The Cost of Cyberattacks: Minimizing Risk, Minimizing Damage
Most of us view the internet as a useful and benign tool. But in many ways, it’s more like walking down a dark alley. Knowing how to reduce the cost of cyberattacks is important for anyone who uses the internet today.
See Minimizing Damage from Cyberattacks with Stuart Madnick for a complete transcript of the Easy Prey podcast episode.
Stuart Madnick has been a faculty member at MIT since 1972. He is the John Norris Maguire Professor of Information Technologies at the MIT Sloan School of Management, and was the founding Director of Cybersecurity at MIT Sloan. He has been involved in cybersecurity since 1974, and has authored or co-authored over 380 books, articles, technical reports, and textbooks.
The Risks of Everyone Being Online
Cybersecurity concerns started to pop up even before the internet. People would exchange floppy disks, and sometimes something bad might come along for the ride. During the dot-com boom in the late 1990s, everybody was connecting their computers to the internet. No one was thinking about the cost of cyberattacks then, but they started discovering things happening to their computers.
The problem with everyone and everything being online is that people trust the internet. There isn’t much awareness about the risks of being online or the cost of cyberattacks. The internet was never designed to be secure, but logging into your email doesn’t inspire the same feeling of danger as walking into a dark alley. We aren’t warned about the perils.
Going down a dark alley at night probably makes people cautious, but connecting to the internet doesn’t have that same scary feel about it.
Stuart Madnick
Industrial settings understand safety. If you go to a modern manufacturing plant, you’ll probably see a sign over the door saying, “550 days since the last industrial accident. Don’t be the one who resets this to zero!” When is the last time you went to a data center and saw a sign that said, “50 milliseconds since the last cyber attack”? In manufacturing, you hear about safety all the time. When it comes to cyber attacks, we have nowhere near that awareness.
The Internet of Things
With the Internet of Things, or IoT, every device is a “smart” device with a computer in it. Stuart recently bought a smart toothbrush. It’s a toothbrush with a computer in it, and it sends messages back to his phone telling him how well he is doing at brushing his teeth. He used to joke that everything will have a computer except a brick, and then someone showed him an article about smart bricks. Internet-connected objects are everywhere now.
Not only was the internet not designed with security in mind, your toothbrush probably wasn’t, either. Who worries about the security of your toothbrush? But everything connected to the internet is at risk of cyber attack, even your toothbrush. The newer ones are especially at risk, because people are less likely to think about security. There have been attacks on smart TVs before. No one thinks about the cost of cyberattacks on their television or toothbrush.
Every device on the internet is a candidate for cyber attack.
Stuart Madnick
Can You Avoid a Cyber Attack?
Unfortunately, there are a limited number of things individuals can do to avoid being targeted by a cyber attack. Most of our vulnerabilities come through services that we use. Most of the things we can do are things most of us have at least heard about – like if you get an email from a Nigerian prince, don’t click any links. (Stuart has heard that 1-3% of people still fall for that.)
A more likely kind of cyber attack to fall for is spear phishing. The con artist uses your information – either public information (like from your Facebook account) or from accessing your computer – to target you specifically. A common example is a CFO who gets a fake email from the CEO telling them to make a transfer to this account because it’s part of a big deal the company is making. If the scammer knows the CFO and CEO had dinner on Wednesday and starts the email with, “It was great to have dinner with you and your wife last Wednesday, we should do that again soon,” it seems real.
Spear phishing is so dangerous because it’s realistic and plausible. A technology expert was in a meeting with an investigative reporter who discussed spear phishing. To demonstrate the point, the reporter told the expert that he was going to be the target of spear phishing attempts for the next week. By the end of the week, the expert had fallen for at least one of them.
If a technology expert who was aware of the cost of cyberattacks and how to spot them fell for one, even though he was warned ahead of time, chances are the rest of us will fall for one at some point, too. Don’t feel bad if you do. Better people than us have fallen for scams. It’s also important to think about your plan if you do fall for one. Chances are good you’re going to fall for a cyber attack eventually, so what’s your plan to reduce the cost of cyberattacks?
Consider the possibility that no matter how cautious you are, you’ll fall for something. How do you minimize the damage?
Stuart Madnick
How to Minimize the Cost of Cyberattacks
Cybersecurity is not just about making sure the attack doesn’t happen. It will happen. Cybersecurity is also about what you will do when it happens. For instance, someone got into your computer and stole or corrupted all your data. What’s your plan? If you back up your data regularly, you can restore from your backup and lose very little.
Reducing the cost of cyberattacks is a lot like buying fire insurance. You don’t want to have a fire, but if it does happen, you’ll be glad for that insurance. We have to realize that bad things can happen, but we can take steps to minimize the damage.
When making your plan, think beyond your data. What if something happens to your whole computer? If the power goes out, the moment you’re sitting in the dark isn’t the moment you want to discover your flashlight batteries are dead. There’s a laundry list of things you can do, but keep it simple. Imagine something has happened. What’s your contingency?
Corporate Cyber Attacks: Behind the Headlines
When a cyberattack happens, there’s always more to the story than the news reports. People like to read simple, straightforward stories, and companies want to minimize the reputational cost of cyberattacks. You’ll hear that the cyber attack happened because someone forgot to update software or someone misconfigured a firewall. The impression is that an individual was sloppy or made a minor mistake.
Stuart and his team at MIT research cases like this in depth. Almost no major cyber attack happened because of a single mistake. You can’t steal millions of dollars or Social Security numbers with just one mistake. It’s like a robbery: The thief may break down the door, but they still have to find the safe and unlock it to get to the valuables. There are a lot of steps, and accidentally leaving the door unlocked doesn’t guarantee they can get into your safe.
Case Study: The Equifax Breach
In the case of the Equifax breach, Stuart identified eighteen management indecisions that led to the breach. These were situations where management made important decisions without stopping to consider the consequences.
In one example, Equifax had intrusion detection software that monitored network traffic for anything suspicious. In order to do its job, it needed security certificates. Those certificates expired nine months before the breach was discovered, so the system did nothing for nine months. (Once the certificates were renewed, all the alarms went off.)
Equifax had thousands of different certificates, and keeping them up to date was a manual task. There was a proposed system that would monitor all the certificates and send an alert when one needed renewing, but it would take time and effort to implement. Someone in management decided that implementing that system wasn’t that important, and so it was nine months before anyone realized the intrusion detection system wasn’t working.
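The monitoring system described above is simple in outline. As an added example (not the article’s or Equifax’s own code), here is a minimal Python monitor over a constructed certificate and sensor inventory; it checks certificate expiry and also whether each detection sensor has actually emitted anything recently, because a sensor that silently does nothing is exactly the failure the article describes. All names, dates and thresholds are constructed for the example.

```python
# Added example: a minimal expiry-and-silence monitor. Inventory, names and
# dates are constructed; nothing here comes from the article or from Equifax.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Cert:
    name: str
    not_after: datetime  # expiry date, i.e. the certificate's notAfter field


@dataclass
class Sensor:
    name: str
    last_event: datetime  # most recent alert or heartbeat the sensor emitted


def check_certs(certs, now, warn_days=30):
    """Return (name, status, days) for each certificate that is already expired
    or will expire within warn_days. Healthy certificates are omitted."""
    findings = []
    for c in certs:
        remaining = c.not_after - now
        if remaining <= timedelta(0):
            findings.append((c.name, "EXPIRED", -remaining.days))
        elif remaining <= timedelta(days=warn_days):
            findings.append((c.name, "EXPIRING", remaining.days))
    return findings


def check_silence(sensors, now, max_quiet_days=7):
    """Flag sensors that have emitted nothing for longer than max_quiet_days.
    A quiet sensor may simply be broken, which is what an expired cert caused."""
    return [(s.name, (now - s.last_event).days)
            for s in sensors if now - s.last_event > timedelta(days=max_quiet_days)]


def run_checks():
    """Constructed inventory: one inspection certificate lapsed nine months ago
    and the sensor that depended on it has been silent for exactly that long."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    certs = [
        Cert("ids-tls-inspection", now - timedelta(days=270)),
        Cert("web-portal", now + timedelta(days=10)),
        Cert("vpn-gateway", now + timedelta(days=400)),
    ]
    sensors = [
        Sensor("ids-core", now - timedelta(days=270)),
        Sensor("firewall-logs", now - timedelta(hours=2)),
    ]
    return {"certs": check_certs(certs, now), "silent": check_silence(sensors, now)}


if __name__ == "__main__":
    for key, rows in run_checks().items():
        print(key, rows)
```

Both checks matter: the expiry check alone would have caught the lapsed certificate, but the silence check catches any cause of a dead sensor, not only this one.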
That’s just one of the eighteen management indecisions that led to the breach. You can read about all of them in the full article in the MIS Quarterly Executive journal.
Another problem that Equifax had was that security and IT were completely separate. They didn’t even report to the same people. You may read in the headlines that a security patch wasn’t applied and assume someone just forgot to apply it. In reality, the people who knew about the patch and the people who could apply the patch were two different groups of people. The ones who were supposed to apply the patch didn’t forget – they were never told.
Corporations tend to move slowly. The good guys are getting better, but the bad guys are getting better faster. Cybersecurity is often a lower priority. Corporations just don’t think about the cost of cyberattacks. Twenty years ago, Stuart talked to people working in automotive technology. Tech problems were at the top of the list, and cybersecurity was at the very bottom. Three years ago, he talked to a different group of people working on autonomous vehicles, and found the same thing. The people building the technology are focused on getting it working first and worrying about security later, instead of building in security from the beginning (called “security by design”).
Large-Scale Cost of Cyberattacks
Most cyber attacks are what Stuart calls “information technology attacks.” They steal your data, lock your computer, ask for a ransom, etc. In most cases, you can wipe your computer (hopefully you have a backup!) to solve the problem. It’s an annoyance, and it may take a week or more in the case of complicated corporate networks, but it’s not a lasting issue.
These days, many devices are online – your smart toothbrush, yes, but also things like internet-connected electrical generators. If someone knew what they were doing, they could make a generator like that explode. And if you explode a million-dollar generator, you can’t go to your local RadioShack for a replacement. This kind of malfunction attack happened at MIT once, and it took three months to get up and running again. Stuart has seen cases of power grids going down or steel mills being destroyed. Send a phony signal to a device like that, and things go bad. Equipment can explode, people can die. These attacks happen, but they tend to be one-offs and don’t get a lot of publicity.
When Stuart talks about a cyber catastrophe, he means the potentially major costs of cyberattacks that are massive and sustained. In engineering, there’s the concept of independent failures. In a power station, you might have eight turbines, but it’s highly unlikely that Turbine 1 and Turbine 2 will go down at the same time. A massive cyber attack wouldn’t just target one device. It could target all eight turbines at once and shut down the whole plant. The risk isn’t that the Northeast will have a power failure or Texas will freeze, but that all power systems across the country will go down at the same time. Stuart hopes it won’t happen, but there’s no reason why it couldn’t.
You Can’t Eliminate Risk (But You Can Reduce Cost of Cyberattacks)
As the old saying goes, if you want to minimize risk, don’t get out of bed in the morning because you could slip in the shower. It’s a balancing act. You don’t have to swear off technology altogether, but don’t take foolish risks, either. Minimize what risks you can, and have a backup plan to reduce the cost of cyberattacks.
The best thing you can do is to change your thinking around cybersecurity. You don’t have to be a tech expert to do it. Stuart always asks his students, if you put a better lock on your front door but still keep the key under the front mat, are you any more secure? Think about what we’re doing, why we’re doing it, and how. Know what the risks are, and have a plan to deal with them if something happens.
None of this is rocket science, but it requires you to start thinking about things in ways that we haven’t done before … people thinking in these ways will start to turn the tide in our favor.
Stuart Madnick