Given all the cyber­se­cu­ri­ty fail­ures we’ve wit­nessed thus far, could it be any more clear that our legal and gov­er­nance incen­tives and mech­a­nisms for pre­vent­ing and deal­ing with cyber­se­cu­ri­ty attacks are not prop­er­ly aligned? Here’s the lat­est data point: The CEO of Talk­Talk was paid almost £2 mil­lion on top of her base pay of £550,000 in 2015 which includ­ed Talk­Talk’s lat­est cyber attack and result­ing loss of 95,000 sub­scribers.

I came across this news over at the CFO Net­work group on LinkedIn where Conor Marken recent­ly post­ed a link to an arti­cle enti­tled Fine Firms For Cyber Secu­ri­ty Fail­ures. The arti­cle reports that in the UK, mem­bers of par­lia­ment recent­ly con­sid­ered whether com­pa­nies should be fined if they fail to guard against cyber attacks. This comes as they dis­cuss last year’s Talk­Talk hack. Here’s the best line:

The com­mit­tee also rec­om­mend­ed that CEOs’ pay should be linked to effec­tive cyber secu­ri­ty;

Great sen­ti­ment, but who knows if that would real­ly work? Link­ing CEO pay to oth­er per­for­mance fac­tors has­n’t turned out as well as we hoped. Har­vard Busi­ness Review was sour on the whole idea as ear­ly as 1999. And here’s their lat­est take on it: Stop Pay­ing Exec­u­tives for Per­for­mance.

I’m not sure what the big fix is for the fact that many of the same qual­i­ties of the Inter­net that lets Ama­zon dom­i­nate are the same ones that are fuel­ing the rise of online crim­i­nals (bul­lies): Low-cost, glob­al reach, most­ly auto­mat­ed, and large­ly anony­mous. How­ev­er, it is clear that the legal and gov­er­nance incen­tives and mech­a­nisms are not prop­er­ly aligned.

So, what should we do?

Did you know that lean­ing into your cyber risks can be a source of com­pet­i­tive advan­tage? Here’s a stun­ning data point that makes my case.

The NTT Group (Japan­ese AT&T) recent­ly released their 4th annu­al Glob­al Threat Intel­li­gence Report (GTIR). Sim­i­lar to the recent­ly released Ver­i­zon Data Breach Inci­dent Report, the NTT report…

…ana­lyzes attacks, threats and trends from the pre­vi­ous year, pulling infor­ma­tion from 24 secu­ri­ty oper­a­tions cen­ters, sev­en R&D cen­ters, 3.5 tril­lion logs, 6.2 bil­lion attacks and near­ly 8,000 secu­ri­ty clients across six con­ti­nents.

Here’s one of their most strik­ing find­ings for 2015:

Trend data over the last 3 years illus­trates on aver­age only 23 per­cent of orga­ni­za­tions are capa­ble of respond­ing effec­tive­ly to a cyber inci­dent. 77 per­cent have no capa­bil­i­ty to respond to crit­i­cal inci­dents and often pur­chase inci­dent response sup­port ser­vices after an inci­dent has occurred.

You can find this sup­port­ing chart on page 47:

My ini­tial reac­tion is that exec­u­tives are plan­ning for cyber attacks as they do for 100-year floods: We’ll deal with it, if it ever hap­pens.

Giv­en the fre­quen­cy and sever­i­ty of the attacks doc­u­ment­ed in the rest of the report, and all over the news media, that’s not lined up at all with the real­i­ty of today’s cyber risks!

But back to the oppor­tu­ni­ty for com­pet­i­tive advan­tage: What if your fiercest com­peti­tor was a mem­ber of the 77% and was cyber-attacked? They could expect to bleed cash and be dis­tract­ed for months. Now what if you were one of the 23% able to effec­tive­ly respond to a major cyber­se­cu­ri­ty inci­dent? How would that boost dig­i­tal trust with your cus­tomers and part­ners? How much rep­u­ta­tion would you save by hav­ing your experts get out in front of the sto­ry? And, how much more quick­ly could you get back to work­ing on what’s most impor­tant to your busi­ness?

By the way, if you want a glimpse at data breach response done very well, check out this cri­tique of Anthem Blue­Cross BlueShield­’s 2015 data breach. If you want to see a poor­ly done exam­ple, here’s a cri­tique of Talk­Talk’s slow, awk­ward response.

Which one would you rather be?

A few weeks ago I talked about why pay­ing ran­som to get your data or com­put­ers back online was a bad idea: Like any bul­ly, once they suc­ceed in get­ting your mon­ey it will embold­en them to demand more and from more peo­ple.

But it turns out that at least one ven­er­a­ble Amer­i­can insti­tu­tion thinks you should pay: The Fed­er­al Bureau of Inves­ti­ga­tion.

Yep, the FBI says you should pay up. They are, in fact, on record (Octo­ber 22, 2015) telling peo­ple to pay the ran­som:

Joseph Bonavolon­ta, the Assis­tant Spe­cial Agent who over­sees the FBI’s CYBER and Coun­ter­in­tel­li­gence Pro­gram in Boston, spoke at the 2015 Cyber Secu­ri­ty Sum­mit and advised that com­pa­nies infect­ed with ran­somware may want to give in to the criminal’s demands.

After my post went online, I heard from a col­league who told me:

I was pre­sent­ing in an Infra­gard brief­ing at the FBI office, and they basi­cal­ly told every­one there was noth­ing they could do if it hap­pened, that they were pret­ty much on their own. There is also no telling what the ran­somware left behind for anoth­er go-round, or con­tin­ued sur­veil­lance while it held the sys­tem cap­tive. Mere­ly breath­ing a sigh of relief and think­ing you are in the clear a real­ly bad idea.

Although it’s still the right thing to do, I know that not pay­ing the ran­som is dif­fi­cult, even if you have good back­ups. It’s not as fast as just pay­ing because it takes a lot of time to restore and you’ll still lose some data. And, whether you pay or not, there’s a good chance you will get hit again with a new strain of ran­somware, so why fight it?

I won­der what the dom­i­nant type of back­lash will be as more US cit­i­zens wake up to the fact that law enforce­ment can’t help them pre­vent or recov­er from these new cyber crimes? Anger? Fear? Vig­i­lan­tism?

What do you think is most like­ly?