The Need For A Top Down Enterprise Security Strategy
By Rex M. Lee
Monday, August 15, 2022

In today’s hyper geo-competitive world, businesses and governments must implement a top-down cybersecurity and privacy strategy to eliminate or mitigate threats posed by competitors and adversarial nation-states.

Here is what FBI Director Christopher Wray said to business leaders in London on July 6:
“The FBI has no closer partner than MI5 (UK)… As laser-focused as both our agencies are on the Russia threat… We consistently see that it’s the Chinese government that poses the biggest long-term threat to our economic and national security, and by ‘our,’ I mean both of our nations, along with our allies in Europe and elsewhere … I’ll start with what this danger looks like. The Chinese government is set on stealing your technology — whatever it is that makes your industry tick — and using it to undercut your business and dominate your market … I want to be clear that it’s the Chinese government and the Chinese Communist Party (CCP) that pose the threat, not the Chinese people, and certainly not Chinese immigrants in our countries—who are themselves frequently victims of the Chinese government’s lawless aggression.”

Many businesses, including Fortune 500 corporations, and government agencies fail to implement a top-down enterprise cybersecurity and privacy strategy centered on eliminating or mitigating threats posed to:
• Networks and critical infrastructure, including endpoint devices: Many hacks and malware attacks today are coming from nation-state hackers who are using leaky operating systems and intrusive apps to launch attacks on networks/critical infrastructure by way of endpoint devices such as a smartphone or a tablet PC
• Confidential information and IP: Most hacks today come from insider attacks launched by employees who are compromised by bad actors such as nation-state hackers or criminal organizations
• Board members, C-suite executives, government officials and elected officials: Many business leaders, including government/elected officials, can be compromised or leveraged by nation-state actors, including law firms/lobbyists
• Middle management and frontline employees: Middle management and frontline employees can be exposed to insider threats associated with nation-state actors or criminal organizations
• Supply chain: Many contractors and supply chain vendors can be compromised or leveraged by nation-state actors

As a matter of fact, most organizations and government entities do not even employ a privacy strategy regarding threats to end-user business information associated with the use of smartphones, tablet PCs, connected products and PCs that are supported by leaky operating systems, intrusive apps, and surveillance and data mining business practices employed by operating system (OS) and app developers.

Furthermore, most organizations and government entities do not employ a “cloud exit strategy” regarding highly confidential and protected information supported by critical infrastructure. Today, most organizations and government entities rely on third-party managed services providers (MSPs), many of whom do not indemnify their clients, even for negligence on the part of the MSP, exposing the client to harm without legal recourse.

Many organizations and government entities only employ a tactical level cybersecurity strategy that is centered on threats posed mainly to network/critical infrastructure with little or no focus on endpoint cybersecurity associated with mobile devices that include smartphones, tablet PCs and connected products in general.

Existential Threats Posed by Connected Technology
In today’s connected world, operating systems and apps are designed to enable the OS and app developer, including those from adversarial countries, to monitor, track and data mine the end user for financial gain, posing numerous cybersecurity and privacy threats to the end user, including the end user’s employer.

In essence, Google, Apple and Microsoft are actively distributing Chinese and Russian surveillance and data mining technology in the form of uncontrollable preinstalled apps that support endpoint devices and third-party apps distributed through Google Play, the Apple App Store and Microsoft App Store.

Intrusive apps from adversarial countries are being banned by many countries, including India, which has banned popular apps and social media platforms such as TikTok, which is developed by ByteDance of China.

Additionally, leaky operating systems and intrusive apps developed by many multinational corporations pose cybersecurity and privacy threats equal to those of intrusive apps from adversarial countries, because many leaky OS and app developers, such as Alphabet, compete in multiple industries worldwide.

For example, business leaders and employees who work for companies that compete against Alphabet may be inadvertently using intrusive Google technology, such as apps, exposing highly confidential business and personal information to an existing or future competitor.

All of these threats posed by connected technology are associated with a centralized internet that is controlled by a handful of tech giants who are dominating the industries they compete in due to their monopolistic business models that are centered on surveillance capitalism.

However, there is some hope in the future regarding Web3/Open-Web, which is centered on a decentralized internet providing end users with the privacy and security that used to be associated with the internet in the 1990s, before major corporations centralized the internet for monopolistic purposes.

Until there is mainstream adoption of a decentralized internet, there are many existential threats posed by connected technology that organizations and government entities need to address with a top-down enterprise cybersecurity and privacy strategy.

