Freelance writer John Grainger (previously of The Yorkshire Post) meets Miguel Clarke, former FBI special agent, now cybersecurity adviser, who explains that business leaders need to learn a new set of responses to cybercrime.
When a large UK outsourcing company was hit by a ransomware attack this year, it did what every victim of cybercrime usually does: it kept quiet about it.
That's because the reputational damage can be costly, and that's on top of the immediate financial loss, which in this case was believed to be in the many millions.
"I can promise you, that CEO probably wishes that he or she had had some practice with ransomware before having to face the press," says Armor cyber-security evangelist Miguel Clarke.
Clarke has been tackling computer crime for over two decades, making him something of a pioneer in the field. He joined the FBI in 1998 and after a couple of years "jumping out of moving vehicles and putting the bad guys in jail", he started to focus on matters digital, moving to the National Cyber Investigative Joint Task Force and specialising in intrusions from the People's Republic of China.
He's now a "civilian" and a highly sought-after cyber-security consultant to companies that are serious about making themselves impregnable to online attacks.
As well they might – cybercrime is currently worth over $6 trillion a year, which would already give it the third-largest GDP in the world if it were a country, and it is forecast to grow to £10.5 trillion by 2025. It's more profitable than the international drug trade and larger than every national economy except the United States and China. Little wonder it comes up for discussion every year at the World Economic Forum's annual shindig in Davos.
Miguel recently came to the UK to speak about the issue at a number of events in London, Leeds and Birmingham, at the invitation of Digital Craftsmen, one of Armor's UK partners. His answer to the cyber-crime wave is, if you will, all in the mind.
"In the FBI, you are the individual – maybe the only individual – that stands between accomplishing the mission for the United States and failing," he says. "So, you have a 'no fail' mentality. We don't ever give up.
"If I were to be walking down the street and someone were to punch me, I wouldn't consider myself to be a victim. I would consider myself to be a combatant in that fight, even if I didn't end up winning.
"We've all heard those stories where somebody fought back. I think that's an energy we can capitalise on in cyber-security, because it's not necessarily something that needs to be paid for. That is what I am espousing: a mindset, and it prioritises training with the idea of resilience behind it."
But what does that mean in a business context? After all, very few targeted companies will see themselves as "combatants who didn't win".
"First of all, you need to prepare," says Clarke. "You need to ask: 'What are those elements that would create a business-ending scenario for us?' And what decisions do I make today if I know that I'm going to have to speak to the press on Friday about the huge ransomware that's going to hit my company on Thursday? Why wait until it happens to make these preparations? We have to think about resilience. We have to think about 'how are we going to be OK?', and that's the difference really between a victim and a combatant."
Those are questions that a lot of companies that have spent millions of dollars on cyber-security have never thought to ask. They may have cyber-security policies in place, but have never rehearsed what they would do in the event of a breach.
"They need to take half a day to game-plan the thing out," says Clarke. "And they need to make it a challenge, because it's better to have a friendly challenge than for these things to play out in real-time in front of the press."
While playing "what if" may sound hypothetical, cyber-attacks are anything but for many British companies. According to UK government figures, 39% of UK businesses experienced a cyber-attack in 2022, and of these 31% estimated they were targeted at least once a week. The cost of each attack was reckoned at £4,200 in 2021, but for medium and large businesses it was more like £19,400. For the largest businesses – like the outsourcing company – the costs often run into the millions, or more.
To spoil the criminals' party, Clarke recommends that targeted organisations never, ever pay the ransom. Not only is it costly, but there's also no guarantee the bad guys will keep their side of the bargain. In some cases, online extortionists have tried to monetise a single breach three times: once through a payment to unlock the encrypted data, again through a ransom demanded under threat of making the breach public to cause reputational damage, and a third time by selling the stolen data on the Dark Web.
Clarke says: "It's like somebody's holding you hostage and they're saying 'give up your gun' and then you're like, 'OK, I'm going to give up my weapon to you, and now I have no power and no choices – you dictate everything'. And companies are actually doing this."
The answer, of course, is to pre-empt such attacks, or as Clarke puts it, "to have a post-breach conversation, pre-breach". But while many CEOs are taking the issue seriously – 82% of UK senior managers say they see cyber-security as a high priority – others are still only paying lip-service to the dangers.
"I don't think that everybody's going to be able to do what we're espousing," says Clarke. "Some people want to be great, some people good, and others just want to be compliant. The conversation we're having right now is for those folks that want to be great. The ones who just want to be compliant will eventually just go out of business because they manage risk poorly. The ones that want to be good will eventually figure out 'I'm going to need to be great to stay alive, to stay in business'."