If the cyberattacks that infected computers in more than 150 countries this month did anything good, they have shown organizations the world over what not keeping systems up to date costs.
Michael Siegel, principal research scientist at MIT Sloan School of Management, researches cybersecurity and critical IT infrastructure and has found that companies investing in cybersecurity save money in the long term. The WannaCry virus affected older machines without the right security patching. So there’s “inverse ROI of not doing cybersecurity,” he said.
“For companies that do it right, they didn’t have disruption; they didn’t have to consider paying a ransom. For companies that don’t do it right, they just learn what it costs to not do it right.”
Siegel is also the associate director of MIT’s Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, launched two years ago to raise awareness about the need to gird IT systems for cyberattacks. He’s moderating a panel discussion among business and IT security leaders at the MIT Sloan CIO Symposium in Cambridge, Mass., on Wednesday. The topic couldn’t be timelier: how to measure ROI for cybersecurity investments.
That’s hard to do, partly because there have been relatively few large-scale cybersecurity “events” as organizations have been retooling as digital businesses, moving IT operations to the cloud and transforming business models, Siegel said.
“So we’ve not had that much experience to know whether the way we measure things and the way we guard against them holds up in all sorts of conditions,” he said.
Big corporations, he said, are “reasonably ahead of the curve” in measuring risk, communicating that to the board and then investing in cybersecurity. For smaller companies, though, “It’s a whole different story.”
SearchCIO spoke to Siegel ahead of the MIT conference about another lesson the cyberattacks can teach organizations big and small, the insidious innovation today’s cybercriminals are showing and what it will take to get people to think seriously about cybersecurity. Here are excerpts from that conversation.
The recent global ransomware attacks have been seen as a turning point for cybersecurity readiness, pushing many organizations to review network security investments and staffing. Is that what’s needed?
Michael Siegel: Clearly, there’s an argument about the inverse ROI of not doing cybersecurity. It became very, very clear [that] the attack and the attack patterns were at older machines and institutions that had not patched something that was available for several months. So you can review your entire cybersecurity policy, and it may go to that level. But really this was about keeping your software licensed and current and patching things.
For companies that do it right, they didn’t have disruption; they didn’t have to consider paying a ransom. For companies that don’t do it right, they just learn what it costs to not do it right.
The real lesson to be learned is that there is very much the potential for the big one. And the question is, how do organizations prepare and understand that with regard to ROI, and then how do we deal with it as a society?
Are organizations spending enough on cybersecurity? And are they using the right information to make investments?
Siegel: In our consortium, we work with a lot of top-tier organizations — the big companies that are in financial services are at least reasonably well ahead of the curve; energy and other areas have clear plans, clear metrics.
It’s not a perfect science. We’ve had — though it seems like a lot of [cybersecurity breaches] — ultimately very few events over a considerably longer period of digitization. So we’ve not had that much experience to know whether the way we measure things and the way we guard against them holds up in all sorts of conditions.
I think companies that lead in this area are doing the best they can to measure and to communicate about the risk. It’s like other risks that organizations face, whether it be operational or credit or natural risk. It’s turned into a risk, and they’re doing the best to assess it, to put things in place, to manage that risk, whether it be policies internally or policies in the form of insurance.
It’s a whole different story when you go down to the small and medium-sized enterprises. They’re not as sophisticated. They’re doing perhaps some of the operational stuff as far as technologies and firewalls, [but it’s] not clear that they fully understand the training necessary and so on. But across the board, issues remain.
Those small and medium-sized organizations — what kind of things can they do to convince board members to make the proper investments, and who should take the lead on that?
Siegel: It’s interesting, there is a little bit of a separation between technology departments and what in larger companies would be called the CISO — chief information security officer — or the CIO, and the chief risk officer. So the chief risk officer — or perhaps CFO in some organizations — ultimately would be the one who looks at and evaluates, say, insurance policies for cyber. Yet the CISO is one who actually operates the organization that is putting stuff in place that’s at risk. Now there’s a separation between those two.
In smaller organizations, your CFO is the one who has to say, ‘OK, are we doing a large policy about cyber insurance?’ I think about the CFO sitting there and saying, ‘Well, we have errors and omissions, we have general liability — now what about cyber?’ But are they asking that question? If you’re getting a CFO in a midsize company or a smaller enterprise who starts to think about risk, in terms of what other risks that they have and managing those risks, then I think you’re starting to get a company that has the potential sophistication or interest in managing the cyber risk.
How innovative are cybercriminals? And is cybersecurity technology keeping up with them?
Siegel: Well, the general feeling is that we’re getting better, and they’re getting better faster. More and more people are getting pretty positive about technologies that are being developed and what we’re able to do. But what that in fact does is it puts even more pressure on the weakest link — the human factor. You can build the best firewall and have the best approaches to passwords. But if someone can get the right credentials and just log in and do the right things — like you’ve seen at Target or the T.J. Maxx breach — if you can do that type of thing, very little of that technology is going to be helpful.
So I think we’re getting a lot better, and many people express that we’re getting a lot better. And in fact the technology could go to 90-some percent, but it only puts more pressure on the weak point. It depends on which study you read, but somewhere from 60-plus percent of all breaches have some involvement of a person who advertently or inadvertently lets people into their system.
The social engineering skills of the attackers are getting cleverer and cleverer: They’re spoofing sites; the phishing is getting really good — I mean really good. People ask me, ‘What can I do? Is it hopeless?’ I say, ‘You know what? In a way it is hopeless. But the most important thing is, just don’t click on things. You click on things that you don’t really carefully look at or need to click on — that’s the major way you expose yourself.’
Does it take a change in mindset to effectively counter cyberattacks?
Siegel: Yes, it does. I talked to one organization in a phishing exercise to executives. In the phishing exercise, it said, ‘This is a phishing email. If you click on this link, it will harm your computer.’ And they still had people click on the link. And why is that? It really goes to who we are. We’re kind of scientists — we have this scientist in us. When I asked [someone who clicked on the link] what happened, he said, ‘I wanted to see what would happen.’
People put cybersecurity in a box. We need more engineers, and we need more computer scientists. We’re somewhere between a million and two million short already, and certainly by 2020 [we’ll be] two million short security engineers in this country alone. But really all of that should not be the argument. The argument is, we’re not all going to be computer scientists and engineers, but we’re all going to use a computer. This is a societal thing to teach, so underlying our society, there has to be a public cybersecurity narrative.