With less than one month to go until Cybersecurity Awareness Month, the National Cybersecurity Alliance hosted a conversation between Bryan Smith, Section Chief, Cyber Criminal Section, Federal Bureau of Investigation, and Mitchel Chang, SVP of Corporate Social Responsibility and Initiative for Education, Trend Micro.
The two cybersecurity experts discussed the contentious question “Cyber Pro vs. Cyber Criminal – Who is winning?” In the course of conversation, the answer was not definitive. All the more reason to be vigilant and involved with Cybersecurity Awareness Month this October.
The discussion did describe the current threat landscape, advantages cyber professionals still have and cybersecurity resources available to the business community for mitigating cyberattacks.
Cybersecurity Threat Landscape
Currently, there is a widespread perception that cyber crime has increased in scale and frequency. As an organization, you are well within your rights to be concerned. Recent headlines, including SolarWinds, JBS and Colonial Pipeline, have made the public outlook pessimistic.
It seems cyberattacks have affected every part of the supply chain – doom and gloom scenarios are pervasive on the news, and the FBI’s Internet Crime Complaint Center (IC3) saw cyberattack complaints quadruple in 2020. Bryan Smith, Section Chief, FBI, did offer a glimmer of positivity, acknowledging that for every cyberattack the media highlights, there are probably hundreds of companies that successfully protect themselves against attacks.
Mitchel Chang discussed “Industry 4.0” (a new phase in the Industrial Revolution that focuses heavily on interconnectivity, automation, machine learning, and real-time data), giving some positive statistics. Industry 4.0 has reduced industrial outages by 50%, and digitally-enabled healthcare tools prevent 95% of adverse drug events. But this technological trend and the exponential growth of device use have brought a proportional increase in attack surface. We are living and working in a time that demands balancing the benefits of digital transformation with cybersecurity challenges.
Prior to working for the FBI, Bryan Smith worked in the consulting industry. The model that the “Big 5” uses to evaluate organizational cybersecurity posture furthers understanding of business systems (e.g., the passage of information from one department to another, or the interaction an organization has with vendors). Organizations invest in IT systems to solve business problems – but very often, organizations divorce IT from the core business.
Yet, the adversary is attacking the business component. Business needs to communicate with IT. That bridge is critical in addressing cybersecurity. Cybersecurity is not an IT problem; it is a business problem.
Organizations do not necessarily see cyberattacks as a crime problem. They see cyberattacks as a public relations problem. After a cyberattack, organizations are concerned about their customers and the public learning about the attack. Organizations take steps to minimize attacks. But having legal teams handle cyberattacks does not get to the root of the problem.
When a bank is robbed, the bank will typically call law enforcement and aid law enforcement with everything they need to solve the crime. The process should be similar in the event of a cyberattack.
When an organization calls the FBI after a cyberattack, the FBI is sometimes afforded the opportunity to recoup the data stolen (as was the case with BTC). The FBI’s objective is to go after and hold criminal enterprises accountable for their actions and to recoup losses or prevent criminal activity in the first place. If no one from the private sector reaches out to the FBI to report a cyberattack, the FBI simply cannot help.
A knowledgeable and prepared public sector is key to fighting cyber crime. Sharing information (via the Internet Crime Complaint Center and StopRansomware.gov), building public and private partnerships, and engaging businesses (National Cybersecurity Alliance) make up a strong threefold approach.
These cybersecurity resources are available to your organization to fight cybercrime:
1. StopRansomware.gov
StopRansomware.gov establishes a one-stop hub for ransomware resources for individuals, businesses and other organizations.
2. Internet Crime Complaint Center – IC3
The mission of the Internet Crime Complaint Center, also known as IC3, is to provide the public with a reliable and convenient reporting mechanism to submit information to the Federal Bureau of Investigation (FBI) concerning suspected Internet-facilitated criminal activity and to develop alliances with law enforcement and industry partners. Information is analyzed and disseminated for investigative and intelligence purposes to law enforcement and for public awareness.
3. National Cybersecurity Alliance
The National Cybersecurity Alliance is a group of convening partners who believe in the strength of the security collective. It is their purpose to educate individuals and organizations on security best practices, thereby amplifying collective efforts to increase cybersecurity awareness.
Themed “Do Your Part. #BeCyberSmart.”, the 18th annual Cybersecurity Awareness Month (October 2022) empowers individuals and organizations to own their role in protecting their part of cyberspace.