TechTalk Daily

The Need For A Top Down Enterprise Security Strategy


– By Rex M. Lee

Rex M. Lee is a Cybersecurity and Privacy Advisor/Tech Journalist and Host of CyberTalk TV, PODTV on Roku, Amazon Fire weekdays 2pm CST.
*Article originally published in Mission Critical Magazine

In today’s hyper geo-competitive world, businesses and governments must implement a top down cybersecurity and privacy strategy to eliminate or mitigate threats posed by competitors and adversarial nation-states.

Here is what FBI Director Christopher Wray said to business leaders in London on July 6:

“The FBI has no closer partner than MI5 (UK)… As laser-focused as both our agencies are on the Russia threat…We consistently see that it’s the Chinese government that poses the biggest long-term threat to our economic and national security, and by ‘our,’ I mean both of our nations, along with our allies in Europe and elsewhere … I’ll start with what this danger looks like. The Chinese government is set on stealing your technology — whatever it is that makes your industry tick — and using it to undercut your business and dominate your market … I want to be clear that it’s the Chinese government and the Chinese Communist Party (CCP) that pose the threat, not the Chinese people, and certainly not Chinese immigrants in our countries—who are themselves frequently victims of the Chinese government’s lawless aggression.”

Many businesses, including Fortune 500 corporations and government agencies, fail to implement a top-down enterprise cybersecurity and privacy strategy centered on eliminating or mitigating threats posed to:

  • Networks and critical infrastructure, including Endpoint Devices.
    • Many hacks and malware attacks today are coming from nation-state hackers who are using leaky operating systems and intrusive apps to launch attacks on networks/critical infrastructure by way of endpoint devices such as smartphones or tablet PCs.
  • Confidential information and IP.
    • Most hacks today come from insider attacks launched by employees who are compromised by bad actors such as nation-state actors or criminal organizations.
  • Board members, C-suite executives, government officials, and elected officials.
    • Many business leaders, as well as government/elected officials, can be compromised or leveraged by nation-state actors, including law firms/lobbyists.
  • Middle management and frontline employees.
    • Middle management and frontline employees can be exposed to insider threats associated with nation-state actors or criminal organizations.
  • Supply chain.
    • Many contractors and supply chain vendors can be compromised or leveraged by nation-state actors or criminal organizations.

As a matter of fact, most organizations and government entities do not even employ a privacy strategy regarding threats to end-user business information associated with the use of smartphones, tablet PCs, connected products, and PCs that are supported by leaky operating systems, intrusive apps, and surveillance & data mining business practices employed by operating system (OS) and app developers.

Furthermore, most organizations and government entities do not employ a “cloud exit strategy” regarding highly confidential and protected information supported by critical infrastructure.

Today, most organizations and government entities rely on third-party managed services providers (MSPs), many of whom do not indemnify their clients, even for negligence on the part of the MSP, exposing the client to harm without legal recourse.

Many organizations and government entities only employ a tactical-level cybersecurity strategy that is centered on threats posed mainly to network/critical infrastructure, with little or no focus on endpoint cybersecurity associated with mobile devices, including smartphones, tablet PCs, and connected products in general.

Existential Threats Posed by Connected Technology -- Leaky Operating Systems & Intrusive Apps

In today’s connected world, operating systems and apps are designed to enable the OS and app developer, including those from adversarial countries, to monitor, track and data-mine the end user for financial gain, posing numerous cybersecurity and privacy threats to the end user, including the end user’s employer.

In essence, Google, Apple, and Microsoft are actively distributing Chinese and Russian surveillance and data mining technology in the form of uncontrollable preinstalled apps that support endpoint devices and third-party apps distributed through Google Play, the Apple App Store, and Microsoft App Store.

Intrusive apps from adversarial countries are being banned by many countries, including India, which has banned popular apps and social media platforms such as TikTok, developed by ByteDance of China.

Additionally, leaky operating systems and intrusive apps developed by many multinational corporations pose the same cybersecurity and privacy threats as intrusive apps from adversarial countries because many OS/app developers, such as Alphabet, compete in multiple industries worldwide. For example, business leaders and employees who work for companies that compete against Alphabet may be inadvertently using intrusive Google technology, such as apps, exposing highly confidential business and personal information, including IP, to an existing or future competitor.

All of these threats posed by connected technology are associated with a centralized internet that is controlled by a handful of tech giants who are dominating the industries they compete in due to their monopolistic business models that are centered on surveillance capitalism.

However, there is some hope in the future regarding Web3/Open-Web which is centered on a decentralized internet providing end users with the level of privacy and security that used to be associated with the internet in the 1990s, before major corporations centralized the internet for monopolistic purposes.

Until there is mainstream adoption of a decentralized internet, there are many existential threats posed by connected technology that organizations and government entities need to address with a top down enterprise cybersecurity and privacy strategy.

These existential threats include the following:

  1. Unrestricted hybrid warfare, including tech-based hybrid warfare, waged by business competitors and adversarial countries.
  2. Insider threats posed to board members, senior executives, middle management, frontline employees, government/elected officials, contractors, college interns, and supply chain vendors.
  3. Predatory surveillance and data mining business practices employed by major corporations, operating system developers, and app developers, including those from Russia and China.
  4. Predatory and exploitive terms of use that support leaky operating systems and intrusive apps.
  5. Nation-state hackers who can launch attacks on networks/critical infrastructure by way of telecommunication networks, email, intrusive apps, and leaky operating systems.
  6. Legal malware in the form of addictive, intrusive, and dangerous apps that pose privacy, cybersecurity, and safety threats to end users.
  7. Legal corporate and government espionage by way of leaky operating systems and intrusive apps developed by current or future business competitors, including those from Russia, China and other adversarial countries.

