In a session at NRF Retail Converge, Admiral Mike Rogers, former director of the National Security Agency, discussed cyber threats and risks with Matt Dunlop, chief information security officer at Under Armour.
Dunlop kicked off the session by noting that he hears about a cyberattack seemingly every day. Rogers agreed, saying that in the past few years, many U.S. companies have been the target of cyberattacks, often resulting in leaked data and hefty ransom payouts. With increased remote work during the pandemic, the frequency has only increased.
The more attacks that happen, the more media coverage they receive, which includes sharing the ransom payout the attackers received. That just incentivizes criminals to continue targeting large companies, Rogers pointed out. But despite these criminals receiving millions of dollars, only 8 percent of companies get their data back.
That loss of data is particularly damaging for retailers, whose reputations and revenue can both be hurt by a cyberattack. “As you look across the retail space,” Dunlop said, “if you can impact our ability to pick, pack, and ship, you can impact our revenue.”
While most companies are spending their money and efforts on a cyber defense system, Rogers said a focused adversary has a high probability of success no matter how much money is being spent on defense.
“Cybersecurity needs to include both cyber defense and cyber resiliency,” Rogers said, explaining that companies can not only prevent attacks but also take action during them.
One major component is understanding the network structure inside and out. Rogers said he has seen cross-connects between business and IT sides of a network that employees are unaware of, which leaves them vulnerable. “You cannot defend what you cannot see,” Rogers said. “The cyber security strategy will be flawed if you don’t know the gaps.”
Part of understanding those gaps is recognizing the human element of cybersecurity. Cyber professionals must find ways to explain complicated issues in ways non-cyber professionals can understand. Every individual in an organization plays a part in strengthening cybersecurity, Rogers said, but they can also easily undermine it if they do not understand what a cyberattack might look like.
Rogers closed the session on a positive note, noting the increased awareness of cyberattacks, and emphasized the need to move beyond awareness and figure out new solutions.
“Continuing to do the same, but expecting a different outcome is ridiculous,” he said.