Why Cybersecurity Is No Game: Q&A with Tim Ryan
Tim Ryan loves video games. Maybe that isn’t surprising, given that he’s a cybersecurity expert. After all, the cybercrime world and digitally rendered gaming environment are both populated by a complex and ambiguous mix of good and bad characters.
Ryan, who oversaw the largest Cyber Squad in the U.S. during his 13 years at the FBI, has served since 2012 as a managing director at Kroll Advisory Solutions, one of the world’s most respected risk consultancy firms. Having investigated computer crimes, economic espionage and fraud over the course of his career, Ryan is uniquely attuned to the dangers confronting businesses.
While companies have unquestionably benefited from the past decade’s digital revolution, many have also been unwittingly exposed to cybercriminals. Amid the rapid pace of technological adoption, it’s imperative that businesses know what threats they’ll encounter and how best to protect against them.
But where should companies begin?
For starters, they’re going to have to do a lot more than simply install antivirus software, especially if they hope to guard their networks from “malicious insiders” and “data destroyers” — two of the most significant cyber issues facing companies right now. If unprepared, organizations are particularly vulnerable to malicious insiders, who enjoy privileged access to proprietary data. Kroll researchers estimate that nearly one half of all data breaches this year will “come at the hands of people on the inside.”
Alas, companies must also contend with a number of equally challenging cyber issues, including the continued need to effectively devise and implement bring-your-own-device (BYOD) policies that are becoming commonplace at companies, Ryan said.
Even companies with robust cyber defense systems can suffer data breaches at the hands of their third party vendors, according to Kroll’s 2014 Cyber Security Forecast.
FreeEnterprise.com spoke with Ryan about these and other pressing cyber vulnerabilities. Anyone in search of a cyber security silver bullet may be out of luck, however. As Ryan noted, “the essence of security is that it’s not one size fits all.”
You practiced law before joining the FBI’s cybercrimes division. How did you end up working in computer security?
I always wanted to be an FBI agent ever since I was a little boy, and I could make my fingers look like a gun. Back then, one of the main ways to get into the FBI was to be a lawyer. I was military police in Desert Storm and my company commander was a lawyer, and I talked to him about it and I decided I’d go to law school. I was always a gamer — I love video games. Back when I was playing, you had to configure your computer to make sure they would work, so that’s what got me into my interest with computers.
Kroll named the malicious insider as one of the most significant issues facing businesses in 2014. What is a malicious insider and why did you describe the threat as “insidious and complex?”
A malicious insider is somebody whom the company gave credentials to, and who then decides to use those credentials to steal intellectual property or to destroy data.
What we see with insiders is that we have this thing — like a crime scene or a murder scene — where, unfortunately, there is someone who is murdered, and there is one stab wound. And maybe it was a robbery gone bad. But when you have a crime scene where there’s all this overkill — where the body has a hundred stab wounds in it — that suggests it was personal in nature. It’s kind of the same thing with insiders: we see there is more of a proclivity for an insider to destroy data than an outsider.
What would you say are the biggest threats companies are facing right now in 2014?
I think it’s industry specific. I think the top seven ones we came out with, that’s a pretty good understanding of the threat. It kind of depends on what the crown jewels or the assets of the company are.
You said the emergence of data destroyers is a very pressing threat. Who are they and why are they so dangerous?
What I normally see from a data destroyer is somebody who wants the company destroyed, so what they'll do is they'll destroy the data inside the company and they’ll wipe data from servers.
What we've seen before are people who want to steal intellectual property or they want to steal banking credentials because they want to make money some way. This group, they don't care about the money — they just want to hurt that company. Data destroyers will say, “We don't want this to be a good corporate citizen, we don't want this company to change its ways, we want this company destroyed."
Can you talk about BYOD and why it’s a critical issue affecting businesses?
BYOD is where people are allowed to bring their own phones, laptops, and devices into work, and then the corporate data is being processed or transmitted through those devices.
When you think about the classic model, the company owns all the computing devices so you can put certain controls on there. When everyone is bringing their own device to work and corporate data is being transmitted through that device or being processed through that device, it becomes a little more difficult to control the flow of that data and secure it. People bringing their own devices into work can make the data less secure, so it needs to be well thought-out.
How has the business community’s understanding of cybercrimes evolved over the past decade? Are they better educated and better prepared?
I think companies are starting to understand that it’s a corporate issue, not just an IT issue. I think companies understand that it’s a threat to the entire corporation and its livelihood rather than just this funny thing that just happens with computers occasionally.