These are just a few of many existential cybersecurity and privacy threats that need to be addressed by government entities, including law enforcement/military; corporations; defense contractors; healthcare providers; academic institutions; legal professionals and small-to-medium-sized businesses.

Here is what Casey Fleming, CEO of BlackOps Partners, had to say about FBI Director Christopher Wray’s comments to business leaders in London: 

“The FBI and MI5 announcement is unprecedented in history. It frames the scale of economic power that has tipped out of our favor requiring a top-down cultural shift in every company beginning with the board and CEO. The shift must align risk, strategy, data, IP, technology, cyber, security, privacy, and the most important element - the ‘human factor.’”

Existential Threats Posed by Surveillance Capitalism and Lobbying

Unfortunately, Google, Apple, Microsoft, and governments around the world are not going to address many of these existential threats that are associated with leaky operating systems, intrusive apps, app developers from adversarial countries, and predatory surveillance & data mining business practices employed by OS and app developers in general.

The problems with addressing these threats include the fact that trillions of dollars in profits associated with predatory surveillance and data mining business practices would be eliminated while negatively affecting the stock values of tech giants such as Google, Apple, Microsoft, Meta, Amazon, ByteDance and other major corporations who have adopted a business model rooted in surveillance capitalism.

The tech lobby as a whole poses numerous cybersecurity and privacy threats to end users of the internet and connected technology in general due to the level of influence powerful law firms and lobbyists hold over government/elected officials, including world leaders.

Surprisingly, in the United States, companies from China can lawfully buy influence over lawmakers by way of powerful K-street law firms/lobbyists such as American Continental Group (ACG), who represent ByteDance, the Chinese developer of the highly intrusive social media app and platform TikTok.

Getting back to FBI Director Christopher Wray’s concerns over China’s ability to steal technology, he states that the Chinese government, including the CCP, are going to use every tool necessary to gain intelligence on their competitors, while using whatever means possible to steal information, including intellectual property.

China is using every tool necessary to accomplish their goals using intrusive apps and social media platforms, such as TikTok, in order to monitor, track, and data-mine end users, including teens, children, and business end users for profit.

As I mentioned in my previous MissionCritical Communications article centered on tech-based hybrid warfare, Bloomberg reported in 2021 that the Chinese government insisted that ByteDance employ a Chinese government official on their board, potentially exposing highly confidential TikTok end-user personal and business information to the Chinese government, including the CCP.

It is paramount that CIOs, CISOs, and IT professionals audit the apps that the enterprise, including any government agency, is using from the board/CEO down to the frontline employee.

Top Down Enterprise Cybersecurity and Privacy Strategy

Since governments around the world, including the United States, are not going to help stop these existential threats associated with connected technology and unrestricted hybrid warfare, it is paramount that organizations and government entities employ a top-down enterprise cybersecurity and privacy strategy that includes:

  1. A “cloud exit strategy” centered on protecting highly confidential and protected information supported by critical infrastructure. Note, it is OK to use MSPs to support general and/or public information.
  2. Best practices associated with business competition, wargaming, insider threats, employee privacy policies, confidential/protected information, network security, critical infrastructure, and endpoint cybersecurity.
  3. Third-party mobile device lifecycle and security management providers.
  4. Mobile device management (MDM) solutions. **
  5. Intelligence, cybersecurity, and simulated business war gaming firms centered on threats posed by insiders, corporations, nation-state hackers, and entities associated with adversarial business competitors and countries.
  6. Corporate counterintelligence centered on domestic and foreign competition, including Chinese and Russian competitors.
  7. Cybersecurity and privacy advisors who have extensive tech, telecom, and cybersecurity industry experience.
  8. Privacy providers centered on protecting confidential business and personal information.

** Note that some MDM solutions are supported by intrusive apps and/or are not secure.

According to Fleming, corporate counterintelligence and wargaming are a requirement to survive in today’s hyper geo-business environment. Here is what he had to say:

“Corporate Counterintelligence, while highly critical, must be coupled with a dynamic tool to apply it to the enterprise and supply chain for execution and adoption. This provides the ability to reveal hidden risk in advance and the ability to quickly pivot out of risk and into new opportunities.

“Tailored Business Wargaming (TBW) encompasses all risk including financial, reputational, cyber, operational, compliance, legal, geo-economic, geo-political, mergers and acquisitions, health crises, location hazards, and other risks. It solves the problem: ‘I don’t know what I don’t know.’ TBW is like Doppler radar for your company with the ability to switch to MRI for internal execution.

“Your adversaries are wargaming to put you out of business. Why are you not wargaming to survive and thrive in this environment of permanent chaos?”

Business leaders, government/elected officials, and professionals need to be concerned about the fact that their highly confidential and protected information is ending up on servers owned by business competitors, adversarial countries, and other entities that could be bad actors, including those from China, Russia, Iran and North Korea.

CIOs, CISOs, and IT professionals also need to be concerned with the fact that nation-state hackers can use leaky operating systems and intrusive apps to launch a wide array of attacks on networks/critical infrastructure that include distributed denial of service (DDoS), man-in-the-middle (MitM), and ransomware attacks.

Organizations and government entities can no longer afford to put off implementing a top down enterprise cybersecurity and privacy strategy for survival in today’s world of permanent chaos.

Bio

For background information on Mr. Lee, visit My Smart Privacy at mysmartprivacy.com or contact Rex at Rlee@MySmartPrivacy.com
