5 sins cybersecurity executives should avoid
- 04 January, 2016 16:39
With the advent of 2016, I was tempted to touch upon my thoughts on what the future of the cyberlandscape will hold, prognosticating trends and shifts and what the next big threat would be. However, upon deeper reflection and further review of 2015, I’ve decided to focus on what we as cybersecurity executives have control of and can influence, as those have a direct and more profound impact on the organizations we steward.
The “Five Sins” may seem hyperbolic but given the fact that organizations are continuing to make the same mistakes without trying to rectify them, I think it’s fitting particularly at the end of the year when we aspire to be better than we were yesterday, but not as good as we hope to be tomorrow.
Trying to be perfect. The one constant in cybersecurity is that the bad guys have a marked advantage over the good guys. Network defenders try to remain vigilant against an onslaught of automated and targeted attacks that seek to exploit vulnerabilities to gain unauthorized access into their networks.
The adage, “attackers have to be successful only once; defenders have to be successful all the time” holds true in cyberspace. This is our reality the current condition. However, trying to make our networks 100 percent impenetrable is an inconceivable path forward as myriad anecdotes have shown that even the most robust and layered security networks get penetrated sooner or later.
By shifting focus from trying to deter all attacks toward a more risk management focused approach allows organizations to understand their cyberthreat profiles to support a strategic cybersecure posture. Identifying, analyzing, and prioritizing threats will better position organizations to allocate material, fiscal, and personnel resources accordingly, the results of which should bolster resiliency and recovery capabilities when breaches occur.
Betting on cyberinsurance equaling security. By its definition, insurance is protection, in many times in the form of guaranteed compensation, provided to an organization against a possible eventuality. In 2015, cyberinsurance gained significant traction as a must-have for many organizations, particularly as more breaches were reported on and class action lawsuits were filed against organizations such as Target by those impacted by data losses.
Like most insurance, cyberinsurance will help organizations absorb some of the costs that may occur after a breach. Granted, the exact particulars and amounts of coverage will largely depend on the type of coverage purchased, but in a time when surreptitious theft of sensitive and personal information is increasing, organizations will need to balance that risk mitigation investment with other investments such as those supporting continuity of operations. But just because much of the expenses associated with a breach may be covered by an insurance policy doesn’t mean that’s the only security an organization needs.
With a proper policy in place that best meets the need of your organization, cyberinsurance can support an organization’s resiliency, integrate with a risk management focused cybersecurity strategy, and protect an organization’s brand by demonstrating its commitment to protecting its assets thereby promoting public confidence.
Thinking that cybersecurity is a one-and-done solution. Layering cyberdefenses and purchasing advanced technical solutions is a necessity for any organization. As technology continues to advance, cybersecurity tools and products develop with it enhancing organizations’ abilities to quickly identify threats, reduce their response time to them, and ensure that business operations do not suffer long periods of inoperability as a result. But buying the most sophisticated monitoring device or data loss protection solution is not a panacea to breaches, theft of sensitive information, or other forms of cybermalfeasance.
A capable cyberdefense strategy will include defense monitoring that occurs on a 24x7x365 basis. Considering that in 2014, there were approximately 143 million malware samples, roughly 12 million new variants a month, in addition to at least 24 previously unknown vulnerabilities for which detection would not have been possible, it’s easy to see why organizations cannot rely on the productivity of technology as their sole defense mechanism. Integration of technical solutions, proactive threat intelligence reporting, and an analyst team compromised of both technical and strategic threat analysts to communicate important information up the chain is a critical security reality for organizations in 2016.
Forgetting about getting employee buy in. It’s long been maintained that the weakest link in most cybersecurity apparatuses is not an unpatched or misconfigured device, but the human factor. This should come as little surprise given the fact that phishing and spearphishing attacks remain a favored tactic used by hacktivists, criminals, and cyberespionage actors alike. Most e-mail message-based attacks do not involve advanced malware, although certainly they can. What they seek to exploit most of all is the recipient – whether it’s his trust, his lackadaisical approach to security, his interest in specific topics, or any other human factor that can be manipulated.
Developing a cybersecurity culture starts with ensuring that an organization’s employees including senior-level officers understand their part to preserving the confidentiality, integrity, and accessibility of their information systems and the information resident on them. Training should not be a yearly event but an ongoing process educating all employees of the threat landscape, particularly as it applies to their organization or the business that it’s in, as well any significant developments that need to be socialized among the group.
In this paradigm, cybersecurity is a common denominator, bridging the gap between the C-Suite and the most junior employees. Getting organizational buy-in to commit to improving cybersecurity is best led from the top down with accountability shared equally among everyone.
Not having enough focus on an incident response plan. As the year of some of the most prolific breaches comes to a close, how organizations that were victimized handled the breaches is a direct reflection of the plans they had in place. Breach response is more than just a reaction to an infiltration; it needs to be a legitimate course of action that an organization had developed and tested in times of crisis. Perhaps more importantly, organizations need to have confidence in the plans they have developed.
In a 2015 study conducted by the Ponemon Institute, 81 percent of respondents said their company had a breach response plan, but only 34 percent believed they were effective. While there is no conclusive template in developing a breach response plan, a good breach response plan will include risk assessments, business impact assessments, disaster recovery and continuity of operations models, contact list of appropriate law enforcement entities, forensics companies, and a post breach communications strategy to provide transparent and updated information as necessary. The Target breach introduced the greater public to realities of large amounts of data theft, but it also provided a lesson in crisis communication. Sticking your head in the sand is not a viable option in 2016 and organizations need to be prepared.
With the New Year here, I was tempted to alter the title of this piece to reflect the cybersecurity resolutions that executives need to undertake. But to say that the above five areas should be “resolutions” would be a misnomer, as resolutions are often superfluous gestures that are soon forgotten. These are sins for executives as they cover areas that are well known and about which there is substantive literature. There is no excuse for not implementing them. We need to be better and we need to start now.