Mark Sangster, VP and Industry Security Strategist at eSentire, recently authored "No Safe Harbor: The Inside Truth About Cybercrime, and How to Protect Your Business," the untold story of digital crime. Through real-life storytelling, the book argues that the key to changing the locks isn't in our computers but in our corporate culture, and that organizations need to shift the security discussion away from technology gates alone toward leadership, team behaviors, and mutual support.
To find out more about the book, and to gain a better understanding of cybercrime and cybersecurity in the world we live in today, VMblog reached out to Sangster.
VMblog: Why do companies fall prey to cybercrime?
Mark Sangster: Company leaders think: "We are a little business in the Midwest. We don't have anything worth stealing. How would some criminal in Russia or North Korea even know we exist?" But cybercriminals don't discriminate by employee count, revenue, or location in an NFL city. Through a long process of socialization, criminals have learned who pays ransoms and what data is worth stealing. When companies don't see themselves as a target, they don't invest in cyber protection and are exposed to cybercrime.
VMblog: Why did you choose to write the book for non-technical executives?
Sangster: Over the last five years, I've watched the volume of attacks increase and the tools and tactics of cybercriminals evolve and improve faster than the security industry can respond. I've seen too many good companies and good people fall victim to criminal adversaries. And it seemed that many of these attacks could have been prevented, or at least minimized. Companies were repeating the same cycle of false assumptions and a check-box mentality towards cybersecurity, resulting in a constant flow of damaging and expensive data breaches.
Worst of all, these companies were all suffering in silence, breaking a valuable chain required to provide vicarious learning and improvement. I realized the best way to get the word out was to tell the stories that never made the headlines, to expose the fundamental causes of cybercrime, to offer new ways of looking at the problem, and to start a conversation to help these organizations protect themselves from the next cyberattack.
VMblog: In the book, you use stories from outside of IT. How do these stories relate back to cybercrime?
Sangster: In the book, I use real-world stories from beyond the data breach headlines, including air crashes, oil drilling disasters, and architectural failures. Although they seem unrelated, they draw parallels that offer critical insights we often cannot see from our vantage point, nose deep in the mire of cyber budgets, resource constraints, and press and peers lining up to find a scapegoat.
These stories provide a neutral forum in which we can elevate the conversation above the trees to see the forest. Unpacking these stories illustrates that major events, including data breaches, occur as the confluence of multiple factors, and not a single point of failure. These stories create a dialog that focuses on what is responsible, not who is to blame. It's about changing the narrative from point-and-blame to seeking 360-degree accountability and continuous improvement.
VMblog: How is the world of COVID and the increased 'Work From Home' that we live in today affecting cybersecurity?
Sangster: The COVID-19 pandemic forced companies to support a distributed workforce en masse. This shift was par for the course in firms that had invested in remote security, including endpoint protection, virtual private networks (VPN) or software-defined perimeter (SDP) services that protect and limit remote access to critical business systems. Those companies that followed more of a firewall-encircled perimeter model (think the head office) were caught flat-footed and exposed to attacks that could operate on the employees' devices, free of security controls.
The pandemic also shifted protection from commercial-grade systems to consumer-grade internet routers, supplied through local ISPs. The technology is not as robust (nor would you expect it to be), but configuration vulnerabilities were left in the hands of non-technical employees. For example, many employee internet devices ran with factory-default administrative logins and unencrypted Wi-Fi networks. It's low-hanging fruit for criminals that wish to install collection scripts, snoop traffic and harvest credentials.
Many firms see COVID-19 as a once-in-a-century event. This is not true. We've seen other tectonic events that shifted the way we think about security. For example, the attacks on 9/11 demonstrated the need for off-premises operations to ensure business continuity. In 2012, Hurricane Sandy struck the Eastern seaboard of the US, flooding New York and Manhattan. It shut down and defeated the defenses put in place post-9/11. Back-up systems housed across the river in New Jersey were affected, along with the main facilities of banks and financial institutions. We needed to rethink continuity to provide protection against geographic disruption. COVID-19 is the final push into a virtual world. Now we assume data is stored in the cloud, accessed by remote workers, using distributed workloads. It means the perimeter has shifted from the office to the employee and the data assets themselves.
VMblog: How do you see cybercrime evolving over the coming year?
Sangster: Cybercrime is evolving in two ways. The first is from nation states or state-sponsored actors. While not declared enemies of the state, these grey zones seek to challenge the United States using means below the threshold of a hot war. As countries like Russia, China, North Korea, and Iran seek to destabilize the US and its allies, it's a murky world between war and peace. It's our generation's version of the 1950s Cold War, poised on the brink of nuclear annihilation. Their tactics are difficult to detect and even harder to attribute. What's worse is we see attacks from these grey zones on small and medium business, like the aftershocks of major geopolitical tectonic events. It means we face a nebulous adversary that does not distinguish between combatant and non-combatant. There is no such thing as collateral damage anymore. It's simply damage.
The second evolution is the growth of a criminal ecosystem that monetizes illicit technology, tools and tactics. Like Fortune 500 companies that buy best-in-breed technology and rely on specialists in their security field to protect their business, criminals are following the same business practices. Their cross-cartel alignments mean they sell malware-as-a-service, and expertise in initial infiltration, insider information, resale of stolen goods, and money (even cryptocurrency) laundering. Malware-as-a-service increases the efficacy of attacks, their nefarious reputation drives up ransoms, and collaboration reduces operational costs and time to market. As in, they are reducing their costs while increasing their revenue. That's profit by any definition.
VMblog: How can companies assess their risk?
Sangster: The first thing companies need to do is think about cybersecurity in terms of risk, not as an IT problem to solve. To do this, executives should:
- Seek expertise to understand threat trends and regulatory requirements
- Identify and understand the top risks facing their business through industry groups and government feeds
- Participate in incident response simulations and crisis communication training to ensure they are prepared to respond to a material cybersecurity event
- Participate in regular security awareness training sessions
- Conduct an annual risk assessment to identify the most likely cyberattacks, review recent litigation or insurance claims to understand liability and coverage limitations, and inventory special conditions or unusual risks associated with specific obligations to clients, partners, investors or employees
VMblog: Where can executives go for help building a cybersecurity program?
Sangster:
- The National Association of Corporate Directors (NACD) Handbook on Cyber-Risk Oversight
- The National Cyber Security Centre (NCSC) Board Toolkit
- The Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials: Leaders
VMblog: Finally, how can my audience get their hands on your book?
Sangster: No Safe Harbor is available through leading online print, digital and audio retailers like Amazon and Barnes and Noble. If you'd like to continue the cybersecurity conversation, you can reach me through my website mbsangster.com, or at mark@mbsangster.com.