Abstract
Almost every organization today is also a technology company. Yet most of their senior decision makers persist in denying it. And because they deny it, they can’t see themselves the way cyber criminals do: As an organization that cannot perform its primary function without computers. And that’s what makes them a prime target for ransomware attacks.
Article
Can an organization have an identity crisis? It can. And in fact, this happens a lot. There are many examples, and some of them are really amazing.
One of the biggest examples of an identity crisis happened at Kodak, the camera and film company. In 1975, a Kodak engineer in the company’s research and development labs actually invented the digital camera as we know it today. Kodak even patented it. But the digital camera wasn’t commercialized until 15 years later. The first digital camera to actually go on sale in the US was the Logitech Fotoman in 1990.
So why isn’t Kodak dominating the digital photography market?
Kodak was founded in 1892 and they spent almost a hundred years in the film business. First they started with dry plate photography. This is the technology that Ansel Adams used to make his iconic black-and-white images of the American West. Later, Kodak switched to far more efficient film.
In 1996, its peak year, Kodak had over66% of the global market for film. The Kodak brand was the fifth most valuable in the world. Their revenues reached nearly $16 billion and the company’s market value was over $31 billion. Ever hear of a “Kodak Moment”?
But by 2012 they filed for bankruptcy. Why? The company leaders saw themselves as a film company. They just could not shake this identity. “We are the film people.” And really what they were was the snapshot picture company of the world. Because, as we’ve since learned, people wanted to take snapshots. For consumers, it was never about the film, but Kodak got so hyper focused on the film that they just couldn’t let go of it.
Organizations definitely can have an identity crisis. But what does this have to do with cyber-crime or cyber risk management?
Almost every organization today is, in fact, a technology company as well as something else. Fishing, farming, banking, healthcare, oil distribution, and mortgage brokering are just a few examples.
And that’s because they can’t serve their customers either partially or at all without their computers. They have computerized everything and they can’t do anything without them.
And what’s shocking is that most of their senior decision makers persist in denying it. They will not true up to the fact that they are technology companies that happen to know a lot about making consumer beverage cups or growing crops or whatever they sell. But most commerce in the modern world cannot be done profitably without computers.
And because of this identity crisis, organizations can’t see themselves the way cyber criminals do. Cyber criminals see an organization that cannot perform its primary function without computers, and that is what makes them a prime target for things like ransomware attacks.
On January 12, 2022, the Wall Street Journal,, published a relevant story. In December2021, a 200-location hotel chain in Europe called Nordic Choice suffered a ransomware attack. They shut down and disconnect all their computers from the Internet, and then they went into a business continuity mode.
The staff shifted over to pens and paper. And because the door locks to the guest rooms were computer controlled, they couldn’t create digital key cards. And even if they could, they wouldn’t work because the computers controlling the doors were down.
The staff had to escort guests to their room and let them in. Now, I don’t know how in the world that was tenable over time because I would imagine guests could lock themselves out very easily and routinely. In the article, it talked about how the hotel management was really frustrated with this because the pandemic lockdowns were finally lifting.And they’ve been suffering as a business for months and months, and were probably just glad to still be in business.
And here it was, five, six weeks after the cyber-attack, and all of these computers that provided door locks, music, and all types of guest services either weren’t working or they were unreliable.
Based on forensic analysis, the attack was most likely the result of a phishing email. It’s a super common way to get hit. And it came from a tour operator. So how much was the ransom and did they pay it?
The gang that attacked, Conti, demanded $5 million. Two or three years ago, ransoms were often in the $10,000 to $50,000 range. But Conti is really good at extortion because it’s not just about getting your data unencrypted. They will also threaten to release the data that they have on the open Internet as a way of convincing you that you really do need to pay them.
But the hotel said, “Nope,” and Conti published the personal data of their employees, including their bank accounts and their government issued identification numbers.
And Nordic Choice stood firm. And instead of giving in, they actually called their employees together and said, “Okay. Your personal data has been compromised. Now, what we want to do is train you to protect yourself from identity theft. We’re sorry this happened. And oh, by the way, we’re also going to do a GDPR notification to the Norwegian Data Protection Regulator, because that’s the law of our land.”
Nordic Choice then began training its employees to prevent this kind of ransomware from happening again. And the article had a quote from the vice president of technology of Nordic Choice who said, “Most people just can’t keep up.” And then the VP continued, “It’s just not what they know. We’re hoteliers. We’re not tech experts.”
This, I think, is the definition of an identity crisis. And it’s causing organizations to assume way more cyber risk than they need to. “We’re hoteliers and we’re not tech experts” were both true statements at the time. But the problem is those statements also make them vulnerable to more cyber-attacks.
Companies might not consider themselves to be a tech company, but that doesn’t mean they aren’t one. And it doesn’t mean that the criminals will say, “Oh, they’re just hotel people. They’re not worth attacking.”
