Earlier this week, while taking a break from home schooling (don’t ask), I happened to be browsing a list of the world’s billionaires.
You can probably guess who’s leading the pack – Bezos, Gates and Zuckerberg, of course. But did you know that Tesla founder, Elon Musk, is consistently among the top five? I have to admit, I was surprised.
But as I dug in a bit and read his bio, I realized that not only is he super-rich, he’s also involved in an astonishing array of projects and companies. According to Wikipedia…
He is the founder, CEO, CTO and chief designer of SpaceX; early investor, CEO and product architect of Tesla, Inc.; founder of The Boring Company; co-founder of Neuralink; and co-founder and initial co-chairman of OpenAI.
The truth is, he’s essentially a real-life version of world-famous industrialist and genius inventor, Tony Stark (AKA “Iron Man”), minus the self-contained flying suit of armor (or so I am assuming).
And it doesn’t end there. Musk is a cybersecurity superhero, too.
The Russians Are Coming
You may have read about a Russian hacker’s recent attempt to recruit a Tesla employee to insert malware into the company’s computer systems. The employee turned down the $1 million offered and, instead, notified the FBI, which ultimately arrested the hacker.
Cybersecurity-wise, what stands out most about this incident is that Tesla’s security practices are so well-conceived and implemented that the only feasible way in was through an on-the-ground insider – there were no viable remote entry points.
Musk’s obsession with cybersecurity is well known. Realizing that the hacking of Tesla’s car fleet would be the downfall of his business, he has taken every step imaginable to guard against that possibility (even hiring people, on occasion, who have demonstrated an ability to hack a Tesla).
Most of us, of course, don’t have to worry about a Russian operative recruiting one of our employees to plant malware inside our systems.
First, because the Russian attackers are really, really good at breaking in remotely. They don’t need to physically enter a building to gain access. Second, because most companies don’t offer a great enough return for a hacker to risk getting caught in an FBI sting!
Nevertheless, Tesla’s approach to cybersecurity is instructive. Here are three important takeaways…
#1. Don’t be the weak player.
Maybe you’ve heard the old joke about two men in the forest who come upon a ferocious bear. One kneels down and starts tightening his shoelaces. The other guy asks, “Do you really think we can outrun him?” The first guys says, “I don’t need to outrun him, I only need to outrun you.”
The same logic applies with your cybersecurity.
The bad guys are in business – they want to make as much money with as little effort and risk as possible. They are looking for the most vulnerable targets. If you put enough controls in place, they will likely look elsewhere.
#2. Map risk evaluation to business risk.
Musk knows with certainty where Tesla’s biggest threat lies: it’s a fleet-wide hack. In his own words, “That would be the end of Tesla.” And so that’s where his greatest security efforts live, too.
Many companies, on the other hand, don’t make these kinds of distinctions – everything is given equal importance, whether that’s a corporate database inside a cloud environment, customer records on an internal network, or a marketing web site with no connection to either.
There’s no such thing as across the board security – there is not enough time or money on Earth to protect everything equally.
Rather, you need to complete a risk assessment, one in which you prioritize and make choices by identifying your key assets, both in terms of what they are worth to you and what they might be worth to a potential hacker.
Put another way, what’s your equivalent to a fleet of Teslas?
#3. Consider possible negative scenarios.
Once you know where your priorities lie, now consider how and where these key assets might be vulnerable. What means are hackers, generally, using these days to access company data? How would a bad actor monetize that information?
Many companies fall down here as well. Too often, esoteric or unlikely attacks are given high priority, while basic security steps like multi-factor authentication or training employees on good cybersecurity behavior are given little attention.
Keep in mind as well that the “entry point” for an attack may, in and of itself, be of little value. Just as an unlocked door in the basement provides access to everything within the walls of your building, an unsecured printer on your network may open the door to your entire production system.
The key, always, is to apply a risk-based view of potential threats and their repercussions. For example, email may not seem like a big deal, but if gaining entry to your system allows me to send fake messages on your behalf, you’re in for a very long day (or month).
Conclusion
Elon Musk’s singular focus on cybersecurity is a shining example of corporate leadership and the importance of keeping a close eye on what matters most.
Whether “the bear” on your heels is a Russian attacker or a four-legged mammal, it falls on you to make yourself as uninviting a target as possible!
