Mexico City 2015 Blog: Michael Chertoff on How Businesses Can Manage Cyber Attacks
The former U.S. secretary of Homeland Security said that businesses should not expect to eliminate or avoid all risk, but instead to manage and reduce it.
“It’s no longer a question of whether a company will be breached, but when they’ll be breached,” said Michael Chertoff, the former U.S. secretary of Homeland Security, in a speech on how businesses can understand and respond to cyber threats. “Companies need to be able to respond to cyber attacks if they’re conducting any activity of economic value.”
Chertoff, who today is head of The Chertoff Group, a security and risk management advisory firm, opened his remarks by noting that when the Internet was first designed (as a communications system for defense groups), every user was a trusted member. As the Internet evolved, however, the network expanded to include users who were not always trustworthy, which gave rise to the issue of cybersecurity.
Cyber attacks have evolved from criminality (e.g. robbery), to acts of destruction where the goal is to take down corps. --Chertoff #mxASCOA
— AS/COA Online (@ASCOA) May 21, 2015
Chertoff gave numerous examples of the types of attacks faced by different groups around the world today—everyone from the Saudi state oil company to a Silicon Valley electrical substation—and highlighted the fact that cyber attacks can cause not just technological damage, but physical harm. He said protecting critical infrastructure of sectors like energy, finance, and communications should be the shared responsibility of both the government and private sector.
Chertoff closed by laying out a six-step “security road map” for businesses:
- Identify what your most strategic assets are. What are you trying to protect?
- Inventory your network. Who’s on? Who can get on? What goes on inside your network?
- Train, exercise, and test employees on how they interact on the Internet.
- Monitor and vet the people who have the highest level of administrative privileges to make sure they’re not creating a threat within the company.
- Plan for what happens when something bad occurs. The ability to respond quickly to an incident is the difference between a bad day and a catastrophic day.
- Establish redundancy. The ability to have a workaround and compensate if a particular system fails is maybe one of the most essential things you can do.
Watch the video (beginning at 29:25):