These existential threats include the following:
1. Unrestricted hybrid warfare, including tech-based hybrid warfare, waged by business competitors and adversarial countries
2. Insider threats posed to board members, senior executives, middle management, frontline employees, government/elected officials, contractors, college interns and supply chain vendors
3. Predatory surveillance and data mining business practices employed by major corporations, operating system developers, and app developers, including those from Russia and China
4. Predatory and exploitive terms of use that support leaky operating systems and intrusive apps
5. Nation-state hackers who can launch attacks on networks/critical infrastructure by way of telecommunication networks, email, intrusive apps and leaky operating systems
6. Legal malware in the form of addictive, intrusive, and dangerous apps that pose privacy, cybersecurity and safety threats to end users
7. Legal corporate and government espionage by way of leaky operating systems and intrusive apps developed by current or future business competitors, including those from Russia, China, and other adversarial countries

These are just a few of many existential cybersecurity and privacy threats that need to be addressed by government entities, including law enforcement/military; corporations; defense contractors; healthcare providers; academic institutions; legal professionals and small-to-medium-sized businesses.

Here is what Casey Fleming, CEO of BlackOps Partners, had to say about FBI Director Christopher Wray’s comments to business leaders in London:
“The FBI and MI5 announcement is unprecedented in history. It frames the scale of economic power that has tipped out of our favor requiring a top-down cultural shift in every company beginning with the board and CEO. The shift must align risk, strategy, data, IP, technology, cyber, security, privacy, and the most important element - the ‘human factor.’”

Existential Threats Posed by Surveillance Capitalism and Lobbying
Unfortunately, Google, Apple, Microsoft and governments around the world are not going to address many of these existential threats that are associated with leaky operating systems, intrusive apps and threats posed by major corporations/app developers, including those from adversarial countries.

The problems with addressing these threats include the fact that trillions of dollars in profits associated with predatory surveillance and data mining business practices would be eliminated while negatively affecting the stock values of tech giants such as Google, Apple, Microsoft, Meta, Amazon, ByteDance and other major corporations who employ predatory surveillance and data mining business practices that are rooted in “surveillance capitalism.”

Frankly, tech giants, including those from adversarial countries, buy influence with government/elected officials, including world leaders, by way of powerful law firms and lobbyists.

Surprisingly, in the United States, companies from China can lawfully buy influence over lawmakers by way of powerful K Street law firms/lobbyists such as American Continental Group (ACG), which represents ByteDance, the Chinese developer of the highly intrusive social media app and platform TikTok.

Getting back to FBI Director Christopher Wray’s concerns over China’s ability to steal technology, he states that the Chinese government, including the CCP, is going to use every tool necessary to gain intelligence on its competitors, while using whatever means possible to steal information, including intellectual property.

One way to do that could include using intrusive apps and social media platforms developed by Chinese corporations such as ByteDance (TikTok), Tencent (WeChat) and Baidu (Android app developer/Google partner).

As I mentioned in my previous MissionCritical Communications article centered on tech-based hybrid warfare, Bloomberg reported in 2021 that the Chinese government insisted that ByteDance employ a Chinese government official on their board, potentially exposing highly confidential TikTok end-user personal and business information to the Chinese government, including the CCP.

It is paramount that CIOs, CISOs and IT professionals audit the apps that the enterprise or government agency is using, from the board/CEO down to the frontline employee.

Top Down Enterprise Cybersecurity and Privacy Strategy
Since governments around the world, including the United States, are not going to help stop these existential cybersecurity, privacy, and hybrid warfare threats, it is paramount that organizations and government entities employ a top-down enterprise cybersecurity and privacy strategy that includes:
1. A “cloud exit strategy” centered on protecting highly confidential and protected information supported by critical infrastructure. Note, it is OK to use MSPs to support general and/or public information.
2. Best practices associated with business competition, wargaming, insider threats, employee privacy policies, confidential and protected information, network security, critical infrastructure and endpoint cybersecurity
3. Third-party mobile device lifecycle and security management providers
4. Mobile device management (MDM) solutions. Note that some MDM solutions are supported by intrusive apps and/or are not secure.
5. Intelligence, cybersecurity and simulated business war gaming firms centered on threats posed by insiders, corporations, nation-state hackers and entities associated with adversarial business competitors and countries
6. Corporate counterintelligence centered on domestic and foreign competition, including Chinese and Russian competitors
7. Cybersecurity and privacy advisors who have extensive tech, telecom and cybersecurity industry experience
8. Privacy providers centered on protecting confidential business and personal information

Organizations, government entities, business leaders, and professionals need to be concerned about the fact that their highly confidential and protected information is ending up on servers owned by business competitors, adversarial countries, and other entities that could be bad actors, including those from China, Russia, Iran and North Korea. CIOs, CISOs, and IT professionals also need to be concerned with the fact that nation-state hackers can use leaky operating systems and intrusive apps to launch a wide array of attacks on networks/critical infrastructure that include distributed denial of service (DDoS), man-in-the-middle (MitM) and ransomware attacks. Organizations and government entities can no longer afford to put off implementing a top-down enterprise cybersecurity and privacy strategy for survival in today’s world of permanent chaos.

Rex M. Lee is a Cybersecurity and Privacy Advisor/Tech Journalist. For background information on Mr. Lee, visit My Smart Privacy at mysmartprivacy.com or contact Rex at Rlee@MySmartPrivacy.com