WikiLeaks recently published several documents reported to be from the Central Intelligence Agency, revealing a glimpse into the digital secrets of the CIA's hacking ability and digital espionage tactics. The release of information is so large that it is hard to comprehend, but what does it mean for your small business? Should it change what your small business does in cyber security strategy or affect what you can do?
According to WikiLeaks, an anti-secrecy organization, thousands of CIA files have been leaked to it and will be released on the WikiLeaks website over time. Currently, there are nearly 9,000 CIA files that have been recently published on the website. The release confirms what many have suspected for years. The CIA has a vast number of offensive cyber weapons at their disposal. These cyber weapons could target any person or organization anywhere in the world.
According to the reports, the CIA has weapons that can attack a variety of operating systems like Windows, iOS, Android or even programs running on those systems, such as WhatsApp.
They also have tools that can collect information on specific computers or individuals. The documents detail weapons that can take over web cameras, turn a thumb drive into a listening device and use a phone to record conversations.
Maybe more concerning, the reports indicate that the CIA also purchased cyber weapons from third parties.
Scary, right? Sure, all of the information that has been leaked is scary. From a privacy standpoint, it could cause people to question what is truly private and what is truly protected. However, I look at the disclosure a little different.
I have always assumed that the CIA, and similar organizations, have been capable of the actions recently reported. If they wanted to target me, I would assume they had the capability and tools to do it. Is it disconcerting? Sure, but it saves me from being worried about it.
The breach and release of information is definitely an embarrassment to our security agency. The documents have created an international crisis in which foreign governments may question our motives and even actions, but what does it mean for a small business or businesses in general?
Generally, it may mean that the development of the Internet of Things (IoT) could slow down over privacy concerns. It could mean activities requiring confidential or sensitive information being held on phones or tablets slow down. New voice activated devices, such as the Amazon Echo, could be less accepted by society than current levels.
From a positive standpoint, it could mean that companies patch their known vulnerabilities faster. It also means that more companies will purchase cyber insurance, ensuring that their plans cover all possible costs, including revenue lost during the breach. However, it is possible that premiums could go up.
But what about a small business? I often advise businesses to ignore the attacks that involve a huge expense and targets a particular business. For example, the Stuxnet virus targeted a specific computer running a specific programmable logic controller running a specific nuclear facility in a specific part of Iran. It was very focused and cost a large amount of money. If the organization that created the Stuxnet virus targeted your business, there would be very little you could do about it.
The CIA breach should not change much about your cybersecurity strategy. Yes, there are more avenues into your system than previously known. Yes, there are chances that bad actors could obtain these tools. Your business should consider the risks, but also realize that the larger risks to your organization haven't changed.
The same five security recommendations still apply:
n Create a security policy and follow it.
n Use strong passwords.
n Provide user awareness training regularly.
n Invest in security technologies, in a layered defense in depth manner.
n Regularly conduct audits/assessments of your company's security.
Your company has a better chance of being hacked due to a weak password than being targeted by the CIA. Your company has a better chance of getting ransomware due to someone clicking a link in a phishing email than your company being specifically targeted by the CIA.
If your organization was truly targeted in a large and focused way by the CIA or similar organization, would it be worth their effort? There are some businesses that are working in areas of national security. For the bulk of businesses in the region, it isn't that important. And frankly, if it was worth it, your business probably can't afford to stop it.
Focus on the attacks that you can prevent and are likely to occur. Your business has only so many resources to invest in security.
Focusing on the CIA capabilities is likely not the best use of resources. It is definitely a data point to include, but do not let it alter your company's security strategy.
Michael Ramage is the director of the Center for Telecommunications Systems Management (CTSM) at Murray State University. CTSM conducts research in the various areas of technology as well as serving as a liaison between the academic and private sectors to see that a sufficient technology workforce is available. He can be reached at email@example.com or 270-809-3987 for questions or more information.
Check out these recently discussed stories and voice your opinion...