September 11, 2018
Why Your Business Is Likely to Get Hacked — Part 1
Security is about the questions, not about having all the answers.
In our work with customers, we often see that organizations work on their information and cybersecurity in a checklist format. Do I have all the things in place that I’ve been told I’m supposed to? Firewall? Check. SIEM? Check. Encryption? Check. Strong passwords? Check — and the list goes on and on in this very static way.
While this list can be a helpful baseline, the checklist mindset is also a large part of why so many companies fall prey to attacks: it confirms that controls exist without asking whether they address the threats this particular business faces. Instead of inserting what we think the answers are, we need to start asking better questions. The biggest question, and the one most often overlooked, is both simple and complex: Why are we vulnerable?
Why Are We Vulnerable?
Understanding both elementary and advanced threats in the context of a risk-based framework is imperative, and asking why we are vulnerable is the start. This could involve a slew of reasons, but for the sake of this conversation, let’s talk about some of the most relevant.
First and foremost, the proliferation of connected digital devices has expanded the attack surface enormously: malware arrives over internet connections, personal data accumulates on corporate networks, corporate data leaves those networks, and every new connection is a potential path for a malicious attack. We are more connected than ever, and this brings new threats into the fold.
Second, there are additional risks from new and emerging technologies. Cloud computing, both Software as a Service (SaaS) and Infrastructure as a Service (IaaS), poses new challenges. On IaaS, poor initial design is the lead culprit. We often assume that the provider secures our application, when in reality the provider covers the physical facility and the underlying platform; the configuration of our virtual networks, the hardening of our operating systems, the identities and permissions we grant, and the application and data we put on top remain our responsibility. With SaaS, we find that the native security controls rarely match what we would build on-premises, so we need to add controls (data loss prevention, role-based access control, encryption and so on) to reach the level we have in our traditional data centers.
The next big one is data integrity. This is one of the tenets of the CIA triad (confidentiality, integrity and availability). To put the importance of this in a question form, we all should be asking, “Can we trust our data over its entire lifecycle?”
This starts by accepting that the bad guys are likely already inside our organization and on some part of our network. If we operate on the assumption that bad actors are after the things we hold (money, IP, data), we naturally start building the security model around the data itself: who may change it, how every change is recorded and how tampering is detected. That is what ensuring data integrity means in practice.
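Concretely, building the model around the data itself can mean making every record tamper-evident, so that a change made anywhere in its lifecycle (in the database, in a backup, in a log shipped off-site) is detected when the record is read back rather than silently trusted. The following Python is an added example, not code from the original post or from any product it describes; the key, the sample payment record and the helper names seal and verify are assumptions chosen for illustration.

```python
"""Tamper-evident records: each record carries an HMAC computed under a key the
application controls. Anyone who can write to the data store but does not hold
the key cannot produce a valid tag for modified content, so modification is
detected on read."""
import hashlib
import hmac
import json

# Constructed example key. In practice it comes from a secrets manager or KMS
# and is never stored next to the data it protects.
KEY = b"example-key-not-for-production"


def canonical(record: dict) -> bytes:
    # Deterministic serialization so the same content always yields the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = KEY) -> dict:
    """Return a copy of `record` carrying an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "mac": tag}


def verify(sealed: dict, key: bytes = KEY) -> bool:
    """True only if the stored tag matches a fresh HMAC of the record's other fields."""
    if "mac" not in sealed:
        return False
    body = {k: v for k, v in sealed.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not reveal where the tags differ.
    return hmac.compare_digest(expected, sealed["mac"])


# Constructed sample record (a payment instruction), sealed when it was written.
ORIGINAL = seal({"id": 1042, "payee": "ACME Supplies", "amount_cents": 125000})


def demo_tamper() -> tuple:
    """Exercise the three cases a practitioner cares about."""
    # Read back unchanged: integrity holds.
    untouched = verify(ORIGINAL)
    # An attacker with write access to the database changes the payee but
    # cannot recompute the tag without the key.
    tampered = dict(ORIGINAL, payee="Mallory Ltd")
    # Stripping the tag entirely must not make the record trusted either.
    stripped = {k: v for k, v in ORIGINAL.items() if k != "mac"}
    return untouched, verify(tampered), verify(stripped)


if __name__ == "__main__":
    print(demo_tamper())  # (True, False, False)
```

The point is less the HMAC than where the trust boundary sits: the application that reads the record, not the storage layer, decides whether the data is trustworthy, and it can do so for backups and exported copies just as well as for the live database.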
Finally, there is the one vulnerability we all know: employee awareness. This isn't about pointing the finger at users; it's about recognizing that systems and software alone can't cure all ills. We must address the "who," not just the "what," to ensure that vulnerabilities are shored up.
How Do We Plug the Dam?
The area with the biggest deficiency is the creation and adoption of an incident response plan (IRP). To be truly effective, an IRP needs to cover the response to a data breach, drive rapid response and, most important, guide coworkers at all levels in what to do. This can seem an arduous task, but starting simply is the best bet. If your organization doesn't have a seasoned incident response analyst, there are external resources that can assist from start to finish.
Next, we must recognize that there is not enough employee awareness. While employee awareness started primarily around phishing, it has grown to cover improving data privacy, guarding against vishing (voice) and smishing (text), surfing the internet and shopping online safely, and even dealing with security threats that may lurk in personal devices (cars, connected products, etc.). Designating our coworkers as gatekeepers instead of treating them as passive observers is key to filling in holes.
While it’s helpful to know about some of the vulnerabilities out there, at the end of the day, we all need to do something about them. So, before we jump into specific services and offerings, we need to consider what a robust strategy and end-state vision looks like.
At the core of cybersecurity, three tenets should guide the vision. First, we need to build resilience. Simply put, we need to ensure there is an inherent ability to respond to and recover from a breach. Most resilience is built to cover things out of our control: failed power, weather phenomena, fire and the like. It is important to note, though, that there is a distinction between uncontrollable events and malicious people: a storm does not adapt to your recovery plan, but an attacker will. Are you including bad actors in your potential issues when building resilience?
Next, we must have a strategy to sustain operations. Cataloging existing capabilities and prioritizing them from an operational aspect is the start; from there we can work backward and build the resilience to sustain those operations in the event of an incident.
Finally, we need to consider how our cybersecurity strategy fits into the business; more specifically, how does it help boost economic performance? Does it provide client assurance, solidify a business continuity plan or even add secure features that can drive flexible data sharing and collaboration?
The art of the possible is wide and deep, but if we focus and spend some time prioritizing the most impactful threats and framing those in the context of risk, we can get better at asking questions and really start to see why we are vulnerable.
Check back soon — in Part 2 of this series, we’ll look at some more specific examples of covering vulnerabilities.