
Cybersecurity: The Insights You Need from Harvard Business Review (contributors include Roman V. Yampolskiy)


DOCUMENT INFORMATION

Pages: 100
Size: 5.57 MB

Content (preview)

Insights You Need from Harvard Business Review

Business is changing. Will you adapt or be left behind? Get up to speed and deepen your understanding of the topics that are shaping your company’s future with the Insights You Need from Harvard Business Review series. Featuring HBR’s smartest thinking on fast-moving issues—blockchain, cybersecurity, AI, and more—each book provides the foundational introduction and practical case studies your organization needs to compete today and collects the best research, interviews, and analysis to get it ready for tomorrow. You can’t afford to ignore how these issues will transform the landscape of business and society. The Insights You Need series will help you grasp these critical ideas—and prepare you and your company for the future.

Books in the series include: Agile; Artificial Intelligence; Blockchain; Cybersecurity; Monopolies and Tech Giants; Strategic Analytics.

CYBERSECURITY
Harvard Business Review Press, Boston, Massachusetts

HBR Press Quantity Sales Discounts

Harvard Business Review Press titles are available at significant quantity discounts when purchased in bulk for client gifts, sales promotions, and premiums. Special editions, including books with corporate logos, customized covers, and letters from the company or CEO printed in the front matter, as well as excerpts of existing books, can also be created in large quantities for special needs. For details and discount information for both print and ebook formats, contact booksales@harvardbusiness.org, tel. 800-988-0886, or www.hbr.org/bulksales.

Copyright 2019 Harvard Business School Publishing Corporation. All rights reserved. No part of this publication may be reproduced, stored in or introduced into a retrieval system, or transmitted, in any form, or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior permission of the publisher. Requests for permission should be directed to permissions@harvardbusiness.org, or mailed to Permissions, Harvard Business School Publishing, 60 Harvard Way, Boston, Massachusetts 02163. The web addresses referenced in this book were live and correct at the time of the book’s publication but may be subject to change.

Library of Congress Cataloging-in-Publication Data
Title: Cybersecurity : the insights you need from Harvard Business Review.
Other titles: Cybersecurity (Harvard Business Review Press) | Insights you need from Harvard Business Review
Description: Boston, Massachusetts : Harvard Business Review Press, [2019] | Series: Insights you need from Harvard Business Review | Includes bibliographical references and index.
Identifiers: LCCN 2019013638 | ISBN 9781633697874 (pbk.)
Subjects: LCSH: Computer security. | Business enterprises—Security measures.
Classification: LCC QA76.9.A25 C924 2019 | DDC 005.8—dc23
LC record available at https://lccn.loc.gov/2019013638
ISBN: 978-1-63369-787-4
eISBN: 978-1-63369-788-1

Contents

Introduction: We’re All in This Now. Cybersecurity isn’t just for techno-futurists. By Alex Blau.
1. Internet Insecurity. If your mission-critical systems are digital and connected, they can never be made fully safe. By Andy Bochman.
2. Security Trends by the Numbers. The good news is that companies are stopping more attacks than ever. You can probably guess the bad news. By Scott Berinato and Matt Perry.
3. Why Boards Aren’t Dealing with Cyberthreats. Because they’re too busy focusing on areas they have expertise in, such as retaining talent and monitoring the regulatory environment. By J. Yo-Jud Cheng and Boris Groysberg.
4. The Behavioral Economics of Why Executives Underinvest in Cybersecurity. Leaders need to stop thinking about

Introduction
WE’RE ALL IN THIS NOW
by Alex Blau

The internet was once just an idea in someone’s head. A seemingly unfathomable future where everything and everyone would be connected, and where uninhibited flows of data and information would enable unprecedented advancements in communication, health care, transportation, automation, and commerce. And there would be robots, of course. The world in which we live today is not that far off from the imaginings of those futurists, and because of these technologies the ways in which firms and governments operate have fundamentally changed.

Embedded in these cyberpunk dreams were prescient warnings about the potential risks inherent to our interconnected world. Hackers, advanced artificial intelligence, and bad actors in the form of governments and megacorporations posed significant threats to the goings-on of everyday life. Even the most shining cyber utopia can have a sinister underworld.

Today, in our real world, the same technologies that brought so much good have created new and ever-shifting cybersecurity consequences for individuals, firms, and governments. These consequences range from the annoying task of coming up with new and complicated passwords following yet another data breach, to the uncomfortably real risks of a foreign adversary turning off streetlights, shutting down water treatment plants, or even taking over military infrastructure.

