Dr. Paul Michael Viollis

CEO | Risk Control Strategies

The Chief Executive’s Duty to Protect

The phrase “cheap is expensive” was immortalized after a nationally recognized professional association fell victim to an organized crime group, compromising the investment information of four of their accounts. This […]

The phrase “cheap is expensive” was immortalized after a nationally recognized professional association fell victim to an organized crime group, compromising the investment information of four of their accounts. This was shortly after said nationally recognized professional association implemented a sub-par cybersecurity platform.

From one chief executive to another, I sincerely suggest you embrace the business case used by organized crime hackers and those housed within your own organization. The electronic intrusion business plan brings a momentous value proposition and an even stouter return on investment (ROI) and all because, for the most part, we still don’t get it. The focus is on financial/proprietary data that has rudimentary protection boundaries and, once identified, move to exploit the weakness. The beauty of this “stick and move” approach is that it crosses all vertical markets and requires limited effort and investment. Hence, the ROI is magnanimous; over $100 billion annually of reported losses coming from 1.5 million victims per day.  This obviously begs the question, how? Well, several reasons.

The Big Mistake

Corporate leaders place 100% of our shareholder value in the hands of IT (f/t and contract) without conducting thorough background investigations on them and most importantly, without understanding the gross disparity between an IT professional and a cybersecurity professional (CSP). Anecdotally, the non-law enforcement IT person implements complex passwords to safeguard against hacking (so difficult that most of your staff write them down or tape them underneath their keyboard) and the cyber pro uses real-time counter-terror intelligence to fortify your environment. That said, it is imperative to remember the IT professional plays perhaps one of the most critical roles within any organization regardless of the vertical market. This professional makes it possible for businesses to function in every sense of the word. Without them, companies cease to exist. They are that important. However, they are not typically trained in cyber terror tactics or have experience investigating cyber organized crime. Hence, they don’t characteristically have the skill set to identify the most advocated methods of attack. Enter the CSP. This is the person you want to assess for vulnerabilities and assist in formulating and implementing your internal and external procedures. Further, for those that are part of that 1% that our friends with Occupy Wall Street still talk about, the CSP will be able to deploy a similar system to protect your family and your wealth from the same organized crime groups. Important to remember, the ‘data harvesting’ and ‘ghosting’ that has been spreading in 2013 routinely occurs at a person’s home in addition to the business environment. Ideally, the CSP’s skill set will augment that of your internal IT professional to ensure the cyber-criminal won’t use your own IT environment as a weapon of mass disruption.

” … it is imperative to remember the IT professional plays perhaps one of the most critical roles within any organization regardless of the vertical market.”

The Intruders’ IQ

The brilliance of the players and their financial opportunity can’t be understated. Clearly sitting in the  No. 1 spot is the Russian Mafia; it is behind approximately 40% of cybercrime. It is intellectually without peer, well-funded, and completely fixated on vulnerable corporate entities, the affluent, and those who house their financial information. Why? Because it’s minimal if any risk and maximum return; not a bad business model. The Triad in SE Asia/the Chinese are exceptionally good but their focus appears to be more middle socio-economic as well as government infrastructure. Then, of course, we have decentralized al Qeida cells looking for a revenue stream and various groups in Iran, India, and Mexico.

Paul-Viollis-Op-Ed-1The Threat Within

Last but certainly not least are those you employ (59% of ex-employees admitted to stealing company data prior to leaving previous jobs) who are driven by corporate espionage, revenge from being passed over, or simply a soft version of workplace violence with the end result to crush your business operations and brand.

One thing to remember about all of them is out of all the bank fraud cases, 68 percent were declared unrecoverable. Not good news!
That said, the following are the top five trends anticipated on this subject for 2014:

  1. An increased threat from players such as the Russian Mafia, al Qaeda, Iranians, Mexican cartels, and the Triad
  2. Incorporation of cyber intelligence into business forecasting and budgeting
  3. An increase of biometric technology for access control to desktops and laptops
  4. An increase in the investment of more thorough internal processes post vulnerability assessment
  5. An increase in social media being used as a point of entry (e.g., approximately 600,000 Facebook accounts are compromised daily)

In sum, the solutions are neither problematic nor expensive. Yet, most won’t embrace them because we, as corporate leaders, still don’t think this will happen to us and won’t invest to identify current and probable vulnerabilities. In fact, most will read this, call your internal IT professional, and once they assure you that “you are good” (as if you would have your accounting department audit itself) you will move past this. Key word here: Fiduciary.

Embrace this criminal business model with the understanding that the power of intelligence fuels counter hacking initiatives that allow us to block advanced denial of service attacks from the outer markers in lieu of exposing your brand to criminal penetrations.  Invest in identifying cyber related vulnerabilities preemptively because it stands to reason that you simply can’t implement the appropriate technology in your organization or your home unless you know who you need to protect yourself from. Remember, cheap is expensive!