When it comes to preventing cyberattacks, companies are operating under a set of outdated notions, says Mark Sutton MBA’09, senior vice president and chief information security officer for Bain Capital.
Companies often treat cyberattacks as purely a “tech” problem, to be solved in an IT back office, he says, when really the problem needs to be tackled in the boardroom by the leaders making senior business-risk decisions.
“Cybercrime isn’t a criminal endeavor; it’s a business,” Sutton asserts. “To protect your company, you have to understand who may want to target you, how they may compromise your network and what your most critical and sensitive digital assets are.”
It seems almost quaint now to recall a once-pervasive image of cybercriminals “as geeks in their parents’ basement with no real friends, trying to hack into” systems, says Sutton, or “Nigerian princes sending you emails (asking for) your bank information.” The cybercrime of today, he says, has “evolved into something much more sophisticated to a level where people are talking about this being the fifth dimension of warfare” (after land, sea, air, and space).
In a webinar presented recently at Babson’s Miami campus, Sutton addressed the threat of cyberattacks and offered three tips on how companies can better protect themselves:
Invest in a Cybersecurity Team
This is different from an IT team, which is “going to be focused on IT projects,” Sutton says. A cybersecurity expert knows how to assess cyber risk and then build a program and strategy that is aligned with the business to mitigate it.
Invest in Cyber Controls
“Small- to mid-sized companies that want to roll that dice and say, ‘I won’t be targeted,’ leave themselves very exposed if they don’t invest in the most basic of cyber controls,” he says. Measures such as endpoint controls to stop malware and viruses and multifactor authentication “so you can be confident only your employees are ‘logging in’” are now table stakes, he says.
Update Software and Plug Holes
“Companies hurt themselves because of a basic lack of IT hygiene,” Sutton says. Basic updates often are overlooked in favor of other initiatives, he explains, adding, “Plugging holes or patching is the digital equivalent of locking your front door.”
Some cyberattackers “are simply opportunistic,” Sutton says, “like a criminal walking around a neighborhood looking for open doors. They can see all the holes that (a company) is trying to patch. All they need is one hole, one gap, one opportunity, and they are in.”