October in the technology world is “cyber-security awareness month” (can’t believe I just wrote that). Yet, for all the awareness that popular media outlets like The Wall Street Journal, The New York Times, 60 Minutes, et al., bring, little in the way of solutions is being offered – which speaks to how serious this issue is for many businesses. Recently, when a huge cyber-attack was launched against JPMorgan Chase and nine other financial institutions, the White House received periodic briefings on the attack in real time. The problem was, no senior White House official could tell the President of the United States “why” the attacks were occurring. According to a report from The New York Times, the answer simply came back as – “We don’t know for sure [why the cyber-attacks are occurring].”
The answer is quite simple: “because they can.” Such an answer is not advisable to give when you are the one who has to deliver it to the President of the United States. In an interview with 60 Minutes a few Sundays ago, FBI Director James Comey said there are two kinds of “big” companies in America, “those who have been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.” Large corporations hold a vast repository of information: company data, customer data, and their customers’ customer data. However, to date, the consequences of a cyber-attack, both monetary and non-monetary, create little incentive for large companies to respond proactively. Consider the amount of fines, penalties, and associated expenses Target Corp. had to pay when it was victimized by a cyber-attack – $148 million. That’s a ton of money, but the data breach did not prevent customers from shopping at Target. Post-breach, Target customers paid for their purchases using either cash or pre-paid cards. Recouping the costs related to the cyber-attack took little time, and the impact on the company’s bottom line was likely minimal.
As an advisor to startups and small businesses, I find that most entrepreneurs do not consider cyber-security in developing their business plans. This is mainly due to some naïve notion that the Chinese (or Russians for that matter) are only out to get the “big” corporations. That could not be further from the truth. Many times, the advice I give to entrepreneurs is that if the business idea is too good, consider that your competitor is paying a third party to find out the recipe for your secret sauce. From there, anything and everything is possible, starting with reverse engineering the ingredients to make a better sauce.
The U.S. government’s public response on cyber-security is a mass hysterical game of shadows, whereby companies need to look over their shoulders to see who may be watching them. A different response should be to fight back. Build up defenses within your business, regardless of size, that allow you to take the fight to the criminals, or deter them. Know where the weaknesses in the organization lie, and address them accordingly. Make the time it takes for a criminal to hack into your business unappealing so that they will move on to easier targets. Large organizations are easy targets, because they are bureaucratically driven by leaders at the top who are chiefly concerned about exceeding shareholder expectations – which has more to do with profit and loss than cyber-security.