With the WannaCry ransomware still wreaking havoc across the globe, most business leaders are finding themselves discussing cybersecurity within their organization. As these types of events become more common, it's hard to get away from the security dialogue.
What is also true is the continued narrative of achieving a 'secure network'. It's likely your product vendors are taking recent events as an opportunity to remind you 'how wonderful their innovation is' and how 'they stopped WannaCry on their customers' networks'. Or perhaps you received an email from the CEO of your outsourced IT company reflecting on the recent outbreak and informing you 'how wonderful of a job they're doing to keep you secure'.
Does any of this make you feel secure? It shouldn’t.
For decades, the technology industry has been on a pursuit for the holy grail of prevention. The notion was that if you spent enough money, then you could stop a breach. If you simply did what your IT vendor said, bought that new firewall, upgraded your software, etc., then you'd be safe. Today's reality? This couldn't be further from the truth. While prevention is crucial, it's not enough. You simply cannot spend enough money to prevent your organization from becoming a victim. There is no such thing as a 'secure network', only varying levels of insecurity.
The fundamental issue is what we think we already know. Our faith in AV software, the latest firewall, encryption technologies, or that cool 'monitoring software' your MSP always tells you about has blindly led us to a place of false assurance. In most cases, business leaders and boards simply do not want to hear that it's not enough. If most other business issues can be solved with time and money, then why not cybersecurity? As a former owner of an IT engineering firm, and the current owner of a cybersecurity firm, I can unequivocally tell you that no network is impenetrable - a reality that business executives and security professionals alike have to accept. Yet it is the organizations that can 'detect' and 'respond' that achieve the most success.
Effective cybersecurity is a perpetual process, not an event or a product. Mitigation is not a set-it-and-forget-it proposition; it requires an ongoing evolution of awareness, vigilance, training, and CxO engagement. It's the understanding that prevention will fail, and that legitimate cyber defense (detection and response) must be at the core of your cybersecurity program. Industry data suggests that most breaches go unnoticed for months - allowing attackers ample time to carry out their mission. The most pervasive breaches in recent years weren't necessarily the result of elaborate nation-state code or corporate espionage, but rather subtle attacks on the human element (i.e. social engineering), followed by the attacker remaining undetected for weeks, months, or even years. Take the 2013 Target credit card breach, for example: the threat actors exfiltrated credit card data for months, via FTP, without being 'detected'. In non-technical terms, the attackers used 35-year-old technology to send customer data out of the corporate network. The millions of dollars Target invested in prevention technologies did nothing to stop the ongoing breach. In this case (and cases like it), it's the subsequent detection failure, not the initial intrusion, that defined the event.
This premise holds true for all businesses. Whether you're a 10-employee small business or a Fortune 100 corporation, the ability to detect and respond is an absolute requirement.
What can your business do? What are some practical next steps?
- Begin an employee awareness and training program. The fact is, attackers relentlessly target and single out employees. If your staff hasn't been trained to spot this behavior, the attackers will be successful. Data suggests nearly 75% of all successful breaches begin with compromised staff.
- Begin to develop a culture of security. Security is no longer an 'IT' issue; it is first and foremost a people issue.
- Invest in a professional vulnerability assessment and penetration test to demonstrate real-world risk within your organization. This should be more than a 'generated report'. A good cybersecurity firm will offer sound guidance, taking into account your business, your people, and your mission.
- Embrace the need for a truly integrated risk analysis and management process, one that is reviewed and adjusted regularly. Here are just a few of the triggers that should warrant a reassessment of your security posture: 1) any major new technology purchase or change in business operations, 2) whenever new regulations or compliance measures are on the horizon, 3) if you've experienced a security incident, and 4) a change in ownership or turnover in key staff.