Data breaches and hacking incidents affect a myriad of entities in many industries, such as financial, retail, and technology. Analysis Group Principal Almudena Arcelus discussed the impact of these incidents with affiliate Michael Siegel, a Principal Research Scientist at the MIT Sloan School of Management, the Co-Director of the PROductivity from Information Technology (PROFIT) Project, and Associate Director of MIT’s Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC)3.
Michael Siegel: Principal Research Scientist, MIT Sloan School of Management
Professor Siegel: Most of the questions we are getting from board members through information technology executives are related to what is an appropriate cybersecurity framework. Cybersecurity is a mostly non-regulated field in which there are many issues to be discussed, including risk, compliance, security, and best practices. There is always a question of how much to spend and where to allocate resources.
Professor Siegel: First and foremost, cybersecurity is about people, process, and technology. The largest emphasis is on people because most breaches – some say as much as 90% – have been aided and abetted, knowingly or unknowingly, by insiders in the organization. Most organizations have made building a culture around security a major priority. Many are using the NIST (National Institute of Standards and Technology) Cybersecurity Framework as an overall guide for understanding cyber-readiness.
Almudena Arcelus: Principal, Analysis Group
Professor Siegel: The major areas of focus for an organization with respect to any cybersecurity threat are prevention, detection, and response. As hackers grow increasingly sophisticated, more and more organizations are realizing that prevention only goes so far. These organizations realize others will breach their systems and those breaches can go undetected for months or even years. Clearly, response capabilities are increasingly important and represent a significant budget item for leading organizations.
Professor Siegel: I think one very exciting area of research and practice relates to efforts to limit the number of vulnerabilities available to potential hackers (black hats). In recent years, hundreds of technology-focused organizations (e.g., Google, Facebook, Microsoft, Uber) have launched “bug bounty” programs. Under these programs, an organization pays friendly hackers (white hats) to identify its vulnerabilities. The vulnerabilities are then patched (though there can be problems when this is delayed) and as a result their software is safer to use.
Non-technology companies are also beginning to offer bounty programs. United Airlines has had an active public bug bounty program for nearly a year, and many organizations have private programs. The Department of Defense through HackerOne (a platform for bounty programs) launched “Hack the Pentagon” in April 2016. Finally, FCA (Chrysler) just announced a bounty program for automobile systems.
Notably, reducing the number of vulnerabilities through such programs only works if the organizations have the ability to patch the bugs quickly. Not doing so raises a whole new liability concern for these organizations.
Professor Siegel: People, people, people. Without a strong security culture, an organization will not be effective in implementing its security protocols. For example, phishing (emails with links intended to allow malware to be loaded on a computer) has over 10% click-through rates in many organizations. All the efforts spent on securing the organization only work well if we don’t give away the keys to the house.
Beyond this, a focus on allocating resources to prevention, detection, and response is crucial. Relying on a reactive mode of operation will not allow us to get ahead of those that threaten our organizations.
This feature was published in September 2016.