The cyber risks you can’t see

Every time someone mentions cybersecurity, I see an iceberg. It’s a handy metaphor to grasp both the enormity and the nature of the risk of using something connected to the Internet.

Here’s the thing about icebergs: it’s not the size that will sink you. It’s the jagged edges lurking under the surface. You never see them coming.

The same idea applies to cybersecurity. It’s not just the number of threats that’s dangerous. It’s that so many of them exist down in the depths, where you might not know they’re there.

Over the years, people have learned to avoid the tip of the iceberg – the obvious threats to traditional IT infrastructure like personal computers. But now, those same people are taking their first look beneath the water line. And they’re finding the hazards are everywhere.

I’m talking, of course, about the Internet of Things. For consumers, this means everything from smartphone-controlled light fixtures to cars that stream performance data to the manufacturer. Refrigerators, coffee makers, even toilets – they’re all being connected for the sake of convenience, and together they’re giving hackers hundreds of millions of vectors for attack. And those bad actors, recognizing a wealth of opportunity, are constantly developing more sophisticated and aggressive methods of attack.

Recently we’ve seen major malware attacks that crippled retailers, banks and even hospitals. Most major institutions have a plan on what they would do if, say, a group of armed robbers burst in, took control of their assets, disrupted their daily operations and threatened customers. But far fewer institutions have thought about what they would do if cyber criminals took control of their digital operations, held critical files and data hostage, and put their customers at risk.

These potential threats now extend to every part of running a business. One of the biggest threats, for example, is to operational technology. Automation has made factories faster and more efficient than ever. It has also made them susceptible to attack. The interfaces that control this machinery require diligent cybersecurity measures such as software patches and constant monitoring for signs of intrusion. Anything short of that puts the assembly line, the products and the customers at risk.

But companies can’t stop at minding their own shop. They also need to know how their supply chains are protecting themselves, and whether they’re doing enough. The same goes for partner companies and acquisitions. A single weakness can put the whole network in danger.

You can see, then, why businesses need cybersecurity protecting everything they use, from the machines in their factories to the systems that control the air conditioning. And if any of their products communicate with anything else, they need to protect those, too.

At my company, whenever we develop new systems, we use an integrated product team. The idea is to get engineers from different disciplines – electrical, mechanical, software – working together to make sure all the dimensions are covered. Today, that team includes cybersecurity engineers. Not only are we doing our normal designs, we’re doing them in a way that makes them resilient to cyber-attack.

Technology has made our lives more convenient and our businesses more efficient. Those are good things. But it has also created that iceberg I think about so much. Luckily, we’re starting to realize there’s much more to it than what we can see. We just have to know where to look.