While managing risk has historically been assigned to experts and technicians, cybersecurity can no longer be delegated to a small set (or even a large team) of IT professionals. Instead, all of us, leaders across all aspects of business operations and government, need to understand how cybersecurity plays into our roles and responsibilities, and to keep up with the fluid nature of cybersecurity risks.

Cybersecurity will help non-experts quickly gain a foundational understanding of the cybersecurity domain. This book covers a number of critical topics that will aid any reader in becoming conversant in current and future cybersecurity issues relevant to your role, organization, and industry, and in understanding how you are both part of your organization’s security problem as well as a key player in identifying and managing solutions.

In more and more industries, the gathering of data and digital information on nearly everything, especially customers, is at the center of business operations and strategy. But while petabytes of data can improve operational efficiency and open new opportunities, those larger amounts of data also expose individuals and firms to potential losses. Cyberattacks and data breaches are commonplace, increasing in volume, and becoming costlier by the year. Despite our growing capabilities to thwart most attacks through improvements to security technology and cyber hygiene, targeted breaches have not declined. We need to revise our expectations about our ability to mitigate these risks and accept that breaches are all but inevitable. As customer data becomes more valuable to hackers, and as governments enact regulations that penalize firms for customer data breaches and loss, nearly all firms that have an internet presence and collect information from their customers face increased risks—it’s not just about banks and financial service organizations anymore.

This new paradigm requires a different way of thinking, and this book is designed to help non-technical leaders, including executives, board members, and managers in roles ranging from design and marketing, to human resources and accounting, get up to speed on the current state of the field. Cybersecurity introduces the basics while going deeper into a set of topics including board and executive involvement, investment and decision making in cybersecurity; the importance of addressing human factors in cybersecurity and why all team members need to play a role; communications and response best practices in the wake of data breaches; active defense and the ethics of “hacking back”; the emerging value of privacy in cybersecurity; cybersecurity considerations for

