Everybody loves a juicy scandal. And what could be juicier than the Ashley Madison hack? Salacious secrets exposed, celebrities and government workers ensnared, CEO forced to resign. The media will keep this story front and center long after similar stories have run their course, and we’ll continue to read every gory detail.
But this time, perhaps, the greater good will be served if the story causes corporations to wake up to the potential consequences they and their stakeholders face in the aftermath of a cyber incident, although I worry that it won’t.
Why? It’s easy to pass judgment on Ashley Madison and its customers and think, “That can’t happen to my company. Our business is above board. We don’t have the kind of information that hackers want to exploit in that way.” But the reality is that the Ashley Madison breach isn’t an anomaly. It was entirely predictable and it happens to businesses of all shapes and sizes.
This type of breach is predictable for two reasons. First, everyone in your company from the CEO on down is human and fallible. We make mistakes, we don’t follow the rules, we let our guard down. And just to be clear, I’m not even talking about using an online service to arrange an affair. Who hasn’t used an employer-provided device to write a personal email, send a text message, take a picture, make a purchase, or visit a website that would result in some degree of personal or professional embarrassment if it were public knowledge? It’s not just the Ashley Madisons of the world whose data hackers can exploit to extort money. Beyond the scandalous, every business has confidential data it must safeguard – and if it’s worth spending money to protect, it’s valuable to some hacker, somewhere. Bottom line, your environment contains a host of data you don’t want exposed. Some of it you know about, some of it you don’t. But it’s there.
Second, when we’re not busy creating potentially embarrassing digital data, we do other foolish things. We click on links and open documents without really knowing where they came from. We act on instructions in emails without verifying their authenticity. We’re distracted; sometimes we’re careless. Human fallibility sinks us again. Every day, hackers exploit human weaknesses to break in undetected, quietly identify what’s worth stealing, and exfiltrate data, sometimes over the course of weeks or months without ever tripping a single alarm. You’re only as strong as your weakest link and, like it or not, the people in our organizations are sometimes that weak link.
In light of our human fallibility, what should really concern board members and the C-suite about the Ashley Madison breach is the bright light it shines on the truly arbitrary nature of hacktivism in general. Think about this incident: When an adversary has little or no financial motivation, but rather aims to embarrass and disrupt, there is very little one can do to prevent the ultimate consequences once the attackers have the data they’re after.
In this environment, it’s naïve to “wait and see” whether your company is a target. It’s even more naïve to assume your robust security posture won’t fail. Your company is a target. Your security will fail. No matter how much you invest in software, hardware and training (and you have to do all of these things), people are still running things and people are fallible. Somewhere along the way, mistakes will be made, hackers will exploit them, and there will be consequences.
You owe it to your stakeholders to prevent breaches and to prepare for inevitable moments of crisis. But equally important – and this next point is my personal crusade – you must proactively hunt for intruders and act aggressively to stop incidents in progress before they become major breaches.
There is simply no excuse for not “hunting”; being proactive when it comes to identifying intruders is no longer optional. Your cybersecurity strategy is woefully inadequate when you don’t.