Roger Cochetti testifies before Congress. (Photo by Mike Wendy)
Even the most sophisticated companies have problems keeping their computer networks secure from malicious hacking. Earlier in September, Americans learned that credit reporting agency Equifax exposed the personal information of 143 million U.S. consumers in an undetected hack of the company’s databases. Preliminary reports have it that Equifax could have avoided this mess if it had only made a couple of “simple” patches, which it failed to do. So what are the lessons learned from this cybersecurity nightmare.
CEOReport caught up with IT industry veteran, Roger Cochetti, to discuss the challenges cybersecurity issues pose to business and individuals. Cochetti knows a thing or two about cybersecurity – presently, he advises the technology sector in Washington, DC, on techpolicy matters; and his decades of experience includes executive positions with COMSAT, IBM, Network Solutions, VeriSign and CompTIA, as well as his service on the Advisory Committee to the Secretary of State on International Information & Communications Policy; on the President’s National Security Telecommunications Advisory Committee (NSTAC); and as a founder and board member of TRUSTe, FOSI, the Online Privacy Alliance.
CEOReport: What are the top cyber-hygiene behaviors a small to mid-size company should do to keep their systems secure?
RC: Keep up with updates to your software and hardware. Long ago, these were sometimes annoying downloads that didn’t seem to benefit the user very much. Today, they are an essential tool in keeping your systems safe. Failing to install an update is comparable to leaving your house unlocked when you leave it.
Training your employees is also very important. Most cyber crimes are committed as a result of an employee error. Let’s recognize that we will never eliminate all employee errors, but we can reduce them and keep casual cyber criminals away through basic training. Simple examples include always selecting passwords that are difficult to guess (how about a phrase from your favorite song?); change your passwords periodically; and look carefully at incoming e-mails that ask you to click on anything.
CEOReport: Seems like many companies don’t take cybersecurity seriously. But it can be costly when a breach occurs – what are some of those typical costs?
RC: There are lots of costs; and the ranks of businesses that have failed or executives who have lost their jobs due to cyber security failures are growing. Moreover, governments everywhere are trying to increase the penalties for business cyber failures. To name a few of those costs: lawsuits from customers, shareholders or employees; consumer protection prosecutions from federal, state or local authorities; and damaging PR and loss of customer trust.
CEOReport: Why is it so hard for companies of any size to justify spending resources on cybersecurity?
RC: Like any expense that prevents damage, expenses for cyber protection do not yield an immediate return. $100 spent on advertising will hopefully generate $XXX in sales, but $100 spent on cyber protection only protects a business from future costs. So it seems easy to defer, minimize or avoid these costs. For most of the history of the internet, there was little or no cost to avoiding cyber protection expenses since the chances of a failure were small. Bad guys came to understand this and the chances of a cyber break-in have been growing every day. We need to look at these expenses exactly the same way we look at the cost of locks on our doors.
CEOReport: What are some services or web practices you yourself strenuously avoid due to cybersecurity issues?
RC: The biggest has to be looking skeptically at incoming e-mails that ask you to click on something (These are called “phishing” and when they seem to be specific and realistic “spear phishing”.) These often seem to come from a business that many people (including you) use or someone that you know, so they may seem to be legitimate. I can’t tell you how many “free” e-mail offers I have deleted from businesses with whom I do business because it wasn’t worth the risk of downloading something pretty bad.
CEOReport: How does the mobile, technologically heterogeneous office-place complicate cybersecurity matters?
RC: The bad guys are catching on to the fact that Internet users today are mostly using smart phones. Today’s heterogeneous mobile software and hardware environment is a little more tricky for bad guys to manipulate, but that is more than offset by the fact that mobile Internet users tend to be a lot less careful. This is the number one growth opportunity for bad guys.
CEOReport: Any last pieces of advice?
RC: Unfortunately, we simply have to get used to the notion that the open Internet is little different than the open streets in any large city. It offers enormous opportunities and many, many risks. We have no choice but to spend time and money protecting ourselves from these risks.