Mohammad Jalali, MIT Sloan Research Scientist
From MIT Sloan Management Review.
Cybersecurity is becoming top of mind for customers and organizations, as highly publicized data breaches and cyberattacks at large corporations have revealed just how much damage a hacker can do by accessing or manipulating an organization’s systems. In addition to the immediate financial and operational consequences, a breached business often faces class-action lawsuits, regulatory fines, damage to its reputation, and a string of other ramifications.
Consider Yahoo. In April 2018, the company agreed to pay a $35 million fine for failing to report a 2014 data breach in which hackers stole personal information from hundreds of millions of user accounts. A month prior, a judge had ruled that the victims of the data breach had the right to sue Yahoo for negligence and breach of contract for not disclosing its systems’ security weaknesses.
Yahoo is not alone; a startling number of companies have faced public relations disasters surrounding security breaches in the past few years. On the one hand, the trend makes sense; cyberattacks are becoming more common than ever as hackers become more adept at penetrating systems. On the other hand, it doesn’t make sense, because while those carrying out cyberattacks are gaining more tools, so are the specialists who defend against them. Cybersecurity practices can — and need to — be better.
MIT Sloan Professor Stuart Madnick
MIT Sloan Professor Simon Johnson
Keman Huang, MIT Sloan Postdoctoral Associate
From Harvard Business Review
Cybersecurity as a key issue for trade policy is a relatively new development. In the last few years there have been a number of news reports about various governments’ incorporating spyware, malware, or similar programs into computer-based products that are exported around the world. The governments typically have worked with private companies in their countries to do it. In the internet-of-things era, almost all products can be connected to the internet, and most of them can also be used for spying and other malicious activities. Furthermore, since data is considered a critical asset, services, from international banking to payment systems to consumer websites, are part of this too.
In late 2016 and 2017, for example, the voice-activated My Friend Cayla doll made headlines for its technology, which could be used to collect information on children or anyone in the room. In 2017 Germany banned the doll, alleging that it contained a surveillance device that violated the country’s privacy regulations. Another famous example is the 2010 Stuxnet attack on the Natanz nuclear enrichment facility in Iran. It was accomplished by planting malware, including Stuxnet, into industrial control systems that were shipped to Iran, resulting in the destruction of many centrifuges.
Stuart Madnick, MIT Sloan Prof. of Information Technology
From The Wall Street Journal
As technical defenses against cyberattacks have improved, attackers have adapted by zeroing in on the weakest link: people. And too many companies are making it easy for the attackers to succeed.
An analogy that I often use is this: You can get a stronger lock for your door, but if you are still leaving the key under your mat, are you really any more secure?
It isn’t as if people aren’t aware of the weapons hackers are using. For instance, most people have heard of, and probably experienced, phishing—emails or messages asking you to take some action. (“We are your IT dept. and want to help you protect your computer. Click on this link for more information.”) Although crude, these tactics still achieve a 1% to 3% success rate.
Then there are the more deadly, personalized “spearphish” attacks. One example is an email, apparently sent from a CEO to the CFO, that starts by mentioning things they discussed at dinner last week and requests that money be transferred immediately for a new high-priority project. These attacks are increasingly popular because they have a high success rate.
The common element of all these kinds of attacks: They rely on people falling for them.
Mohammad Jalali, MIT Sloan Research Scientist
From The Conversation
Like any large company, a modern hospital has hundreds – even thousands – of workers using countless computers, smartphones and other electronic devices that are vulnerable to security breaches, data thefts and ransomware attacks. But hospitals are unlike other companies in two important ways. They keep medical records, which are among the most sensitive data about people. And many hospital electronics help keep patients alive, monitoring vital signs, administering medications, and even breathing and pumping blood for those in the most dire conditions.
A 2013 data breach at the University of Washington Medicine medical group compromised about 90,000 patients’ records and resulted in a US$750,000 fine from federal regulators. In 2015, the UCLA Health system, which includes a number of hospitals, revealed that attackers accessed a part of its network that handled information for 4.5 million patients. Cyberattacks can interrupt medical devices, close emergency rooms and cancel surgeries. The WannaCry attack, for instance, disrupted a third of the UK’s National Health Service organizations, resulting in canceled appointments and operations. These sorts of problems are a growing threat in the health care industry.
Protecting hospitals’ computer networks is crucial to preserving patient privacy – and even life itself. Yet recent research shows that the health care industry lags behind other industries in securing its data.
I’m a systems scientist at MIT Sloan School of Management, interested in understanding complex socio-technical systems such as cybersecurity in health care. A former student, Jessica Kaiser, and I interviewed hospital officials in charge of cybersecurity and industry experts, to identify how hospitals manage cybersecurity issues. We found that despite widespread concern about lack of funding for cybersecurity, two surprising factors more directly determine whether a hospital is well protected against a cyberattack: the number and varied range of electronic devices in use and how employees’ roles line up with cybersecurity efforts.
Doug Criscitello, Executive Director of MIT’s Center for Finance and Policy
From The Hill
As we move beyond the widespread acceptance and use of online banking and trading platforms and push further into an increasingly digital financial marketplace, consumers face new forms of risk—namely, cyber risk—that would have been unfathomable previously. When confronted with risks that could be financially devastating, consumers are driven to mitigate and insure against such perils. Has the time come to purchase insurance for financial cyber risks?
Rational consumers seek to prevent, minimize or avoid adverse financial outcomes by purchasing insurance to protect against actual and perceived risks they can’t easily afford. Insurance essentially serves as a risk management and wealth preservation tool. However, consumers realize that it doesn’t make sense to purchase insurance when the cost of coverage is so high that they will pay substantially more in premiums than expected losses. In other words, they decide that self-insuring is the more cost-effective alternative.
Individuals today are increasingly concerned about their online security but don’t have a clear understanding of the amorphous yet perilous risks they face. In response, new consumer-directed insurance products are being offered to guard against cyber attacks.