The dire threats posed by cyberattacks are becoming clearer with every passing year.
Last month, Lloyd's of London estimated that a hypothetical major cyberattack on the world's financial payment systems could cost about $3.5 trillion globally, with the U.S. suffering about one-third of that loss. The U.S. has already seen "hundreds" of breaches that have disrupted hospital operations this year, according to the American Hospitals Association. Other companies, like the genetic testing business 23andMe, have also been victims of data theft.
Meanwhile, the conflict between Israel and Hamas has led to a spike in cyberattacks in the region, and could trigger additional activity elsewhere as the war continues and geopolitical dynamics shift.
Despite witnessing a steady stream of cyber incidents in the news, however, a lot of companies aren't prepared, says Steve Schmidt, chief security officer at Amazon and a member of the company's famous "s-team" of senior leaders, who report directly to CEO Andy Jassy.
Amazon has been criticized in recent years for not protecting its ever-growing cache of customer data properly. Schmidt, a former FBI section chief who was CISO at AWS for 15 years, began his job as CSO for Amazon in 2022.
Many businesses at risk of cyberattacks "don't even know it yet because they don't have anybody looking," he tells Fortune. To be fair, he adds, they may not have anyone looking because of a major shortage of people with cybersecurity skills.
Schmidt's team at Amazon, one of the most data-rich companies on the planet, is planning a hiring spree in the coming months. "If we're hiring thousands of people, and others who are large out there are hiring thousands of people, the pool of available talent is exhausted pretty darn quickly," Schmidt says.
Here's how he thinks about his job protecting all of Amazon's physical and digital properties, which he describes as a matter of "solving puzzles, playing chess, and practicing psychology."
Get clear on what data and hardware you have
The most basic and surprisingly overlooked job a security team can tackle involves cataloging all of a company's digital and hardware infrastructure (software, servers, devices) and keeping that data updated, Schmidt recently told Fortune. Companies should also rank their assets and assign multiple layers of security, then keep testing those layers to ensure that they're still working.
Know your cyber threats
"Many people think of security as a job where you're stopping things from happening, and certainly there's an element to that," Schmidt says. "But what I'm trying to do more than anything else is understand the motivation of our adversaries."
To that end, Amazon recently revealed that its cyber team uses a proprietary platform it dubbed "MadPot," a form of deception software that gives hackers the false impression that they've accessed real data. Once the stranger is in the system, Amazon can "get adversaries to engage with our sensors," says Schmidt, "and let them think they're engaging with our customers, so we can collect the adversaries' tools. We get to learn about their techniques, we get to learn about what they're trying to focus on, and it informs our threat intelligence services."
The groups that might want to bust past a company's system range from hackers playing games to annoy each other, to thieves who behave much like highly organized crime families. The opponents targeting Amazon and other large companies may also be contractors working for a foreign government like Russia or China. Even when these people are not particularly talented, Schmidt explains, "there's such high volume [of their attacks] that their statistical chance of success is relatively high."
Not every company can take advantage of threat intelligence software like MadPot, says Schmidt. For these programs to work, the organization needs to have enough data and networks to produce statistically useful information. "You also need to have a team that's the appropriate size and maturity to be able to digest the information effectively," he says. For teams that are smaller or busy with immediate catch-up projects, Schmidt advises acquiring threat intelligence software.
Your worst enemy could come from within your own ranks
It's not always a stranger who breaks in or enables a breach, of course. The reality is quite the contrary: the biggest threat usually comes from inside the house.
The two scenarios that small and medium-sized companies should worry about most, according to Schmidt, are employees "using their legitimate access to data for things that they shouldn't do" and "employees being exploited by a social engineering actor" seeking data in a ransomware attack.
Cybercriminals are known for gaining access to a system through the legitimate credentials of an employee. They might do that through a phishing campaign or by bribing an employee, which happened at Amazon in 2021. Once past the gates, criminals with an employee's identity can maneuver fairly freely, which is why Amazon severely limits the amount of data that any employee can access at one time, and monitors how employees use their access.
"If you think about the way a business typically runs, there'll be some administrators who have access to everything in the company," says Schmidt. "The smaller the business is, the more usual it is for everybody in the company to have access to all the data." That may be the easiest solution, he adds, but it's bad for security.
Cybersecurity is key to unlocking innovation
Many companies see cybersecurity as a "gatekeeping" function that slows down other parts of the business. But within Amazon, security work is seen as a business accelerator, according to Schmidt, who says that's a mindset shift that many companies may still need to make.
Schmidt advises CEOs to measure their security teams by "how they're increasing velocity versus slowing things down." Is your CISO or head of data asking how they can enable a new product, rather than simply policing and blocking what people do?
"I personally view the use of the word 'no,' in a security context, as a failure," Schmidt says. Stopping something from happening may feel prudent in the short term, but saying no all the time will stop a company from growing in areas where it needs to innovate, he contends. Perhaps worse, he adds, it will eventually frustrate product builders and may lead them to find ways to circumvent the security team as much as possible. Ideally, companies want to engender just the opposite: early and frequent collaboration between engineers, product teams, and security leaders.
Play the long game
As CSO at one of the world's largest companies, Schmidt is no longer working in the tactical day-to-day of cybersecurity. Instead he's playing the long game, planning for 3 to 5 years out, studying how malicious actors might be evolving, and what kind of investments may be required to maintain strong defenses.
Security teams at companies of all sizes should be doing the same, he says. They ought to be looking out for emerging tech, and launching upgrades now that may take a few years to roll out. "Many years ago, Amazon started moving over to hardware multi-factor authentication because we saw the evolving threats from both the nation-state actors and the social engineering-slash-ransomware organizations," says the CSO. "Making that change took us four or five years because of the size of our company, even though we're a really tech-focused organization, so most companies out there have to figure out: 'What are the threats that are going to be facing me? What are the techniques that I need to start investing in now in order to protect myself against those threats?'"
Nov. 2, 2023: This story has been updated with the correct term for MadPot, and clarified that MadPot is Amazon's proprietary software.
Do you have insight to share? Got a tip? Contact Lila MacLellan at lila.maclellan@fortune.com or through secure messaging app Signal at 646-820-9525.