What Would a Cyberwar Look Like – A Brief Guide

Cyberwar Techhyme

Consider an employee W-2 form. Before the 2000s, the information on this form had a nominal value that approached the price of the paper on which it was printed. There was no easy way to monetize a stolen W-2 form.

Today, there is a thriving black market for personally identifiable information. As of 2022, the going price for a W-2 is between $4 and $20, depending on the income of the wage earner.

That may not seem like much, but it represents a massive increase from the two-cent value of a printed W-2 decades ago. Stealing even a single W-2 makes sense when attackers operate from a country where $20 is a full day’s wages. Stealing them by the hundreds or thousands using automated attacks against scores of unsuspecting and unprepared small businesses makes even more sense for criminals anywhere in the world.

Having established why hackers are coming for your data, let’s look at the damage done when they strike. Continuing with the W-2 theft example, state and federal laws require employers to report cyber theft, also known as a data breach. Failing to disclose the breach opens the door to class-action lawsuits where juries can award unlimited damages to victims due to your negligence.

Disclosing the breach helps shield you and the organization from claims of negligence and, in some cases, will prevent class-action suits. However, the organization will not be off the hook completely. Defending a non-class action lawsuit will cost tens of thousands of dollars, even if you win.

Also Read:

Additional costs include losses the employee will suffer if their identity is used to open credit in their name, drain their bank accounts, etc. Worse, the threat of identity theft will follow them forever. Related, indirect costs to the employer include replacing the employee if he or she quits and a reduction in morale among peer employees. It may become harder and more expensive to hire good talent, and customers hearing of the breach may look at competitors they believe are more vigilant.

A single stolen W-2 might net an attacker $20, but your organization and employees may be on the hook for tens or hundreds of thousands of dollars in damages. And this is just one example of how cyber-attacks wreak havoc on an organization. Black markets and cyber espionage make seemingly mundane data worth stealing and exploiting.

Trade secrets, access to bank accounts, and private communication are very lucrative targets. Sometimes it is not your own data, but a client’s data accessible through you or your employees that is the target.

Our highly connected, the digital world has ushered in a new era of cybercrime. One that is growing fast and changing constantly. Executives who stick their heads in the sand, try to keep a data breach a secret, pass off cybersecurity as just an IT problem, or wait for government protection will pay a steep price.

Many executives in the 1990s were adamant that computers were a novel expense that would never add real value to their business models. The idea that they would elevate the discussion of computers to an executive-level was as absurd as typing their own email. Executives that clung to this view doomed their company to lose ground when competitors with forward-thinking executives raised technology to a boardroom discussion.

Today cybersecurity is what computers were then. It is history, repeating itself, and we already know who wins. Organizations led by executives that are willing to buck old-school thinking and grapple with the Wild West of cybersecurity will come out on top.

Today, the outdated view is thinking that cybersecurity is a technical problem best delegated to information technology (IT) experts. It goes hand-in-hand with the idea that cybersecurity involves only preventing attacks by anticipating them and implementing as many deterrents as possible.

In contrast, a modern view of cybersecurity recognizes that countering every possible attack to achieve perfect security is financially unfeasible. This new mindset also considers what happens when attacks occur, because they will. Astute executives realize that spending every dime on prevention is futile and take a more holistic view of the problem.

Finding the right balance among various preventive and preparatory measures is like building an investment portfolio of stocks, bonds, and real estate. The right mix depends on what the external markets are doing and your appetite for taking risks. As time goes on, the markets will change, and your life circumstances change. Allocations in your portfolio adjust accordingly.

This article is a guide to making investments in cybersecurity that reflect the external threat landscape, internal business strategy, and the organization’s appetite for risk.

Despite having excellent cybersecurity teams and multi-million-dollar budgets, large companies have learned that cybersecurity is a business problem that must be managed from the top. They have realized that outsourcing and delegation only go so far when building a comprehensive cybersecurity plan and keeping it up to date as internal and external circumstances change.

For the foreseeable future, the management of cybersecurity as a business problem will rest upon the shoulders of top management. Unless you embrace this new role, your organization will be a cybersecurity have-not in a time where data privacy and security are of increasing concern among clients and suppliers.

What happens if you do not step up to the plate? Well, according to a 2017 report, nearly one-quarter of small businesses that suffered a ransomware attack were forced to immediately stop their operations. How long can your organization survive if revenue-generating operations stopped abruptly while payroll and other expenses continued? What will long-term damage be done to your clients’ perception of your organization’s ability to offer uninterrupted service?

Savvy competitors simply wait for your market share to open up as a result of your inattention. On the flip side, effective management of cybersecurity is necessary just to stay on par with forward-thinking competitors. Having a comprehensive cybersecurity plan in place can position your company to survive the same attacks that will bankrupt (or severely disrupt) your peers. When that happens, you can pick up their market share and grow your company.

Another reason to take cybersecurity seriously at the executive level is that larger, cyber-savvy companies are often direct, or indirect, clients who take the security of their supply chain very seriously. Studies show that as many as 63% of data breaches are linked to a third-party because weak downstream suppliers make great back doors into otherwise secure systems.

In response to this, the NIST Cybersecurity Framework (a technical implementation guide) was recently revised to add emphasis to supply chain scrutiny, and an executive order from the White House drove this same point home for government agencies.

The government, their downstream contractors, and large private sector companies will begin culling lax suppliers and awarding business to those who demonstrate they take cybersecurity seriously. Nimble executives who address cybersecurity at their core will have an advantage one that differentiates a company from its competitors and may command a premium.

If you insist that your plate is full just managing what you already have, you will miss the opportunity to rise above your competitors, just like the old-school executives who refused to see technology as anything more than an expense.

Consumers have also become quite sensitive to cybersecurity, and it is reflected in their buying habits. Forward-thinking executives can capitalize on this trend too.

A prominent example was Apple’s stance on personal privacy when the FBI demanded they decrypt an iPhone used in a terrorist event. Playing up their investments in encryption and demonstrating loyalty to a client even in the worst of times helped solidify consumer trust in Apple products. Learning to manage cybersecurity from a business perspective means you can spot and leverage opportunities like this too.