A few months ago I was participating in a cybersecurity forum aimed at corporate boards of directors. We’d split into smaller teams to do a problem-solving exercise. The gentleman seated to my right was a member of the board of directors of a bank in a Southeast Asian nation. He told me he was having difficulty getting his fellow board members to engage in serious cyber planning. When I asked where they were in the planning cycle he said, essentially, nowhere. In fact, he said they had just faced a cyber attack in which the bank’s ATMs had suddenly started spurting money. I presume he was referring to the Carbanak malware identified by Kaspersky, which underpinned what Kaspersky termed “by far the most successful criminal cyber campaign we have ever seen,” an effort that may have relieved banks around the world of about a billion dollars.
I asked what the bank did to respond to the attack. He said, “We voted to ignore it. We did not wish to call attention to the fact we were not prepared to protect against or respond to this kind of attack.” At first blush the answer was hard to believe. One immediately thinks that some combination of media coverage, regulatory intervention, law enforcement and/or simply word of mouth would prompt action. But not, it seems, in this instance, which prompted me to wonder just how much culture impacts response. It seems the answer may be, a heckuva lot.
The AP just reported that in Japan, “even with the frequency and severity of cyberattacks increasing rapidly worldwide, efforts by the world’s third-largest economy to improve its data security are being hobbled by a widespread corporate culture that views security breaches as a loss of face, leading to poor disclosure of incidents or information sharing at critical moments… .” The article quotes William H. Saito, the top cybersecurity adviser to Prime Minister Shinzo Abe, who notes that the problem is twofold. Rank-and-file workers fear reporting security lapses may get them punished, and there is a lack of understanding of cybersecurity among Japanese executives. According to Saito, “This is Japanese culture where in some situations the upper management doesn’t know how to use email and IT integration is voodoo magic.”
In much of the world the story is similar. Mandatory requirements for disclosing incidents and sharing threat information do not exist, and standards of acceptable behavior are in the very formative stages of development. Unfortunately, this tilts the scales dramatically in favor of cyber criminals, who face no such inhibitions about sharing what works. Trying to change national culture around cyber preparation is a very challenging task.
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
You can view previous blog posts on cyber risk management here.
November 10, 2015