Index

boards of directors
  cybersecurity and, 39–48, 69
  lack of expertise on, 44, 46
  recommendations for, 46–47
Bochman, Andy, 1–22, 101–102, 110
Bostrom, Nick, 142. See also artificial intelligence (AI)
Bourdon, Bill, 93–100
brain-computer interfaces, 144. See also artificial intelligence (AI)
breaches. See data breaches
Buffett, Warren, 69
Burt, Andrew, 117–124, 125–130
business disruptions, 36. See also trends, in cybersecurity
business exposure, 61–62, 64–65. See also risk management
calendar commitments, 77–78
Cambridge Analytica, 127. See also privacy
CCE. See consequence-driven, cyber-informed engineering (CCE) methodology
Cheng, J. Yo-Jud, 39–48
chief executive officers (CEOs), 9, 18–19, 52–53, 55, 60–66. See also C-suite
chief financial officers (CFOs), 61. See also C-suite
chief information officers (CIOs), 61. See also C-suite
chief information security officers (CISOs), 53, 54, 61, 62–63. See also C-suite
chief operating officers (COOs), 18–19. See also C-suite
chief risk officers (CROs), 61, 62–63
chief vulnerability officers, 64
China, 132, 134–137
CIE. See cyber-informed engineering
Cisco Systems, 46, 135
Citrix Systems, 135
cloud computing,
Cold War 2.0, 135
consequence-driven, cyber-informed engineering (CCE) methodology, 12–19
  generating mitigation and protection options, 17–19
  identifying crown jewel processes, 14–15
  illuminating likely attack paths, 16–17
  mapping digital terrain, 15–16
  overview of, 12–13
consequence prioritization, 14. See also risk management
Cook, Tim, 118, 120–122
Coreflood malware, 113, 114
credit card data, 29–30
criminal syndicates, 1, 20, 60
critical infrastructure attacks, 27
C-suite
  accountability of, 98
  cyber risk metrics and, 59–66
  mistakes by, following data breaches, 93–100
  risk agility and, 70
customer data, xiii–xv, 29–30
customers, failure to notify, following breach, 94–95. See also data breaches
customer service, 95–96. See also data breaches
customer trust, 117–124
cyberattackers. See hackers
cyberattacks, xiii
  AI-enabled, 141–142
  common targets for, 29–32
  containment of, 63–64
  cost of, 4–5, 26, 33–37, 46, 62, 73–74
  defenses against, 69–70
  detection of, 63
  high-profile, 9, 60, 70
  increase in, 1–2, 7, 24, 27, 60, 68–69
  mistakes following, 93–100
  pathways for, 31
  preparation for, 63, 68–72
  simulated, 64
  success ratio for, 27–29
  threat of, 46–47
  trends in, 23–37
  See also data breaches
cyber hygiene
  approaches to, limitations of, 7–11, 101
cyber-informed engineering (CIE), 12
cyber risk, 68
  C-suite and, 59–66
  exposure to, 61–62
cyber safety culture, 19–20
data, xiii
  big, 126
  credit card, 29–30
  customer, xiii–xv, 29–30
data breaches, xiii, 122
  contingency plans for, 44
  cost of, 73–74
  danger of, 126, 128
  detection of, 6–7
  high-profile, 9, 70
  mistakes following, 93–100
  notification laws, 95
  preparation for, 19–20
  top sources of, 31, 32
  trends in, 23–37
  underreported, 70
  See also cyberattacks
data encryption, . See also cyber hygiene
data privacy, 120, 125–130. See also privacy
data protection, 117–124
data security, xiv–xv, 118
default options, 77
Denning, Dorothy, 103–105, 107–109, 112–115
digital technologies
  benefits of,
  complexities of, 6–7
  mapping, 15–16
  reducing dependency on, 12–21, 36–37, 110
  susceptibility to cyberattacks,
  vulnerabilities of, 5–7
Disparte, Dante, 67–72
emotional appeals, 51–52. See also investment, in cybersecurity
employees
  bad habits of, 73–83
  comparing with peers, 78–79
  cyberattacks by, 70–71
  feedback for, 79–80
  interaction between IT department and, 90–91
  internal security tests for, 89
  simple rules for, 85–92
  training, 67–72, 73–83, 88–89
  trusted, 18
  as weakest link, 54–56, 68, 85–86
energy companies, cost of cybercrime for, 35
Equifax, 2, 74, 94, 96–98
ethics
  of active defense, 111–115
  of hacking back, 111–113
executives. See C-suite
external threats, 28, 46, 55
Facebook, 120, 127
failures, cybersecurity, 143–144. See also data breaches
Federal Information Security Modernization Act (FISMA), 50
feedback systems, 79–80
financial decision makers, appealing to emotions of, 51–52
financial impact, of cyberattacks, 4–5, 26, 33–37, 46, 62, 73–74
firewalls, 8, 50
foot dragging, 94–95. See also data breaches
foreign adversaries, xii, 1, 11, 20, 60, 131–132
Furlow, Chris, 67–72
future world, xi–xii
General Data Protection Regulation (GDPR), xiv–xv, 61, 95
German Federal Intelligence Service (BND), 134
Germany, 33, 132, 134, 136
Google, 120, 136
governments, trade policies of, 131–139
Groysberg, Boris, 39–48
hackers, xii
  end goals of, 14
  external, 28, 46, 55
  internal, 27, 55, 70–71
  sophisticated, 10–11
  types of, 27, 28, 60
  understanding mindset of, 19
hacking back, 101–116
hardware
  inventory of, 8,
