Member Insight

June 2021

Greg Gershman
Michael Dent
CISO
Fairfax County, Virginia

Cyber Governance: More Critical Than Ever

Cyber is going to be a hot topic next month at EDGE2021, and I am looking forward to participating in the discussions. The main conference venue is the Park MGM, Las Vegas, as in MGM Resorts. Let us start there: in February of 2020, 10.6 million records of former MGM hotel guests – names, home addresses, phone numbers, emails and dates of birth – were posted on a hacking forum. In July 2020, researchers discovered 142 million records of MGM hotel guests for sale on the Dark Web, suggesting the breach might have been far worse. Don’t worry, fellow EDGE2021 attendees: your records probably already were compromised in the Microsoft, Walgreens, Carnival Cruise Lines or J. Crew breaches, or in any one of the more than 5,000 successful cyber breaches of 2020.

Nearly one in three Americans were hacked last year alone. 41 percent of Americans have encountered fraudulent charges on their credit cards. 35 percent have received notices that some type of sensitive information (such as account numbers) has been compromised. Another 16 percent have had their email accounts taken over, and 13 percent one or more social media accounts. 15 percent have received notices that their social security accounts have been compromised. 14 percent had someone attempt to take out loans using their personal information, and 6 percent report being impersonated in the filing of fraudulent tax returns.

Statistically, more than half of you reading this use the same or similar passwords on multiple accounts, and you rarely change them. And the passwords you use often include some link to your name, birth month and/or year, and possibly a logical sequence of numbers. Frustrated by the gas lines of the past few weeks because of the Colonial breach? According to today’s news, it looks like cheeseburgers were the latest successful target. Attacks are increasing in terms of both frequency and impact.

The kinds of practices described above, the absence of basic cyber hygiene, have consequences, and those consequences are expensive in more ways than just dollars. Bad cyber hygiene at home contributes to the cyber challenges of government and business because these habits follow people into their work environments. Every government agency and commercial enterprise of appreciable size has a CISO. And smaller enterprises put safeguards in place as best they can (47 percent of cyberattacks – ransomware – target small business). Governments and businesses alike produce cyber policies, incorporate best practices, monitor threats as they evolve and constantly review technical solutions to combat them. But the perfect cyber strategy is only as effective as the governance behind it. Compliance and accountability matter, and they begin at the top – the agency head, Secretary, CEO, CFO. Employees need to hear continually about the threats and about the importance of compliance – mandated compliance that is enforced and that carries consequences if deliberately violated. This top-down governance, as common sense as it sounds, is a major challenge, perhaps THE major challenge. Here are a few simple rules for C-suite executives – Mike’s Rules:

  • Compliance starts at the top: no exceptions allowed for anyone, period, in terms of passwords, two- or three-factor authentication (depending on the government mission or business sensitivity), or the rules of basic cyber hygiene.
  • Standardize the technology employees use to access the network – no unauthorized device access allowed.
  • Invest in infrastructure – too much legacy technology is incapable of detecting and preventing the attack capabilities of today’s sophisticated cyber criminals and nation-states.
  • Recognize that sometimes a brief pause in network availability to patch a vulnerability prevents a larger problem that can shut down production or service for far longer: aka Colonial Pipeline. CISOs need to know they have the backing to responsibly perform needed functions (and CISOs in turn need to evaluate those functions carefully and communicate them to and with management).
  • Enforce compliance through education and communication. Communicate to your workforce and team that compliance is mandatory, vital, monitored and regularly reviewed.

The bottom line is that cyberattacks are increasingly sophisticated, hard to detect, and more costly and impactful. Cyber is in the news and is going to stay there. Attackers and the technologies they use are harder to detect. Cyber strategies are more important than ever. But our greatest vulnerability in government and business is governance. Cyber governance is on the agenda at EDGE2021, and I look forward to being a participant in that discussion. See you in Las Vegas next month.