecurity architecture, programs, policies, and procedures. If you have a CISO, I’m sure they’ve been telling you this for years. It’s time to listen. Invite them to the executive table. Work the challenge with them.

It’s also time to add a cybersecurity expert to your board of directors. The SEC is already proposing rules that would require publicly traded companies to include and disclose cybersecurity expertise on the board of directors. This is seen as the first step toward better cybersecurity alignment, disclosure and accountability. It’s fully expected that this will be adopted in some form by other cybersecurity governing bodies. Don’t wait for a compliance mandate. Adding cybersecurity expertise to your board of directors is healthy and will help you manage the pitfalls you face related to cybersecurity.

Is it going to be enough? This is one of the hardest questions to answer. If you ask your cyber attorney how much is enough, their answer is probably going to be “Can we defend it?” In the event of an incident or breach, have you done enough to defend your position? If you’ve done everything within reason with compliance being the floor and total cybersecurity being the ceiling, you’re on the correct path.

Can you staff it? This is another challenge. Of course, building from the core out in partnership with your CISO’s lead will assure that you’re addressing the correct gaps. One suggestion, send your cybersecurity team to training and support their growth. Yes, if you incentivize and support them to grow, they may leave. But if you don’t incentivize and support growth, you will want them to leave. Smarter, motivated employees are more productive, loyal, and secure. They’ll also attract better talent to your teams. That is a key component of the healthy culture equation.

Like you, here at Paperclip we are faced with the same operational and data security challenges. Six years ago, we took a hard look at our core and realized that our reputation, our entire business was based upon the fundamental trust our clients assigned to us as we managed their critical content and documents. Yes, we secured our databases with the best available solutions such as encryption at rest and in transit, and we met all compliance requirements. We even had a history of patenting a few technologies related to capturing and securing critical data. All that said, we still didn’t feel it was enough. After all, many companies suffering data theft related to ransomware attacks, and other techniques were also leveraging the same encryption at rest and in transit strategies we used. This is when we decided to do something about it. We spent the next four years taking the daunting task of protecting data in use, or “encryption-in-use” as it’s more commonly referred to. We found that leveraging off-the-shelf encryption protocols, combined it with block-chain style shredding, multiple key vaults, and wrapping it in a cocoon of machine learning cybersecurity monitoring was exactly what securing our critical data required. We were able to minimize any access to plain text down to the teller handing the customer three $20’s and four $10’s. Several international patents and U.S. patents later, and the team at Paperclip is now not just good enough (standard encryption of critical data), we are now better.

This is the genesis of the Paperclip SAFE® encryption-in-use solution. Two years ago, we began using Paperclip SAFE® internally. That’s when we realized that there was a hole in the market and companies were — and still are — looking for a better solution. The market is demanding a better way to protect their core critical data from those that want to steal and control it. So, two years ago we began working with teams of analysts and testers to assure that Paperclip SAFE® would meet commercial expectations. Now, after two years of extreme testing, Paperclip SAFE® is being released for commercial use. Paperclip SAFE® secures the core and stops the breach!