The curse of the Black Swan: little events that have big security impacts

What happens if you can’t see that your company’s data has been stolen until it turns up in someone else’s portfolio? It’s not always the highly visible events that are the catastrophe.

It is easy to perceive the value of physical property. Physical property can be touched, seen, evaluated in the light of day. But today’s world, to borrow a phrase from Winston Churchill, is defined by “the empires of the mind”. The empires are arrayed in an almost infinite combination of ones and zeroes and these ones and zeroes are constantly flowing around the globe reassembling in distant places as cars, air conditioners and business plans.

It is intellectual property, everything from the schematics for a tractor to the vast troves of customer information, that matters most to companies today. But the physical mindset still governs when it comes to protecting this kind of property and as long as it does, this valuable property will be at risk because appropriate resources aren’t being dedicated to its protection.

If someone were to break into a room filled with a company’s paper files and walk out with the lot, not only would alarms be raised company wide, but aggressive damage control would be immediately enacted. Does the same thing happen with the loss of data? Perhaps it does, if the breach is big and bold enough and the material is sensitive enough, but the physical analogy actually falls down here. Why? Because without a detection and response regime in place, data theft can happen silently and only be discovered months or even years later, if at all.

The rise of bring your own device (BYOD) and cloud, as well as the ongoing openness of most organisational networks to third-parties like contractors and temporary workers, means that without a comprehensive understanding of information security and a place for cyber security at the boardroom table, company blueprints and corporate intentions are finding their way to those who know how to capitalise on them.

They are being ‘shanghaied’ into service for others. But unlike the shanghaied sailors of the 19th century, intellectual property ends up doing double duty, serving two masters, both the creator and those who have stolen it. David Irvine, ASIO’s director, has said that corporate networks were a target for “foreign cyber sleuths seeking to steal Australia's secrets” and it is widely known that corporate targets often outnumber defence and government agencies in the frequency of attacks.

In other words, most corporate and organisational management has been groomed to think in terms of the data theft catastrophe – the ‘Big One’. However, often there may be no catastrophic overnight failure and the CEO may avoid the dramatic headlines of a breach, but the business has been damaged just the same. It seems to be slower off the mark. Your best and brightest just can’t seem to deliver something better, faster and cheaper than what is already shipping from the seaports of our great trading partners. There is an invisible drag on what should be your competitive edge. That is data theft today: A silent productivity killer.

The standard CEO patter when a breach is discovered is that it was a “highly sophisticated attack” that “could have happened to anyone”. This is a cop-out. Not only does it reveal a defensive corporate posture but also a staggering ignorance of the value of data and the way data theft really works.

The current mindset is unequipped to deal with a world in which data determines competitive advantage and unscrupulous parties – often state-sponsored – can steal that data undetected.

When it comes to cyber security, CEOs and corporate management often think they are waiting for the so-called ‘Black Swan’ event – the one-off, low probability, high-impact occurrence. But the Black Swan is just the decoy that lulls us into a false sense of security. By focussing on the Black Swan, you will wrongly think that security is about insurance and as a result, bottom line considerations like ROI will always be framed within that context. After all, that’s how you handle Black Swan events like an office fire or flood. At worst, security is seen as a tax on growth and shortcuts are taken.

It’s far better to think of your intellectual property as a powerful magnet that is constantly attracting those who would take commercial advantage of it, preferably without you ever discovering or interrupting this theft and use.

Here is a case that we recently encountered that illustrates the point: The executive of a major earthmoving company recounted how he was surprised (stunned is the better word), when he came up close with a counterfeit product on a visit to China. The product? A tractor. The problem? He, the executive of the company that had designed this product, could not for the life of him tell the difference between the tractor that his company had made and the counterfeit.

This wasn’t old-time, reverse engineering counterfeiting, the kind of easily detectable counterfeiting you often find in the pharmaceutical market (sugar, a pill press and cheap blue dye). No. This was ‘empire of the mind’ counterfeiting. The counterfeit tractor was the same right down to serial numbers and the paint. This product plugged neatly into the company’s supply chain. Every element, every detail, every bit of intellectual property had been tapped to make this tractor – in essence, that entire file room, crammed with all the design specifics, had gone walking off.

Moreover, the thieves didn’t want to be detected. They didn’t hack for notoriety. They wanted to slip as smoothly and seamlessly into the company’s inventory and sales and marketing machine as possible. They were data thieves and brand parasites.

This new brand of counterfeiter’s relation to a company’s data is symbiotic. In the case of the tractor, their goal was to export to buyers around the world who would buy without ever suspecting that the product hadn’t been manufactured by the company who had designed it.

Clearly there had been a security breach, but neither the executive nor anyone on his team had known about it until the evidence was staring him in the face. The funny thing is that, even after the fact, the team had trouble figuring out the problem. In fact, when we spoke with them, albeit in a casual conversation, their IT security person didn’t connect the critical dots. While the plans for the tractor were only kept on the core systems, the company’s CEO and many others had access to these core systems through their various devices and this didn’t register as the problem, even though it should have been obvious to any security expert that a network-connected device was the likeliest point of entry.

So how do you shift the mindset of your organisation so that data security gets the funding it needs? The simple answer: You need to take your company’s management on a journey.

Make the value of data as ‘physical’ as possible

This shouldn’t be too hard given the rise of big data and the growing understanding that many organisations not only own valuable IP of their own creation but also possess troves of raw information that might have massive value to themselves and their competitors. Draw connections that show the value of the data the company owns. For example, a retailer’s annual sales data contains metrics that, in the wrong hands, could be the difference between a profitable quarter and a loss – in a fiercely competitive world, the advantage of data mining is lost if your competitor gets hold of that data.

Give accountability for data and information management back to the people who own the data – the boardroom

Too often we are told by senior decision makers that they don’t understand information security so they delegate that comprehension to somebody who does. The problem is that if you can’t understand information security, you cannot manage it. However, senior management should and must be able to understand today’s security parameters and needs.

Use readily understandable analogies to drive this understanding

Often, critical tech intelligence is hidden behind impenetrable tech speak. If the issue is the inherent and attractive value of your organisation’s data, then start with the analogy of a house. Engage your management by having them describe all the ways that a determined burglar might get into a house. Then, draw the connections to all of the points of exposure in your organisation (personal devices, laptops, contractors, disgruntled employees). What reduces the chance of break-in by another person at your house is the gravel path, the sound of breaking glass, the barking dog, the alarm, the nosey neighbour – and, most of all, the likelihood of a rapid response to these cues that something is wrong.

Build on this analogy and the fact that threats, while targeted, should be seen as pervasive

No matter how good the wall built around a house is (next-generation firewall, anyone?), if there is no holistic understanding of security that involves detection and response (in effect, manning that wall), then IP will remain vulnerable. Ultimately, the security of your information systems needs to be fought for until that shift in the boardroom mentality occurs. Don’t let the Black Swan be a distraction when your valuable IP could be walking out the door today without anyone knowing.

Carlo Minassian is founder and CEO of Earthwave Corporation.