Today, you can’t profitably operate a hotel, or pack and ship apples, without the technology that is deeply embedded in your operations. Which makes you a big, juicytarget for cyber criminals.
Here’s one more example that comes directly from my work. Recently, I was talking to a chief financial officer about their top cyber risks. This is what my company does: We help our customers figure out their top cyber risks, we make them a prioritized mitigation plan, and we make them an implementation roadmap.
So I was going through all this with the CFO who had hired us. And I could see the CFO was following the conversation. And then at some point, the CFO had this look on their face, and it was weird. And I stopped talking and I just waited a moment because it felt to me like the CFO wanted to say something, but they were just struggling for words. And then finally they looked at me and they said, “I can’t believe I’m having this conversation.” And that caused me to be really confused. I wasn’t sure what I was about to hear.
And I thought, “Well, maybe our work was completely off base. Maybe the mitigation plan is terrible and the CFO just realized it and has to now say, “No, this is schlock. You have to start over again.” I didn’t know. So I just kept being patient.
Then the CFO said, “We’re not tech experts. We’re just farmers.”
And the hair on the back of my neck went up as I heard that.
When a CFO says that, what I interpret them to mean is, “I don’t have to pay attention to tech because I’ve got a team of people who pay attention to tech. And I’m just going to assume that they’re doing what they need to do. I’m not going to get involved.”
And I remember one time I was talking to another business leader about the ability to detect intruders on their network. And I remember they asked me, “Why is that so important?”
And I said, “Well, you have a warehouse full of stuff, right? You have a warehouse where people are assembling stuff that you’re going to sell. Don’t you have video surveillance cameras in your warehouse? Wouldn’t you want to know if somebody is in there and they’re not supposed to be? And isn’t that important to you that only authorized people can be in that warehouse?”
And they said, “Well, yeah.” And I responded, “Well, then why don’t you feel the same way about your network? Shouldn’t you? Because you have all these assets on your data network, but you have no idea who’s actually on it. And it seems to me, you should feel just as protective about your network as you do with your warehouse.”
How should an organization resolves an identity crisis like this?
I wish I had a magic wand. I need a bag of magic pixie dust that I can just sprinkle on the organization and make this crisis go away.
I’ll tell you how I got sensitized to this identity problem within the context of cybersecurity. I was reading about habits. Why do some people have bad habits, whether it’s smoking or drinking or whatever? Or, why do some people lack good habits like lack of exercise and eating correctly? And the author of the book said that a lot of it has to do with identity.
So for example, if you’re a drinker and you want to quit drinking, you’ve got to first see yourself as not a drinker. You’ve got to have a new identity that says “I don’t have to drink to live my life.” And if you overeat, you have to somehow reorient your identity to, “I’m a person who eats healthy” and then act consistently with your new identity. So identity is such a foundational aspect to habits. To whether you can lose bad habits or gain good habits. And cybersecurity, whether you have too much, not enough, or just the right amount, is definitely driven by habits.
So, good cyber hygiene has to start with senior decision makers. They set the tone at the top. If they declare that, “We are not tech experts because I’m not a tech expert,” then the entire organization is going to adopt that worldview. So, to get out of this identity crisis, senior decision makers have to become self-aware that it’s possible for them to have some technical expertise. That they don’t have to be a person with deep technical skills, but that they can associate themselves with technology, and that it’s possible for them to think about their network the same way they think about their warehouse. That it’s a space that’s important to them, and that should be guarded, and you should know who’s in there and you, and you should toss out the people who don’t belong.
It’s going to take intentionality and mindfulness to alter the identity of organizations to include a legitimate technological dimension. And you can’t shift the culture on this point unless the senior-most decision makers want it to shift. Usually, it happens downstream from a cyber crisis. It’s very difficult, but it’s possible to do before a crisis erupts.
IBM did it in the 1990s. Senior leadership realized that their future was not going to be hardware. They had been a hardware company that also made software. And they needed to pivot and become a services company before they found themselves in a deep crisis. And it was very difficult. Even though they did it, they had to disappoint a lot of people on their workforce who really loved what they did in terms of hardware engineering.
Microsoft went through the same kind of identity transition. Bill Gates finally realized that the Internet was so important that he pivoted the entire company towards the Internet in short order. And then he did it again when their product security had to be improved. So, it can be done. But the only way it’s going to get done is by the senior-most people.
Whether it’s cluelessness or a willful ignorance, senior decision makers are permitting way more cyber risk than they need to simply because they have an identity problem. They would make their organizations a lot less vulnerable to cyber-attack if they would at least acknowledge their complete dependence on computers and level up their management of the business risks that dependency brings.
What they really need to do is embrace the fact that they’ve backed into a new, technology-heavy identity and then grow and thrive within their reality.
Kip Boyle is a practicing Chief Information Security Officer and the co-host of the Cyber Risk Management Podcast. He’s also the author of the best-selling book, “Fire Doesn’t Innovate: The Executive’s Practical Guide to Thriving in the Face of Evolving Cyber Risks”