  mapping, 15–16
Hogg, Jason J., 59–66
Home Depot breach, 70
Huang, Keman, 131–139
Huawei, 136–138
human behavior, as biggest cyber threat, 74–76, 85–86
human-centered defenses, 68–72
IBM, 74
Idaho National Lab (INL), 2, 3, 12–19
ideas42, 51, 76
incident-response plans, 63–64, 95
industrial companies
  boards of directors of, 44
  threats to, 3–5
industrial control systems, 2–3
information
  cost of losses, 36
  withholding, 94–95
  See also data
information security regulations, xiv–xv, 61, 71
infrastructure sector, threats to, 3–5
internal threats, 27, 55, 70–71
international trade, 131–139
internet, xi, 1–22
internet of things, 5, 132
investment, in cybersecurity, 24, 35–37, 67–72, 74. See also underinvestment, in cybersecurity
Iran, 11, 132
issue, cybersecurity as ongoing, 50–51
IT departments, 90–91
IT industry, 44
Johnson, Simon, 131–139
Kaspersky Lab, 134
Lee, Robert M., 103–105, 107, 109–110
Lin, Patrick, 110–111
LinkedIn, 137
Lockheed Martin, 16
Lysne, Olav, 118–120, 122
machine learning, 5, 71, 126
Madnick, Stuart, 131–139
malware, 2, 74, 103, 108–109, 110, 113, 132
Mao Zedong, 106
Marriott breach, 128
Mayer, Marissa, 95
McAfee, 135
mental models, 50–53
Mirai malware, 74
mission-critical systems, security for, 2–3
mistakes, following data breach, 93–100
mitigation measures, 17–19
Moore’s Law, 69
multi-factor authentication, 87
My Friend Cayla, 132, 134, 136
Natanz nuclear facility, 132
National Institute of Standards and Technology (NIST), 8, 50, 87
national security, 2, 118–119
National Security Agency,
nation-states, 1, 11, 60, 131–132
NetBotz, 134
North American Free Trade Agreement (NAFTA), 136
North Korea, 5, 20
NotPetya malware, 2, 4,
oil companies, 2, 11, 14
Opower, 78–79
organized crime, 1, 20, 60
orthogonality thesis, 142
overconfidence, 53–54. See also underinvestment, in cybersecurity
passive defense, 105
password policies, 86–87
passwords, xii,
penetration testing, 55
Perry, Matt, 23–37
personal information, 29–30
Petya malware, 74
phishing attacks, 80, 86, 88–89
Phishme, 80
Plan B, 20. See risk management
planning, scenario. See risk management
PlayStation Network (PSN) breach, 97, 98
policies, cybersecurity, 86–87
Ponemon Institute, 7, 26
present bias, 78. See also employees, bad habits of
privacy
  cybersecurity and, 125–130
  regulations, 122
  rights, 120, 128–129
protection measures, 17–19
psychology, 50, 75–76
public sector
  attacks on, 28
  cost of cybercrime for, 35
ransomware, 27, 60, 110–111
regulations, xiv–xv, 61, 71, 95, 122
return, on cybersecurity investment, 49–50
risk agility, 69–70
risk management, xii, 51, 69
  CCE methodology for, 12–19
risk metrics, 59–66
ROI. See return, on cybersecurity investment
Russia, 5, 20, 132, 135, 137
SANS Institute, 8, 11
Saudi Aramco, 11
scenario planning. See risk management
Securities and Exchange Commission (SEC), 94
security patches, 8–10, 75–78
security policies, 86–87
security technology, 68, 71, 74, 75
security trends, 23–37
senior executives. See C-suite
sense something, something, 70. See also employees, training
Shamoon virus attack, 11
social proof, 78–79
software
  inventory of, 8,
  mapping, 15–16
  trust and, 117–124
  updating, 8–10, 75–78
  vulnerabilities of, 117–118
Sony, 97, 98
Sony Pictures, 60
staff, cybersecurity, . See also employees
Strawser, Bradley J., 104, 112
Stuxnet attack, 132
success metrics, 53
superintelligent AI (SAI) systems, 143–144
SWIFT banking hack, 70
Target breach, 70, 73–74, 94
targets
  commonly compromised, 29–30, 32
  identification of, 14–15
  likely attack paths for, 16–17
  multiple, 31
  vulnerability of, 28
teachable moments, 88–89. See also employees, training
technological innovations, xi–xii, 75
technology, 68, 71, 74, 75
Telegram, 136
terrorist groups, 1, 20
threats, xii, xv, 1–22
  current, 3–5
  danger of, 46–47
  external, 28, 46, 55
  human, 68, 74–76
  increase in, 5–7, 60, 69
  internal, 27, 55, 70–71
  sources of, 68
  understanding, 61–62
top executives. See C-suite
trade policy, 131–139
training, 67–72, 79–80, 88–89
transparency, 60, 96–97
trends, in cybersecurity, 23–37
tripwires, 17, 68
trust, 117–124
Ukraine,
underinvestment, in cybersecurity, 49–57. See also investment, in cybersecurity
understanding, cybersecurity, xii–xv
unintended inferences, 126–128
United Kingdom, 137–138
United States
  cost of cybercrime in, 33
  trade policy and, 132, 134–135
U.S. economy, 1,
user behavior, 73–83. See also employees, training
user data, 29–30
utility companies
  best practices and, 9–10
  cost of cybercrime for, 35
Van Horenbeeck, Maarten, 85–92
Verizon, 25, 68, 86
vulnerabilities
  assessment of, 62
  of digital technologies, 5–7
  software, 117–118
WannaCry malware, 2, 4–5, 74
Whole Foods breach, 95
Yahoo breach, 68, 95, 96, 128
Yampolskiy, Roman V., 141–145

Posted: 14/07/2020, 10:00
