What You Should Do About the SolarWinds Hack

Making sure you have a system to protect your information is a top priority

Federal authorities are now convinced that Russia is behind a cyberattack so massive and so serious that they either don’t want to go into details or can’t. I’m not sure which is worse. The small amount of information available can be found on every major news site, so I won’t rehash it. Instead, I want to offer you a strategic approach to dealing with an immutable law of 21st-century life: “There are only two kinds of companies: those that have been hacked, and those that do not know they have been hacked.”

A little historical context

The idea of protecting business intelligence is as old as business itself. Since Italian mathematician Luca Pacioli published his treatise on double-entry accounting in 1494, accountants have been writing in ink. In a double-entry system, nothing is erased. If a mistake is made, a reversing entry is made to correct it. The goal is accuracy, permanence and a secure chain of information. Historically, accounting journals and ledgers were so valuable that they were locked in safes at the close of business each day.

Fast forward to the advent of our online world. The business units needed ecommerce, they needed to collect data of every kind, and they needed to connect it to the company’s books. IT was asked to take something that had been literally locked in a safe each night and figure out a way to make parts of it accessible. What could possibly go wrong?

This is, admittedly, a gross oversimplification, but the metaphor is valid, and it presents a good mental model for a simple and effective strategy to combat the most serious social engineering and cyberattack vectors.

Classifying your information

The U.S. government has three levels of document classification: Confidential, Secret and Top Secret. All other documents default to “unclassified,” which means anyone who can access them can read them. If you want to get deep into how the government classifies documents, Google it. There are about a million writings on the subject.

What you need to think about is the hierarchical value of your data. What does “Top Secret” mean in your organization? What’s “Secret?” What’s “Confidential?” Do you have other levels? What information must be protected at all costs, and what information are you comfortable seeing publicly available online?

If you don’t have a document hierarchy, it’s time to create one. You can’t protect everything—truly Top Secret information can be kept top secret, but there is a real cost involved. So, do your research and create clear guidelines for your document hierarchy. The best ones I’ve seen are super simple to understand and easy to execute. This is a workflow and process project. Bring your information management people in early and make this a solid group effort. You may benefit from working with a risk management or cybersecurity consultant.

There are several proprietary document processing tools that can scan work product and determine its classification. There are all kinds of privacy and “Big Brother” issues with this kind of tech, but it is an option you might consider.

Protecting your information

Once you’ve implemented a document hierarchy, it’s time to pick an encryption scheme and storage solution. This is another job where skilled consultants may be of value.

The strategy is simple. You will invest appropriately to protect documents and information you have decided you must protect. You will let everything else enjoy common protections offered by commercial-grade systems.

This extra level of protection is well understood by every risk consultant and cybersecurity expert. There is nothing magical about it. There are encryption algorithms so effective that breaking them would cost the hackers more time and money than your information is worth. But to design and socialize systems that offer this level of protection requires both a serious share of mind and a serious share of wallet. If it’s not a priority, if it’s not top-of-mind, if it’s not part of an established workflow, if it’s not a habit, if it’s not as important to you as locking your door at night, if it’s not done by absolutely everyone in your organization, then there’s no point.

A security system is only as secure as the third-party-provided FTE who writes their password on a Post-it note.

Key takeaways from the Great Hack of 2020

There’s nothing you can do about the alleged Russian hackers and the SolarWinds debacle. That’s for others to deal with. If your company has been impacted by it, you’ll know soon enough—or not, because it is thought to be very stealthy malware. But you can implement a set of solid cybersecurity protocols to protect your most valuable information, and buy some cybersecurity insurance to cover the rest.