The dire threats posed by cyberattacks are becoming clearer with every passing year.
Last month, Lloyd’s of London estimated that a hypothetical major cyberattack on the world’s financial payment systems could cost about $3.5 trillion globally, with the U.S. suffering about one-third of that loss. The U.S. has already seen “hundreds” of breaches that have handicapped hospital operations this year, according to the American Hospitals Association. Other companies, like the genetic testing business 23andMe, have also been victims of data theft.
Meanwhile, the conflict between Israel and Hamas has led to a spike in cyberattacks in the region, and could trigger additional activity elsewhere as the war continues and geopolitical dynamics shift.
Despite witnessing a steady stream of cyber incidents in the news, however, a lot of companies aren’t prepared, says Steve Schmidt, chief security officer at Amazon and a member of the company’s famous “s-team” of senior leaders, who report directly to CEO Andy Jassy.
Schmidt, a former FBI section chief who was CISO at AWS for 15 years, joined the retail company in 2022. Amazon had been criticized in the years leading up to his appointment for not protecting its ever-growing cache of customer data properly.
Many businesses at risk of cyberattacks “don't even know it yet because they don't have anybody looking,” he tells Fortune. To be fair, he adds, they may not have anyone looking because of a major shortage of people with cybersecurity skills.
Schmidt’s team at Amazon—one of the most data-rich companies on the planet—is planning a hiring spree in the coming months. “If we're hiring thousands of people, and others who are large out there are hiring thousands of people, the pool of available talent or talent is exhausted pretty darn quickly,” Schmidt says.
Here’s how he thinks about his job protecting all of Amazon’s physical and digital properties, which he describes as a matter of "solving puzzles, playing chess, and practicing psychology.”
Get clear on what data and hardware you have
The most basic and surprisingly overlooked job a security team can tackle involves cataloging all of a company’s digital and hardware infrastructure (software, servers, devices) and keeping that data updated, Schmidt recently told Fortune. Companies should also rank their assets and assign multiple layers of security — then keep testing those layers to ensure that they’re still working.
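The inventory step above is easy to state and easy to let rot. The following is an added illustration, not Amazon's tooling: it reconciles a declared asset catalog against what a discovery sweep actually observed, flagging devices nobody registered, registered hosts that have gone quiet, and entries whose last verification is too old to trust. Hostnames, addresses, owners and dates are all constructed.

```python
"""Reconcile a declared asset inventory against observed hosts.

Added example: the inventory, the observed hosts and the 180-day
verification window are constructed values, not any real environment.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    owner: str
    tier: int            # 1 = most critical, 3 = least critical
    last_verified: date  # when someone last confirmed this record is accurate


# Constructed inventory as a security team might keep it.
INVENTORY = [
    Asset("db-prod-01", "10.0.1.10", "data-platform", 1, date(2023, 10, 1)),
    Asset("web-prod-03", "10.0.2.13", "storefront", 2, date(2023, 6, 14)),
    Asset("build-agent-7", "10.0.3.77", "ci", 3, date(2022, 11, 2)),
]

# Constructed result of a discovery sweep (DHCP leases, an internal scan, a
# cloud API listing): ip -> hostname as reported by the host itself.
OBSERVED = {
    "10.0.1.10": "db-prod-01",
    "10.0.2.13": "web-prod-03",
    "10.0.2.99": "unknown-laptop",  # never registered: the asset nobody is looking at
}


def reconcile(inventory, observed, today, max_age_days=180):
    """Return the three findings an inventory review should produce.

    unregistered: observed addresses with no inventory record (unknown exposure)
    missing:      inventory records not seen on the network (decommissioned or hiding)
    stale:        records nobody has re-verified within max_age_days
    Lists of inventory hosts are ordered by tier so critical assets are reviewed first.
    """
    by_ip = {a.ip: a for a in inventory}
    unregistered = sorted(ip for ip in observed if ip not in by_ip)
    missing = sorted((a for a in inventory if a.ip not in observed), key=lambda a: a.tier)
    stale = sorted(
        (a for a in inventory if (today - a.last_verified).days > max_age_days),
        key=lambda a: a.tier,
    )
    return {
        "unregistered": unregistered,
        "missing": [a.hostname for a in missing],
        "stale": [a.hostname for a in stale],
    }


if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, OBSERVED, date(2023, 11, 15)).items():
        print(f"{kind:>12}: {items}")
```

Run on a schedule, the "unregistered" list is the part that answers Schmidt's "nobody looking" problem: an address that appears on the network without a record is either a new system someone forgot to register or something that should not be there, and both deserve an owner.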
Know your cyber threats
“Many people think of security as a job where you're stopping things from happening, and certainly there's an element to that,” Schmidt says. “But what I'm trying to do more than anything else is understand the motivation of our adversaries.”
To that end, Amazon recently revealed that its cyber team uses “MadPots,” a play on “honey pots,” the phony relationship-based traps used by police agencies to ensnare criminals. In the digital space, MadPots and other forms of deception software, or data decoys, give hackers the false impression that they’ve accessed real data. Once the stranger is in the system, Amazon can “get adversaries to engage with our sensors,” says Schmidt, “and let them think they're engaging with our customers, so we can collect the adversaries' tools. We get to learn about their techniques, we get to learn about what they're trying to focus on, and it informs our threat intelligence services.”
The groups that might want to bust past a company’s system range from hackers playing games to annoy each other, to thieves who behave much like highly organized crime families. The opponents targeting Amazon and other large companies may also be contractors working for a foreign government like Russia or China. Even when these people are not particularly talented, Schmidt explains, “there’s such high volume [of their attacks] that their statistical chance of success is relatively high.”
Not every company can take advantage of threat intelligence software like MadPots, says Schmidt. For these programs to work, the organization needs to have enough data and networks to produce statistically useful information. “You also need to have a team that’s the appropriate size and maturity to be able to digest the information effectively,” he says. For teams that are smaller or busy with immediate catch-up projects, Schmidt advises acquiring threat intelligence software.
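The deception approach described in the two passages above works because decoy records have no legitimate users: a single read is a confirmed signal, not a probability. The example below is an added illustration, not Amazon's MadPots or any real product. It seeds decoy identifiers, runs constructed access log lines through a parser, and builds a per-source profile of who touched the decoys and with what client, which is the "collect their tools and techniques" step Schmidt describes. The log format, record names and addresses are all constructed.

```python
"""Flag any access to decoy records and profile the sources that touched them.

Added example: the decoy identifiers, the log format and the sample lines are
constructed for this illustration and describe no real system.
"""
import re
from collections import defaultdict

# Decoy identifiers seeded into the data store. No legitimate workflow references
# them, so any read at all is an alert rather than a statistical anomaly.
DECOY_RECORDS = {"cust-00000000-decoy", "apikey-DEADBEEF-decoy"}

# Constructed access-log format: timestamp, source address, client string, action, record id.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) ua="(?P<ua>[^"]*)" '
    r"action=(?P<action>\w+) record=(?P<record>\S+)$"
)

# Constructed sample log: two legitimate internal reads and one external source
# touching both decoys in quick succession.
SAMPLE_LOG = """\
2023-11-14T09:12:01Z src=10.0.5.21 ua="internal-crm/4.2" action=read record=cust-48211
2023-11-14T09:12:07Z src=198.51.100.23 ua="python-requests/2.31" action=read record=cust-00000000-decoy
2023-11-14T09:12:08Z src=198.51.100.23 ua="python-requests/2.31" action=read record=apikey-DEADBEEF-decoy
2023-11-14T09:13:40Z src=10.0.5.22 ua="internal-crm/4.2" action=read record=cust-90021
"""


def parse(line):
    """Return the fields of one log line, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_hits(log_text, decoys):
    """Return one alert per access to a decoy record, in log order."""
    alerts = []
    for line in log_text.splitlines():
        event = parse(line)
        if event and event["record"] in decoys:
            alerts.append(event)
    return alerts


def profile_sources(alerts):
    """Summarise decoy activity per source: hit count, client strings, records touched.

    This is the intelligence the sensor yields: which clients the adversary used
    and what kind of data they went after, without ever exposing real records.
    """
    profile = defaultdict(lambda: {"count": 0, "user_agents": set(), "records": []})
    for a in alerts:
        p = profile[a["src"]]
        p["count"] += 1
        p["user_agents"].add(a["ua"])
        p["records"].append(a["record"])
    return dict(profile)


if __name__ == "__main__":
    hits = detect_decoy_hits(SAMPLE_LOG, DECOY_RECORDS)
    for src, info in profile_sources(hits).items():
        print(f"ALERT {src}: {info['count']} decoy reads via {sorted(info['user_agents'])}")
```

The design point is the zero-false-positive property: because decoys are never part of a real workflow, the detector needs no baseline or tuning, which is what makes the approach viable even before a team has the volume of data Schmidt says full threat-intelligence programs require.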
Your worst enemy could come from within your own ranks
It’s not always a stranger who breaks in or enables a breach, of course. The reality is quite the contrary: the biggest threat usually comes from inside the house.
The two scenarios that small and medium-sized companies should worry about most, according to Schmidt, are employees “using their legitimate access to data for things that they shouldn't do” and “employees being exploited by a social engineering actor” seeking data in a ransomware attack.
Cybercriminals are known for gaining access to a system through the legitimate credentials of an employee. They might do that through a phishing campaign or by bribing an employee, which happened at Amazon in 2021. Once past the gates, criminals with an employee’s identity can maneuver fairly freely, which is why Amazon severely limits the amount of data that any employee can access at one time, and monitors how employees use their access.
“If you think about the way a business typically runs, there'll be some administrators who have access to everything in the company,” says Schmidt. “The smaller the business is, the more usual it is for everybody in the company to have access to all the data.” That may be the easiest solution, he adds, but it’s bad for security.
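The two controls Schmidt describes above, scoping each employee's access to the data their role needs and watching how much of it they pull at a time, can be expressed as a small policy engine. The following is an added illustration, not Amazon's access system: roles, datasets, users, the 200-records-per-hour ceiling and the event stream are all constructed. It denies requests outside a role's scope and raises a volume alert when a user's reads within a trailing hour exceed the ceiling, which is the signal a compromised or misused credential tends to produce even when every individual request looks legitimate.

```python
"""Role-scoped data access with per-user volume monitoring.

Added example: the roles, datasets, ceiling and events are constructed values
for this illustration and do not describe any real organisation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Each role may touch only the datasets its job needs. No role maps to "everything".
ROLE_SCOPES = {
    "support-agent": {"customer-contact"},
    "billing-analyst": {"customer-contact", "invoices"},
    "dba": {"invoices", "schema-metadata"},
}

# Constructed ceiling on records one user may read in any trailing hour.
MAX_RECORDS_PER_HOUR = 200

# Constructed events: (timestamp, user, role, dataset, record_count).
EVENTS = [
    ("2023-11-14T09:00:00", "alice", "support-agent", "customer-contact", 20),
    ("2023-11-14T09:10:00", "alice", "support-agent", "invoices", 5),      # outside scope
    ("2023-11-14T09:20:00", "alice", "support-agent", "customer-contact", 20),
    ("2023-11-14T09:05:00", "bob", "billing-analyst", "invoices", 150),
    ("2023-11-14T09:45:00", "bob", "billing-analyst", "invoices", 80),      # pushes bob over 200/h
    ("2023-11-14T11:00:00", "bob", "billing-analyst", "invoices", 150),     # old window expired
]


def is_allowed(role, dataset):
    """Least privilege: a request is allowed only if the dataset is in the role's scope."""
    return dataset in ROLE_SCOPES.get(role, set())


def evaluate(events, max_per_hour=MAX_RECORDS_PER_HOUR):
    """Apply the scope check to each event and track read volume per user.

    Returns denied requests as (user, dataset) and volume alerts as (user, total),
    alerting at most once per user so a sustained pull does not flood the queue.
    """
    denied, volume_alerts = [], []
    window = defaultdict(list)  # user -> [(timestamp, count)] within the trailing hour
    alerted = set()
    for ts_iso, user, role, dataset, count in sorted(events):
        ts = datetime.fromisoformat(ts_iso)
        if not is_allowed(role, dataset):
            denied.append((user, dataset))
            continue  # a denied request moves no data, so it adds nothing to volume
        recent = [(t, c) for t, c in window[user] if ts - t < timedelta(hours=1)]
        recent.append((ts, count))
        window[user] = recent
        total = sum(c for _, c in recent)
        if total > max_per_hour and user not in alerted:
            volume_alerts.append((user, total))
            alerted.add(user)
    return {"denied": denied, "volume_alerts": volume_alerts}


if __name__ == "__main__":
    result = evaluate(EVENTS)
    print("denied:", result["denied"])
    print("volume alerts:", result["volume_alerts"])
```

The scope check is what removes the "administrators who have access to everything" pattern; the volume check is what makes a stolen but valid credential visible, since an attacker who has bribed or phished their way in will pass every scope check and differ from the real employee mainly in how much they take and how fast.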
Cybersecurity is key to unlocking innovation
Many companies see cybersecurity as a “gatekeeping” function that slows down other parts of the business. But within Amazon, security work is seen as a business accelerator, according to Schmidt, who says that’s a mindset shift that many companies may still need to make.
Schmidt advises CEOs to measure their security teams by “how they're increasing velocity versus slowing things down.” Is your CISO or head of data asking how they can enable a new product, not simply policing and blocking what people do?
“I personally view the use of the word ‘no,’ in a security context, as a failure,” Schmidt says. Stopping something from happening may feel prudent in the short term, but saying no all the time will stop a company from growing in areas where it needs to innovate, he contends. Perhaps worse, he adds, it will eventually frustrate product builders and may lead them to find ways to circumvent the security team as much as possible. Ideally, companies want to engender just the opposite: early and frequent collaboration between engineers, product teams, and security leaders.
Play the long game
As CSO at one of the world’s largest companies, Schmidt is no longer working in the tactical day-to-day of cybersecurity. Instead he’s playing the long game, planning for 3 to 5 years out, studying how malicious actors might be evolving, and what kind of investments may be required to maintain strong defenses.
Security teams at companies of all sizes should be doing the same, he says. They ought to be looking out for emerging tech, and launching upgrades now that may take a few years to roll out. “Many years ago, Amazon started moving over to hardware multi-factor authentication because we saw the evolving threats from both the nation-state actors and the social engineering-slash-ransomware organizations,” says the CSO. “Making that change took us four or five years because of the size of our company, even though we're a really tech-focused organization, so most companies out there have to figure out: ‘What are the threats that are going to be facing me? What are the techniques that I need to start investing in now in order to protect myself against those threats?’”
Have an insider tip or a story idea? Do share! Contact me at lila.maclellan@fortune.com, or through secure messaging app Signal at (646) 820-9525.