In addition to being Mindsight’s Cybersecurity Practice Lead, Mishaal Khan is a certified ethical hacker. That means he’s intimately acquainted with all the nefarious ways cybercrooks infiltrate, steal from and generally wreak havoc on companies of all sizes.
The one thing he still can’t figure out is this: Why don’t enough business leaders take cybersecurity seriously — especially in this age of remote work, when it’s more crucial than ever?
“The digital response to the COVID-19 crisis has also created new security vulnerabilities,” a recent McKinsey report notes. “Attackers seek to exploit the gaps opened when telecommuting employees use insecure devices and networks. Threat actors also use known attack techniques to exploit people’s COVID-19-related fears. For example, Google tallied more than 18 million malware and phishing emails related to the novel coronavirus on its service each day in April. It also reported identifying more than a dozen government-backed groups using COVID-19 themes for these attempts.”
During a virtual Mindsight event on July 27 titled A Hacker’s Perspective on Hybrid Work, Khan (who speaks at security-related events around the country) will explain, and show via simulations, why augmented cybersecurity protocols are vitally important. Once a company’s data and systems are compromised, it’s far too late: sensitive data is gone, and perhaps it’s even being held for ransom. That’s problematic financially as well as reputationally. And although every industry has seen a rise in cyberattacks in the last 18 months, higher education, healthcare, government, energy and small businesses seem to be the biggest targets (to learn more about why these industries are being hit harder, read our previous blog Five Industries Most Vulnerable to Cyberattacks in 2021).
It’s far better, Khan repeatedly stresses, to be proactive than reactive. Unfortunately, he says, this exhortation too often falls on deaf ears. He’s confident, however, that a gradual paradigm shift is afoot as more leaders see the error of their previously lax ways and elevate cybersecurity from afterthought to priority.
Proactive cybersecurity is meant to prevent an attack or mitigate its damage. When your company’s cybersecurity culture is proactive, the organization is committed to preventing attacks and threats, not just responding quickly to them. This can include implementing tools to prevent attacks (email protection, 2FA or MFA, VPNs, etc.), educating your employees about good cyber hygiene, and planning for potential, yet unknown, risks. Penetration testing is also part of a proactive cybersecurity strategy.
On the other hand, reactive cybersecurity is exactly what it sounds like: how your IT team responds to an attack or breach after the fact.
1. The attack or breach is discovered.
2. The attacker is denied further access to the system.
3. The damage is assessed.
4. The clean-up begins.
This is how many business leaders think about cybersecurity. There is nothing wrong with reactive security — it is part of the reason you’ve invested in cybersecurity controls — but when your entire security culture is reactive, that can be a problem. To be truly effective, your cybersecurity culture must be both reactive and proactive.
During a recent conversation, Khan detailed the main reasons why cyberattacks continue to occur at an alarming rate.
Many company leaders are stubborn and resistant to change
They don’t trust the new paradigm, they’re not comfortable with change in general and they don’t think they’ll get hacked. The interactive approach I take with them is more specific rather than general. I tailor my presentation to their company and what can happen if they’re targeted without proper security measures in place. I try to make them feel a little bit uncomfortable, because that’s when you make decisions. When I make it personal and see their reactions, that works better from an educational perspective.
Companies don’t see the “dollar value” of cybersecurity
I have noticed that people are now taking cybersecurity a bit more seriously in that they’re spending money on it because they have government funds. But they’re just spending it because they need to spend it, not because they believe they need to be more secure. Money is the reason many companies don’t have better cybersecurity, but let’s not call it money. They have the budget to spend money on coffee and paper, but they don’t see the dollar value in cybersecurity. It’s like the seatbelt and airbags in your car: Maybe you’ll never need them to prevent injury, but they’re there for your safety. The same goes for any kind of insurance. So my job is to show the value in cybersecurity by reminding them of the potentially catastrophic consequences. Many companies don’t exist anymore because they didn’t take it seriously.
Many leaders lack the technical know-how to fully understand cybersecurity
Company leaders do their jobs pretty well in their own field, but they don’t understand cybersecurity. Birds of a feather clutter together. They tend to be around people of the same mindset. CEOs are around other CEOs as opposed to CTOs and other tech leaders, so there’s a disconnect. Part of my role is to bridge the gap. The key is educating the business-side executives on what the threats are and how they can adversely impact a company. Once that happens, the budget for cybersecurity suddenly becomes available.
Mindsight, a Chicago IT services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.
About the Expert
Mishaal Khan, Mindsight’s Security Solutions Architect, has been breaking and – thankfully – rebuilding computers for as long as he can remember. As a Certified Ethical Hacker (CEH), CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester, Khan offers insight into the often murky world of cybersecurity. Khan brings a multinational perspective to the business security posture, and he has consulted with SMBs, schools, government institutions, and global enterprises, seeking to spread awareness in security, privacy, and open source intelligence.