your mobile phone and call security. Two
minutes later, a security guy is standing in
your office. You ask, “How long has your
company been protecting our building?”
He says, “Almost 10 years.”
Motioning to all the corners of your
office you ask, “Then how could you guys
have missed all of this?” He looks around
and pauses for a moment, “Sir, everything
here looks good, what appears to
be the problem?”
In the physical world, perpetrators who
attack individuals, corporate or government infrastructure can be identified,
pursued and brought to justice — even
(with some exception) if they live outside
the U.S. Our ability to successfully go after
an attacker is a meaningful deterrence to
others who have similar objectives and
is a major reason there have been so few
physical incidents within our borders.
But in the digital world, someone can
be rifling through our confidential records
while remaining completely invisible to
us. It took years before Yahoo discovered that a billion of its users’ data was
compromised; even today it still doesn’t
know who did it.
Vanity Fair reported the following
revelation last September: “The Pentagon has said it fends off several million
attempts at cyber-intrusion every day.”
Most of the attempts are amateur, but
more than a few are sophisticated and
clearly state sponsored. Of course the
Pentagon has access to NSA-type expertise, and it is close-lipped about what (if
any) retaliatory plans it may have.
The same elite, state-sponsored hackers that may be close to breaking into the
Pentagon are also actively looking to exploit weaknesses in U.S. businesses. This
is nothing new — just the digital equivalent of something that has been going on
What is unprecedented is the number
and regularity of the attacks. If there
were millions of physical attacks against
the Pentagon each day — our national
amygdala would light up, Congress would
declare war on the perpetrators, and we
would respond in-kind and with force. But
while digital attacks can lead to damages
as serious as those from physical attacks,
until those damages actualize, it somehow
doesn’t quite feel as threatening.
Like any reasonably informed layman,
I’ve followed this issue with growing
interest. However, the one aspect that
struck me — which I had never considered — is just how much more advantage
our attackers have over us.
The Center for Cyber & Homeland
Security, a think tank at George Washington University, has explained this
skewed reality in both public papers and
in periodic testimony before Congress. It
points out that public perception of this
issue is getting in the way of a solution.
“As things now stand, however, our
adversaries are acting largely without
penalty and thus continue to transgress.
Moreover, when an incident occurs, our
tendency is to blame the victim,” the center explained. This is obviously a foolish
and counter-productive response — but
it sounds somewhat like the policy of
As attackers grow in size and sophistication, the list of entities that have
suffered significant losses is increasing.
Recent estimates of cyberattacks’ annual
costs on business range from $120 billion
to $160 billion.
The experts at George Washington
University concluded a recent presentation
with the following sober warning:
“It will only be a matter of time before
an adversary successfully capitalizes on
these advantages and carries out an attack
that damages and disrupts critical
What are we supposed to do about this
state of affairs? Is Filofax going to make
a huge comeback? Should we go back
to paper records and land-line phones?
Letter writing? Carbon paper?
I think the answer lies in what we on
the West Coast know as earthquake preparedness. That is, we can’t stop it from
happening; it is out of our control. But
if we are prepared for the eventuality,
and ready for what might be an extended
recovery period, the odds of surviving
a major earthquake and its aftermath
I know Norton Internet Security is
generally useless against an experienced
hacker. But I also know that if I just follow good digital common-sense practices I can eliminate 99% of all potential
problems — many of which would be the
result of my own carelessness.
For the 1% of cyberthreats that we cannot avoid, our goal should be to survive
them, by having a simple, robust and flexible plan: backing up data regularly — to
different physical locations, with lots of
redundancy; plus, a basic but time-tested
disaster plan for the recovery period.
If we can stop thinking about digital
security as a compliance issue and start
thinking about it as an existential one,
we’ll be in the right mindset to make
good choices. The result may not satisfy all the concerns the SEC will cover
in your next examination, but it might
allow you to actually have a business to
Marshall Jaffe is managing partner of Jaffe
Asset Management, an investment advisory
firm in Beverly Hills, California.