Achieving Corporate Cybersecurity Objectives with C-Suite Involvement
Developing corporate strategy is one of many C-suite responsibilities. Whether you are the CEO, CFO, COO, CSO, CIO or CISO, you must be a strategic thinker who can ensure corporate objectives are fulfilled. Whether you are responsible for protecting intellectual property, controlling finances or managing brand reputation, input from internal and external stakeholders spanning multiple disciplines must be considered in the development of strategic plans. Your corporate cybersecurity plan is no exception. Are you delegating management of your corporate cybersecurity plan to your IT department? If your answer is yes, your cybersecurity plan will likely fall short of C-suite strategic objectives. A counterintelligence and TSCM / Cyber TSCM expert offers insight about cybersecurity vulnerabilities your IT department may overlook.
IT department responsibility includes the architecture, hardware, software and networking of corporate computers. IT managers are tasked with ensuring information flows over the network as intended and adequate safeguards are in place to protect the information. It’s no simple task to manage these responsibilities as well as expectations of super fast Internet speed and flawless email delivery. Ask an IT professional an IT question and the answer will closely resemble a foreign language. However, C-suite executives cannot be intimated by IT lingo at the expense of ensuring cybersecurity objectives are met. If you ask the IT Department Head to explain corporate objectives regarding protection of intellectual property, financial information or brand reputation, it’s likely their answer will be limited to how their IT responsibilities impact these objectives. “A limited cybersecurity strategy does not serve the corporation well, it does not serve the consumer well and it is likely the board of directors and shareholders will not find it acceptable either,” says J.D. LeaSure (CCISM), President/CEO of ComSec LLC.
Another risky practice is assuming detection of all cyber threats is the responsibility of your IT department. Ask your IT Department Head if detecting electronic eavesdropping devices, mobile network man-in-the-middle attacks or IMSI catcher mobile network attacks is their responsibility, and it’s highly likely the answer will be a deafening no. While these cyber threats are credible and can impact your overall cybersecurity, your IT department is not equipped, not trained and does not have the expertise to detect them. Detection of these threats requires the expertise of a seasoned technical surveillance countermeasures (TSCM / Cyber TSCM) expert. “If you’re not including TSCM / Cyber TSCM in your cybersecurity program, you are leaving a very inviting door open to cyber attackers,” says Mr. LeaSure.
What types of cybersecurity threats does a TSCM / Cyber TSCM expert detect?
- Eavesdropping devices connected to networks that facilitate a man-in-the-middle attack, routing corporate information to a third party via the cellular network.
- Use of an IMSI catcher to reroute cellular data (emails, text message, voicemails, etc.) from mobile devices to a third party.
- Hybrid electronic eavesdropping devices (e.g. a CAT 5 cable with an embedded fiber optic microphone). The eavesdropping device looks like a normal CAT 5 cable, but the device is actually used to eavesdrop either real time or remotely.
- Malware and spyware on mobile devices introduced into the work environment by “bring your own device” (BYOD) policies. The devices are used to capture corporate information and reroute it to a third party.
To further complicate the issue, consider also that breaches of cybersecurity defenses generally occur in the physical realm before they exist in the cyber realm. The mechanism for syphoning your valuable information is most often a physical device. For example, a disgruntled employee transfers trade secret information to your competitor via a USB device, the maid plants a listening device in the CEO’s office, a foreign national downloads a key logger on the design engineer’s computer, or a competitor hires a hacker to access mobile data using IMSI catcher technology. The breach originates with a physical device, and the end result is loss of your valuable information. Until the physical source of the breach is identified, the information leak often cannot be stopped.
And, hacker behavior should also not be overlooked. Hackers seek to capture the greatest amount of the most valuable information from your corporation using the path of least resistance. They are not enticed by the challenge of getting the information; they are enticed by the reward. If they can find a way to exploit a flaw in your cybersecurity defenses for their gain, they will. Also, consider that hackers are always searching for a faster and easier method to gain access to your valuable information. The strategies, devices and mechanisms they use constantly evolve as old security issues are resolved and new technologies are developed. Corporations simply cannot risk implementing a cybersecurity program that does not consider the nature of hacking or the continually evolving methods used by hackers to breach corporate cyber defenses. If your corporation manages information a hacker deems more valuable, such as health information, banking / financial data or public utilities, you are at a heightened risk of a cyber attack. Why? Because, this information commands a higher price on the street.
Corporate cybersecurity programs require input and involvement from internal and external stakeholders spanning multiple disciplines, including a TSCM / Cyber TSCM expert. To achieve corporate strategic objectives, C-suite executives must be intimately involved with development and management of their cybersecurity plan. Relying on the IT department to manage corporate cybersecurity is not an effective strategy for protecting valuable intellectual property, preserving customer data or satisfying board member and shareholder concerns. Mr. LeaSure adds, “Corporations rely on the Internet, electronic data, enterprise networks, mobile devices and cellular networks to conduct daily business transactions, so cybersecurity must become a C-suite priority because the future of the corporation depends on it.” To learn more about including TSCM / Cyber TSCM in your cybersecurity program, contact ComSec LLC.
J.D. LeaSure (CCISM) is the President/CEO of ComSec LLC, a global provider of world-class counterintelligence and TSCM / Cyber TSCM services. Learn more at www.ComSecLLC.com
*Cyber TSCM ™ is a trade mark of ComSec LLC
© 2015 ComSec LLC. All rights reserved.