When it comes time to defend against cyber attacks — look to retail for a lesson

If you’re being chased by a bear, you don’t have to run faster than the bear. You just have to run faster than the other guy who’s being chased. At a Chicago Executive's Club panel on cyber security, we learned the same principle applies to defending your company against cyber attacks.

According to the panelists, if a high-powered hacking team deliberately targets your company, there’s no way you can be 100 percent safe. It’s simply too expensive to put into place the level of security that would be required to keep them out.

Instead of lamenting that fact and giving up, the panelists suggested a two-pronged approach:

  1. Make it just difficult enough that the hackers will move on to easier prey.

  2. Practice your response plan so that when you are inevitably hacked, your leadership team will be ready to respond effectively.

The good news is that hackers are not usually deliberately targeting your company — they’re looking for the easy pickings. That’s where “running faster than the other guy” comes in. You want your company’s cyber defenses to be powerful enough to discourage hackers so they will move on.

Even so, a breach is bound to happen given a long enough timeline. Every smart cyber security program will devote time to designing and practicing an emergency response plan that can lock down data, fight back against the hack, and communicate the steps being taken.

To tackle the first step, the panelists recommended implementing the SANS Top 20, a list of basic actions to maximize your cyber security. Following that simple roadmap will help build a robust cyber security program. It starts with inventorying all your authorized and unauthorized devices and ends with organizing a “red team” to simulate cyber attacks.

The challenge, of course, is that even the most sophisticated cyber security tools won’t work if people don’t use them. Leaders must develop a company culture where every single person feels responsible for protecting the company. Amazingly, it is often the most senior executives who are too casual about cyber security. They need to be held accountable along with everyone else.

Companies trying to defend against cyber attacks can look to retail for a lesson. Brick-and-mortar stores must defend against shoplifting — called “shrink” — in much the same way. At one major retail chain, every time someone says the word “shrink,” everyone shouts, “Not on my watch!” It is that kind of vigilance and personal responsibility that will protect your company from a destructive attack.

Gail Golden

As a psychologist and consultant for over twenty-five years, Gail Golden has developed deep expertise in helping businesses to build better leaders.

https://www.gailgoldenconsulting.com/