USI Security Tips

Security Fusion As a Business 'Force Multiplier'

October 16, 2019

A force multiplier is a capability that, when added to and employed by an entity, significantly increases that entity’s potential and thus enhances the probability of accomplishing its goals, whatever they may be. Every business needs force multipliers to be successful; these include its people, suppliers, processes, and technology. Computers, networks, security, and infrastructure are indeed force multipliers. However, many organizations simply do not fully understand their capabilities, how to use them, and, more importantly, how to integrate them correctly to advance their business. Security is a business force multiplier that is still misunderstood by many and often poorly integrated, if at all. Regardless of the size of the organization, proper security integration is the difference between piecemeal ‘instruments’ simply generating noise and a symphony orchestra.

Perhaps the simplest way to visualize the power of ‘force multiplication’ through proper integration of controls is to envision a bullet train. Bullet trains are noted for their high velocity, reaching record speeds of up to 375 MPH. However, it was the necessary innovations in the controls that allowed for such speeds. As with a bullet train or a race car, if you want your business to go fast, you will need well-designed controls. Taking this analogy one step further, consider the Shinkansen bullet train, which has been operational since 1964, has carried over 10 billion passengers, has a stellar safety record, and has an average delay of less than one minute.

Such performance would be impossible if not for a nerve center and a team of highly trained controllers making sure everyone follows the rules. Data is collected from sensors and analyzed in real time, giving pertinent metrics on speed and the locations of all trains. Knowing how to respond to incidents is critical. For example, Japan suffers approximately 1,500 earthquakes a year. A lot of thought was put into the safety and controls of the system, including innovation in braking technologies; twenty-one core sensors to detect earthquakes, which stop the train even before an earthquake hits; internal stabilizers to keep the bullet train from derailing; and, for more severe movement, stoppers installed under each car to catch the car and keep it upright. It is important to note that the controls are not in place to impede performance. In fact, they allow the bullet train to travel faster because they put the drivers in control of its speed. Each motor on every wheel is designed to grip the track, so that with greater speed comes greater control.

In a brutal and highly competitive business environment, businesses have been running fast but sliding backwards. A Cisco survey of over 1,000 executives found that 74% of respondents in the U.S. said that the main purpose of cybersecurity is to reduce risk rather than to enable growth. Several misconceptions about security persist: that it is a drain on organizational resources; that it is an expense, and an expensive one, rather than an investment; that cybercrime only targets large enterprises and we can hide among the masses; that threats are only external and we live in a bubble; that our internal IT and IT security staff are able to address matters and have the expertise to do so; that despite having the best security we were overcome by highly sophisticated hackers; and that we can rely on the government to protect our business, especially in the event we are impacted by cybercrime. Former FBI Director Robert Mueller even stated, “There are only two types of companies: those that have been hacked and those that will be.” We couldn’t disagree more, and there are plenty of success stories to prove it. Even if you have been a victim, leave defeatism to your competitors rather than embracing it.

Our experience stems from responding to and assessing thousands of data breaches and cybercrimes across the globe, including but not limited to high-profile business impacts such as the Sony Networks intrusions, the Target, Neiman Marcus and Banner Health Network data breaches, incidents involving thefts of trade secrets and confidential information, ransomware attacks (which often hold an entire organization hostage), and the UBS logic bomb, which caused massive outages and loss of business and revenue. A common thread is that the security failures often occurred well before the major incident did. Many of these incidents were avoidable, and their impacts could have been significantly minimized.

If your organization’s incident response plan revolves around depending on the government, think again. Government is by design inherently slow, and it is overwhelmed. Well-informed businesses know that if they ran their business like government, they would be out of business. Why then would any entity put its faith in government to protect its business? Still in doubt? Then see how fast the government resolves your organization’s IT security incident in the event your company is left paralyzed by ransomware or a similar attack on your infrastructure. These types of attacks often cause outages over prolonged periods of time. Government tends to have all the time in the world; does your business? In fact, governments have even paid ransomware hackers to get their networks and data released from being held hostage.

Selecting a viable security supplier is critical. Security is based on trust, and not all firms are created equal. Genuine security experts understand that for an organization to have effective security, it must incorporate physical and electronic security in a cohesive manner. Organizations have hired internally and externally without properly vetting their employees or suppliers. An individual who is undertaking a penetration test and/or red team exercise of your company’s environment may be great at exploiting your network for a reason. Not all experience is good experience. Other firms whose primary focus is accounting or another trade have no business being in security. Based on first-hand knowledge, there are people and organizations that should not be in the accounting business, let alone in IT or the security business.

Sample Case Study Excerpts

In one of the major data breaches described above, one of the IT administrators was running an illegal warez site that distributed and traded stolen software. This made him an easy target for cybercriminals, who had already linked the individual to the organization.

In another instance, an IT administrator planted a logic bomb in a system because he was apparently unhappy with his bonus and decided to take down his company’s networks. The IT admin wasn’t done there; he still wanted his bonus and was intent on getting it. So the IT administrator also bought put options, betting that his own company’s share price would decline when the logic bomb executed its code and, effectively, executed the company’s network and data. This resulted in thousands of computers going offline for a prolonged period of time at a major financial institution.

On one security assessment, we were tasked with running a risk assessment of a large company’s network and noted anomalies, including in the 401(k) system. We went on to conduct network packet analysis and tracing, which identified QuickBooks running in this rather large organization. This was strange because the company had its own accounting system, which did not include QuickBooks. QuickBooks was traced back to the CIO’s system. Not only was it determined that the CIO was responsible for making unauthorized changes to the 401(k) system to benefit his own situation; upon further analysis, we identified that the CIO was running a shadow IT company. Interestingly, the CIO’s shadow IT company was being awarded, without authorization, rather lucrative contracts funneled from the same company he was supposed to be working for. It should be noted that these anomalies and findings would not have been identified by firms that run ‘check the box’ risk, penetration and vulnerability tests, many of which are vetted internally by parties with conflicting interests.

At least two well-known major accounting firms audited and gave the thumbs-up to the acquisition of a Russian bank. Post-acquisition, we were tasked with traveling to Moscow, Russia to conduct incident response and cyber forensics on the newly acquired entity’s databases, computers, mobile devices and other electronic devices. After being delayed and threatened, we were eventually allowed access to the systems to conduct our analysis in Moscow. Not only did forensics help prove that internal and external hackers were attempting to gain control over the bank; our expert data recovery also uncovered evidence of significant misreporting and parallel books. The result was that the purchasers sold the newly acquired entity at a loss of over half a billion USD.

Organizations that attempt to completely insource their IT and IT security have experienced epic failures: unnecessary costs, numerous inefficiencies, and failed deployments that are not aligned to business objectives. This often occurs through a phenomenon called groupthink: in the interest of collective harmony, thinking and decision making occur in a way that discourages responsibility and accountability. Completely insourced security also runs the risk of tunnel vision, defective sight in which objects, or threats to the organization, cannot be properly seen because the organization lives and breathes in a bubble or tunnel. However, in an interconnected world, no modern business, from SMBs to global enterprises, lives in a bubble. Global connectivity brings global threats and challenges right to the front door of your business.

Data has value. Just ask Google, worth roughly 101.8 billion, whether data is valuable. While responding to an organization that was suffering a data breach and outage from ransomware, an IT administrator said he couldn’t understand why they were a target. He stated that their business didn’t have anything of value. He was quickly reminded to look around, where hundreds of workers were unable to work, the business was completely paralyzed, and the owners were willing to pay the ransom to the hackers to get their business back online.

Facts and observations: the domain administrator’s password was “Password123”. After we provided a look of sheer disappointment, the IT administrator said, “What? Well…at least the password has a capital ‘P’ in it.” “Password123” is cracked in less than a second and is listed among the 50 most common passwords. Despite the company being paralyzed, the third-party IT company refused to assist the following day to restore the company, stating they had other clients they needed to attend to. It was also determined that the third-party IT company caused more damage to the business by tampering with the crypto keys and files, rendering servers and data useless. Company backups were never properly tested and failed to bring the business back online. Regardless of the size of your business or your industry, your business’ data has value. It is therefore critical to protect it. Information and knowledge are power. Cybercriminals clearly get it; so should you.
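Screening a privileged account’s password against a common-password list is the check the exchange above calls for. The following is an added example written for this article, not USI’s code or a tool they used: the blocklist and the sample accounts are constructed, the 14-character floor is an assumed policy for privileged accounts, and in practice the same logic belongs in a password-change filter or is run against password hashes rather than plaintext. It shows why a capital letter and a trailing ‘123’ do nothing: the check strips that padding and common character substitutions before comparing against the list.

```python
import re

# Constructed sample of common base words (a real deployment would load a
# full breach-derived list with millions of entries instead).
COMMON_BASE_WORDS = {
    "password", "qwerty", "letmein", "welcome", "admin", "iloveyou",
    "monkey", "dragon", "football", "baseball", "sunshine", "princess",
}

# Substitutions people use to dodge naive dictionary checks ("P@ssw0rd").
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Assumed policy floor for privileged (e.g. domain admin) accounts.
MIN_LENGTH = 14


def candidate_bases(candidate: str) -> set[str]:
    """Reduce a password to the 'word' it is built on.

    "Password123" -> {"password"}; "P@ssw0rd!" -> {"p@ssw0rd", "password"}.
    Leading and trailing digits/symbols are stripped because "word + 123"
    and "word + year" are the most common padding patterns.
    """
    lowered = candidate.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return {stripped, stripped.translate(LEET_MAP)} - {""}


def screen_password(candidate: str) -> list[str]:
    """Return the reasons a candidate fails the policy; an empty list means it passes."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.isdigit():
        reasons.append("digits only")
    hits = candidate_bases(candidate) & COMMON_BASE_WORDS
    if hits:
        reasons.append(f"variant of common password {sorted(hits)[0]!r}")
    if candidate and len(set(candidate.lower())) <= 3:
        reasons.append("too few distinct characters")
    return reasons


def audit_accounts(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each failing account to its reasons.

    Plaintext values are used only because they are constructed here; in a
    real environment this check runs when a password is set, or against
    hashes, never on a stored plaintext list.
    """
    return {name: r for name, pw in accounts.items() if (r := screen_password(pw))}


# Constructed sample accounts (not from any real environment).
SAMPLE_ACCOUNTS = {
    "CORP\\Administrator": "Password123",   # the case above: the capital P does not help
    "CORP\\svc_backup": "P@ssw0rd!",        # substitutions are undone before comparing
    "CORP\\jdoe": "correct-horse-battery-staple-2019",
}

if __name__ == "__main__":
    for account, reasons in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{account}: {'; '.join(reasons)}")
```

Running the script lists the two constructed accounts that fail; the Administrator entry fails on both the length floor and the blocklist, which is the point the IT administrator in the story missed.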

Aligning your organization with the right entities and people who really care about your business is critical. For example, we recently purchased a multi-function network printer/scanner/fax through a reseller. When staff set up the device, we learned that confidential data (to say the least) was apparently an added benefit of the purchase. The network printer was previously owned and operated by an IT company that provides IT and IT security services. They also recently won a government contract worth $85 million USD. Together with their strategically aligned partner, they publicly advertise and support the following government entities: Department of Homeland Security, Federal Bureau of Investigation, the Department of State, all branches of the Armed Forces, the Intelligence Community, the Joint Strike Fighter Program, and the Missile Defense Agency.

Today’s multi-function printers (“MFPs”) are on a different level than in the past. When documents are scanned or copied in bulk to an image, PDF, or other format, that information is written to the internal hard drive of the device, from which the MFP can produce as many hard copies as required. Printing works in a similar fashion: documents are queued and written to the device’s internal hard drive.

Besides copies of confidential material being written to the printer’s internal hard drive, a lot of other information is contained on these devices, e.g. networking information, computer/server information, user information, personally identifiable information (“PII”), work hours and internal worker activity, permissions, security control information, and much, much more.

Many companies rent or lease multi-function copier/printer machines for a period of time. What you may not realize is that a wealth of sensitive details is left available to whoever gets hold of the printer/scanner/copier’s magnetic media. Consider how an adverse nation state or a competitor could benefit simply by scooping up and acquiring these devices via a reseller or other means.

In order to help ensure that this incident wasn’t swept under the rug and that remedial actions were taken, we reached out to the CEO of the company. We stated that, as a courtesy, we would support the company in fully resolving the issue, and we inquired how they would like to move forward.

Considering that the subject of the communication to the CEO was marked “Security Incident / [Name of CEO’s Company]” and the body of the email contained specifics, we would have expected a better response from either the CEO or someone within the company. The CEO eventually responded, “Hi [Redacted], thank you for reaching out, but I’m not interested”.

Our experience stems from successfully deploying security for the highest levels of government (including for the President of the United States and foreign dignitaries), critical infrastructure, major events, and businesses ranging from small-to-medium sized businesses (“SMBs”) to global enterprise-class businesses. Our expertise includes deployments, managed services, and transformation of security across virtually all industries, regardless of the size of the business or whether it is a government.

Shareholders and senior executive leadership should be asking themselves how their cybersecurity is protecting the organization’s critical infrastructure and continuity, how it is being used to enhance resilience and increase productivity and efficiency, and what related products or services they are rolling out. Like all sources of risk, cybersecurity must be incorporated and addressed at the leadership level. A successful security program begins at inception, from the ground up. It aligns with and is infused into the business and becomes part of it. Leave the cybercriminals and the major impacts they cause to your competitors. Integrating the right people, suppliers, processes, controls and technologies is critical to your organization’s success. Like a high-speed bullet train with its innovative controls, a successfully integrated security program is more than just a business enabler; it is a differentiator, a competitive advantage, a force multiplier.

If your business wants to go fast, then let results-driven, trusted experts enable your business to reach its fullest potential by going beyond what was originally thought possible. Cybercriminals and malicious threat actors are ready to engage your business; are you?
