By Hans Holmer
Senior Cyber Strategist, Technical Counterintelligence Center
Leaders of companies frequently find themselves at a loss for how to lead in the cyber arena. Typically, from the C-Suite point of view, “cyber” appears to be a technology problem rather than a people problem–and the technology moves way too quickly for us ordinary mortals to keep up. Too often the “people aspect” of cyber security is overlooked and, yet, it is one of the most critical areas, where leaders can do their company and their employees the most good. In fact, cyber security is like exercise: No pain, no gain.
For example, the traveling executive is likely to be the senior leader who travels the world carrying electronic devices that hold crucial company intellectual property and proprietary data. He or she is also too busy to deal with painful security requirements that interfere with work and their computer has just the sort of data that are of critical value to the business… and to competitors or even foreign governments. It doesn’t take a genius to know that a number of countries are gaining access to US intellectual proprietary and patented information by cyber means. As of mid-2014, Bloomberg estimates that more than $445 billion worth of intellectual capital was lost this way. (http://www.bloomberg.com/news/articles/2014-06-09/cybercrime-remains-growth-industry-with-445-billion-lost )
So how can companies protect their traveling executives and lead their business in cyber security? By demonstrating that cyber security is business resiliency. That data protection is important enough to put above the pain of “not doing things the way you’ve always done them.” By proving that you are willing to accept pain to secure their data when traveling. All the data show that changing our behavior is the key to stopping breaches, hacks, and data loss.
- Take the time to install every security update and patch. Almost all intrusions depend on software vulnerabilities for which patches have been issued but not installed. Computers that connect inside and outside the corporate network are particularly at risk because users rarely are willing to let the update process detract from work demands. So if traveling senior executives demonstrate how protecting their computer is critical to the business and demand that their computers maintain the highest levels of security, this alone would be a major step forward in corporate cyber leadership.
- Use a designated computer for foreign travel. This reduces the amount of intellectual property within the computer and, in turn, reduces the chances that the computer can introduce malware when returned to the corporate network. It also prevents the disclosure of corporate log-in credentials overseas.
- Keep computer, phones, and other devices in your sight at all times. Sure, it can be painful. But not as painful as the loss of intellectual property, competitive advantage, and lost business.
When corporate leadership demonstrates that cyber security is important and that useful countermeasures are worth the pain, it sets the priorities for the rest of the organization. By taking the lead in secure technology use while traveling abroad, senior leadership can set the tone for the entire corporation and enjoy increased cyber security practices. In the process of learning to use technology securely, everybody benefits. It’s a win for leadership and for cyber security. Not only does it demonstrate that mitigating risks while traveling is important, but also that protecting company data on the corporate network is important. The same countermeasures that secure a travel computer will secure a corporate network. Doing one but not the other is nothing more than a waste of time. Cyber security is very much an all-or-nothing kind of problem; it’s “data ecology.” The entire network as well as all the employees need to actively participate. And it starts at the top.
Hans Holmer works in the Technical Counterintelligence Center of Intelligent Decisions. He can be reached at email@example.com or 703.599.4735.
Hans is a retired CIA officer with about 20 years in cyber, 26 years in intelligence and over 40 years in computers and similar technologies.