Ideally, the modern Internet serves as the foundation supporting critical civilian infrastructure and trade worldwide. In this vision, it enables international commerce, facilitates access to information that supports all citizens, and provides a voice to those living in oppressive regimes.
However, the state of the Internet today is far from ideal. Countries harbor cyber criminals who caused $7 billion in damages to U.S. critical infrastructure in 2021. Repressive governments use ubiquitous Internet access to stifle citizen protest.
And enterprises lose an estimated $10 billion to $12 billion a year in stolen intellectual property from state-sponsored attacks.
The unfortunate truth is that the Internet today has become less free, more fragmented, and less secure since its creation, causing dramatic effects on enterprises around the world.
As a former active-duty military cyber officer, cybersecurity threat analyst, and now entrepreneur, I have sat on both sides of the digital conflict in this fragmented world. Recently, I had the privilege of joining the Council on Foreign Relations as it developed recommendations to confront reality in order to create a safer, more connected future for everyone.
We found that the main catalyst of a fractured Internet was that individual countries could increasingly control content flowing into and out of their borders, localize data, block and moderate content, and launch political influence campaigns. In between the cracks in these pools of authority exist large parts of the Internet that act as dark marketplaces for vandalism, crime, theft, and extortion.[1] This leads to a very different reality for the Internet than the open facilitator of trade and information.
What this means for businesses today is that customer, market, and product data are sources of geopolitical competition and cybercrime. This struggle over data is central to countries’ economic and national security, and it makes enterprises increasingly attractive targets for espionage, intellectual property theft, and extortion.
This is more than an enterprise, military, or government problem and requires a whole-of-nation effort to raise the bar on malicious actors. We have a shared reality, a shared risk, and, therefore, a shared opportunity. For enterprises, this means building cyber resilience into the digital ecosystem that enables your business to deliver value to your clients.
BUILDING CYBER RESILIENCE FOR ENTERPRISES
In my journey from a military officer on the digital front lines to a business leader responsible for the digital risk of hundreds of enterprises, I have taken away three key learnings applicable to all modern companies looking not just to manage this new fractured online ecosystem, but to thrive in it and help make it more resilient for all parties.
First, my time serving in uniform showed me that we cannot leave the job of defense to governments alone. Private enterprises must get better at coordinating our defenses than the bad guys are at coordinating their attacks. Last year, I wrote about how cybercrime networks operate more like a series of successful high-growth startups rather than gangs of thugs. Crimes like ransomware have been meteoric in their rise, and despite an increased effort to fight back from governments and the private sector, criminals will always innovate around our defenses to improve their margins. But it doesn’t have to be this way.
As defenders, we can do a number of things to throw sand in the gears of their business model by imposing costs on every illicit transaction they make. While we can often see criminals operate, it is harder to know who they are targeting or the tools they are using to break in. Sharing intelligence with actionable context between company technical teams is critical to being able to inoculate potential victims and make the criminals’ business model more expensive. As a cyber insurance provider, my firm, Resilience, passes along this intelligence to all of our clients, which helps reduce the frequency and severity of claims they may face.
Second, as a cybersecurity threat analyst, I have seen time and time again that the largest challenge for enterprises is driving security in their supply chain. The World Economic Forum found that “only 19% of cyber leaders feel confident that their organizations are cyber resilient.” Respondents surveyed not only cited their own risk, but 88% were also “concerned about the cyber resilience of small and medium-sized enterprises in their ecosystem.”[2] Attention-grabbing breaches of organizations such as FireEye, Toyota, Target, and the MLB were all due to breaches at smaller third-party IT vendors.
As an executive, it’s critical to think about the digital risk of working with all suppliers who manage your data. They should not only provide audited certifications but also demonstrate to their customers how they manage potential risks.
For example, your vendors should be able to show that they are conducting regular penetration tests, have a credible and experienced executive leading security, and are insured enough to weather a crisis like ransomware while continuing to serve your contract.
Finally, my time as an entrepreneur has taught me how to do more with less. Securing your own infrastructure in the face of economic headwinds may seem daunting, but across-the-board cuts can dramatically increase your risk. Companies that need to decrease the headcount in their IT or security teams face a difficult situation. If you remove people, their roles will need to be filled by digital tools that can help the remaining staff maintain efficiency. However, by trading personnel for software tools, you are increasing your enterprise’s digital attack surface and providing new systems for hackers to target.
One answer to the catch-22 of swapping IT experts for automated tools is to take a cyber-resilience approach to your digital defense. Cyber resilience posits that enterprises should balance investments in technical tools and cyber hygiene with insurance solutions that can transfer any risk that is too expensive to mitigate completely.
For example, tools that capture malware on laptops are a critical IT security investment that is made stronger when your staff has received email phishing training. However, if you are hit and incapacitated by a ransomware attack, insurance can pay for lost revenue (up to 24 days on average) until you can restore your systems from backup. By not trying to defend every asset, you end up with more resources to invest in protecting what matters most to your business.
We all are navigating a more fractured and dangerous Internet, but we can’t simply abandon the tremendous digital revolution it has driven for enterprises around the globe. Rather, we must adapt to this new reality by making smarter investments in managing our digital risk so that we continue to have the resources for growth and innovation. While I have seen both sides of this digital conflict and know the challenges ahead of us, I see the path to a better and more resilient future. With collaboration and a steady march toward cyber resilience, we’ll surely get there.
Vishaal “V8” Hariprasad is the CEO of Resilience and a cyber security executive with military, startup, and enterprise leadership experience.