It’s human nature to fix our attention on the most dramatic threats to our safety while ignoring the more probable hazards. It works the same way in cybersecurity as it does in our personal calculus of shark attacks vs. everyday clumsiness. If we spend too much time preparing for sophisticated zero-day attacks, or are lulled into complacency by the assurances of a shiny new software solution, we tend to pull attention and time away from the elements we know are most likely to protect or expose us. Malicious hackers’ relentless inventiveness and tactical sophistication have allowed a handful of malware families to continue infiltrating and damaging networks for an astonishingly long time. Still, evasive malware strategies aren’t entirely to blame for why the same vulnerabilities persist for years.
It’s the fundamentals that will be our undoing — but they could also be our saving grace. Verizon’s Data Breach Investigations Report highlighted this dynamic yet again in 2018. A vast majority of breaches fall into the same nine patterns Verizon identified in 2014. Their calculations reveal that 94 percent of security incidents and 90 percent of data breaches continue to fall within one of these original patterns, including web applications, privilege misuse, point of sale, crimeware, denial of service, and lost or stolen assets. Ransomware still holds the top spot as the most common type of malware (used in more than half of incidents where specific malware was found); command and control malware ranks a significant second (36 percent).
The bad news is, we don’t seem to be learning from our mistakes as quickly as we should. The good news is, raising security awareness across the enterprise doesn’t require capital investments or complex upgrades. It requires diligence, leadership, and contextual threat intelligence — and it starts in the C-suite.
Reducing the Risk of Attack
Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach, and it no longer provides the required protection. Cyber resilience requires recognition that organisations must prepare now to deal with severe impacts from cyber threats that are impossible to predict. Organisations must extend risk management to include risk resilience in order to manage, respond to and mitigate any negative impacts of cyberspace activity.
Cyber resilience also requires that organisations have the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents. This means assembling multidisciplinary teams from businesses and functions across the organisation, and beyond, to develop and test plans for when breaches and attacks occur. This team should be able to respond quickly to an incident by communicating with all parts of the organisation, individuals who might have been compromised, shareholders, regulators and other stakeholders who might be affected.
Cyber resilience is all about ensuring the sustainability and success of an organisation, even when it has been subjected to the almost inescapable attack. By adopting a realistic, broad-based, collaborative approach to cyber security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber threats and respond quickly and appropriately.
Focus on the Fundamentals
Business leaders recognize the enormous benefits of cyberspace and how the Internet greatly increases innovation, collaboration, productivity, competitiveness and engagement with customers. Unfortunately, they have difficulty assessing the risks versus the rewards. One thing that organisations must do is ensure they have standard security measures in place. This means going well beyond implementing the latest security tools.
Cisco’s annual security report for 2018 found that CISOs are making increasing use of automation (83 percent) and AI (74 percent) to help them reach security objectives. On the other hand, the report also found that many of the most damaging and widespread attacks of the past year (WannaCry, NotPetya, etc.) could have been minimized by fundamental defenses such as network segmenting, patching, and thorough incident response plans. These fundamental shortcomings are a good place to start if you’re looking to fortify your existing defenses.
In preparation for making your organisation more cyber resilient, here is a short list of next steps that I believe businesses should implement to better prepare themselves:
Focus on the Basics
- Include Both People and Technology
- Adopt Policies and Procedures to Engage
Prepare for the Future
- Be Ready to Support New Business Initiatives
- Align Security with Risk Management
Change your Thinking About Cyber Threats
- Think Risk and Resilience
Re-assess the Risks to Your Organisation and its Information from the Inside Out
- Inside and Outside the Organisation
- Share Intelligence
Revise Information Security Arrangements
- Collaborate and Share Insights
- Understand Your Vulnerabilities
Every organisation is vulnerable to cyber-attacks. Companies that prioritize well-equipped security programs and widespread security awareness are more prepared to survive breaches and be ready for growth opportunities. Senior executives and boards have to remain consistently engaged and make better decisions about aligning business and security objectives, managing risk, protecting brand reputation, and responding effectively to incidents.
It’s imperative that every organization develops and maintains a thorough understanding of specific weak points, mission-critical information assets, and industry-specific threat vectors. Security leaders who closely manage insider threats, develop stronger contextual awareness, and leverage threat intelligence ensure that their organization is ready and resilient enough to withstand the inevitable attacks and get back to business.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.