Cybersecurity: The Silver Bullet Myth

Re-posted from LinkedIn

Ten years ago, the industry frowned upon security professionals who overstated the cyber threat.  It was considered bad form to try and scare a potential customer into purchasing your products or services using hyperbole and improbable scenarios.

Nowadays we are faced, ironically enough, with a contradictory problem.  It’s almost impossible to exaggerate the cyber threat.  In fact, security professionals find it difficult to accurately convey the seriousness of the cyber threat without coming across as a modern-day Chicken Little claiming that the sky is, indeed, falling.

What all businesses, both large and small, need to understand is that there is no silver bullet to address the cybersecurity problem for a variety of reasons:

  1. The population of the Internet has hit critical mass
  2. Data is easily monetized through direct sales or ransom-ware
  3. Hacktivists have a low risk, high impact platform from which to speak
  4. State-sponsored attackers from lesser developed countries have everything to gain and very little to lose when they attack U.S. interests
  5. Companies are moving to “The Cloud” under the assumption that their data is safe, a false assumption that Jennifer Lawrence and other celebrities unfortunately discovered*

What is an average business to do if even large organizations with multi-million dollar cybersecurity budgets cannot prevent a data breach?  The over-simplified answer to this question 10 years ago was to throw in a firewall and make sure your workstations and servers were protected with an anti-virus solution.  Obviously, this is no longer the answer as Sony, Anthem, J.P. Morgan, Target, and most recently the government’s Office of Personnel Management can all attest to since they all had firewalls and anti-virus solutions in place.  And these large, high-profile companies are just the tip of the iceberg due to their media-worthiness.  The thousands of smaller organizations that publicly disclosed that they were victims of a data breach in the last 18 months (mostly due to breach laws) flew under the radar of mainstream media since they lack the name recognition that brings in ratings and readership.  By the way, many of those smaller organizations had firewalls and anti-virus, also.

So, what can you do to protect your business against today’s cyber threat?  You will not be able to purchase enough technology to prevent an attack.  You will not be able to hire enough cybersecurity professionals to stop a cyber-infiltration.  You will not be able to institutionalize enough policies, processes or procedures to prevent employees from clicking on an infected email or website.  What you can do, though, is take a risk-based approach to protecting your company’s information and data assets by:

  1. Acknowledging that you are, indeed, a worthwhile and globally accessible target
  2. Accepting that your IT department, while certainly part of the solution, may not be qualified to handle all of your organization’s cybersecurity needs
  3. Understanding that technologies such as firewalls, anti-virus, and password-based credentials are easily bypassed and of limited use without a dedicated and qualified cybersecurity team (in-house or third party) to monitor, triage and react to security events
  4. Building and investing in a cybersecurity program that aligns to organizational goals and assists in mitigating business risk by knowing where your important/sensitive data resides, and focusing resources proportionate to the criticality of your data assets

The cyber landscape has undergone a tectonic shift, and decision makers that do not devote resources to cybersecurity in meaningful ways are gambling with their company’s reputation and intellectual property, employees’ private information and customers’ private information.  Start with the four steps mentioned above and manage the risk in a way that accurately reflects the value of the information you have been entrusted to protect.

 

*I am a supporter of “The Cloud” in many situations.  And a strong argument can be made that data is safer in the hands of the likes of Amazon or Microsoft, two organizations that have an incentive to be more secure than the average organization.  The problem is that “safer” does not mean an organization no longer has responsibility or liability for the data that resides on a Cloud provider’s servers.  There are still many ways for threat actors to steal data that resides in “The Cloud”, and targeting end-users’ credentials is one very effective method.

 

Written by Craig Naylor