Risky Business: David X Martin Shows Fortune 100 Firms, Banks, and Hedge Funds How Not to Get Hacked
David X Martin has worked for and consulted to some of the biggest banks and healthcare systems in the world. And when he looks at what most companies are doing to protect their information, he just shakes his head.
“It makes me crazy,” he says. “Ticketron got hacked. It was massive. Countless credit cards and other private information stolen. And then what happens a month later? British Airways gets hacked exactly the same way.
“If the people at British Airways had just paid attention to what had happened at Ticketron, they wouldn’t have suffered the same fate. But they didn’t learn from others’ experience, and that’s just typical.”
Martin says that most big firms are reactive instead of proactive when it comes to cyber risk management.
“You’re proactive with your health, right?” he asks. “You get checkups and tests every so often. You want to prevent illnesses, not just treat them when they show up. It’s the same concept. Businesses can’t be passive, sitting around, and hoping nothing bad happens. That’s what American intelligence agencies were doing before 9/11, and we all saw how that worked out. Organizations need to prevent attacks, not just respond after the fact.”
In his work consulting to boards and serving as an expert witness in major cyber risk management cases, Martin preaches the gospel of cyber wellness. “Your own personal wellness is much more than just the absence of disease — it’s bigger, more holistic than that — it’s a lifestyle. Personal wellness is about maximizing your fullest potential as a human being. Likewise, cyber wellness is about maximizing your company’s fullest potential. Cyber wellness is a business strategy that needs to be the priority of boards and executive leadership. Soon, boards will be required to have a Director who has cybersecurity expertise.”
What prevents organizations from being proactive about cyber wellness? Their own operating structure, for one thing. “Most of these companies aren’t even thinking about what they need to protect. They’re spending hundreds of millions of dollars on cybersecurity, but everything is completely siloed. The IT people don’t know what the business people are thinking about, and vice versa. So the first step to achieving cyber wellness is cultivating cooperation and communication between silos and getting everybody on the same page.”
Martin adds that most companies overlook or ignore what the most insidious threats are.
“It’s not just stealing data,” he says, “which is the typical hack. It’s the thing you see every day — department store chains, credit bureaus, and credit card issuers think that their data is protected. But somebody finds a back door, and just like that, fifty million customers’ personal data has been compromised.”
But that’s not even the biggest threat in the world today. “The real threat is people coming in and taking our information for ransom — or perhaps simply altering data. Banks, hospitals, and businesses aren’t even thinking about this.”
According to Martin, the threat works this way: Bad actors hack into the files of a small town or city, a hospital, or an accounting firm. They tell the victim that unless they are paid ransom money, they will either change or destroy the information.
“If you’re a hospital,” Martin says, “and you can’t be sure whether the information in your patient files is accurate or not, you’re in huge trouble. At least hospitals have the resources to do something about it, and I’ve helped many of them. But what about your typical small city or town? They don’t have the resources to do real cybersecurity. And they certainly don’t have the money to pay a ransom. If they get hacked, a lot of people will be in big trouble. And this is the wave of the future.”
Martin, who has written two books on the subject of risk and is working on a third, has consulted to major accounting firms on this issue. “Can you imagine an accounting firm where bad actors have gotten in and stolen or corrupted the data?” he asks. “How could they function? Unfortunately, most of them aren’t even thinking about these things. But they need to, because these sorts of attacks are happening with increasing frequency.”
Martin points to the cloud as another place where serious mischief can occur.
“Businesses, hospitals, hedge funds, banks, insurance companies — they’re all putting information in the cloud,” Martin says. “But once they’ve turned their information over, how do they know what level of protection they really have? The simple answer is: they don’t. There’s only one front door to a cloud. Any bad guy who can get into that front door has access to a lot of deeply personal, private information. It’s like sharing a toothbrush with a stranger. If you wouldn’t do that, why are you sharing your precious data in places where strangers can get at it?”
Martin describes himself as a realist, not an alarmist. “When I consult,” he says, “it’s all about alerting people to the real dangers that exist today, and then getting everyone in the enterprise on the same page in terms of recognizing and solving the problems. It’s a little like building a house. The architect has one opinion, the contractor another, and the landscaper has ideas of his own. You end up with a one hundred percent cost overrun and you never got what you wanted, because you didn’t really know what you wanted.
“To an amazing degree, it’s the same thing with cybersecurity, even in some of the best known, biggest financial institutions, hospitals, and hedge funds in the country. They don’t know what they want, they don’t know what they need. There’s no sharing of information within the organization, and as a result, there’s no real security.”
Martin says that cybersecurity actually begins with the frontline employees, who put tons of private information in email, social media, or Facebook, and then fail to change their passwords on an appropriate basis. That’s where every organization’s chief vulnerability is — it’s their own frontline employees.
“I created an interactive video game to show companies how to train people in security issues,” Martin says. “In the game, you’re the villain trying to get into the company, and the further in you get, the more points you achieve and the bigger you become.
“Hands-on training games are a terrific way for employees at all levels to discover and understand their own role in preventing cyberattacks,” Martin says. “But in real life, cybersecurity and cyber wellness are not a game. They are serious issues, and any company that ignores them invites a crime of opportunity just waiting to happen — they’re almost begging to have valuable data stolen, ransomed, or changed. It’s my job to make sure that doesn’t happen.”