Are U.S. businesses ready to face the growing cybersecurity threat right now? Well, according to Preet Bharara, the U.S. Attorney for the Southern District of New York, things are pretty grim.
In an op-ed piece in the Sunday edition of The New York Times entitled “Asleep at the Laptop,” Bharara emphasizes that the cyber threat is real and has not been exaggerated. Unfortunately, while he believes that authorities are moving to confront the threat, the private sector’s response has been wanting. Bharara recounts a number of anecdotes to bear this out:
“Recently I met two executives from major companies who did not even know whom in law enforcement to contact in the event of a hack or intrusion. A few weeks ago, after a speech I gave about cybercrime, a board member of a significant Internet-based company took me aside and admitted, with some horror, that his company’s board had not spent a single minute discussing cybersecurity.”
Bharara has considerable credibility in this discussion, as his office has aggressively pursued trade secret and economic espionage cases, including the U.S. v. Aleynikov and the Starwood/Hilton trade secret prosecutions. We should heed what he says.
What can companies do? First, Bharara urges that companies adopt a culture of disclosure, meaning that companies need to be willing to acknowledge attacks when they occur and promptly partner with federal authorities to address them.
Second, in a point that I have emphasized in the past, Bharara recommends that companies create and foster a culture of security. He cites a recent Verizon study concluding that 97% of recent security breaches were avoidable. Bharara argues that we are “overthinking the threat” and that, rather than focusing on elaborate defenses to ward off attacks by Anonymous, companies should be focusing on fundamentals. He believes that “the more mundane reality is that companies are most often breached by hackers walking down virtual hallways, looking for a single unlocked door. And the proverbial unlocked door can mean entry into the entire data network.”
Third, “the most important step is the most obvious and fundamental one: understanding the threat in a comprehensive, serious manner.” According to Bharara, companies need to commit the same resources to developing a plan and conducting audits that they would for any other crisis or serious threat.