The mere mention of cybersecurity invokes a perception of reality that seems universally accepted — by industry professionals as well as the public at large. Threats abound and vulnerabilities are pervasive in the world of the Internet. Attacks by evildoers from the outside are inevitable and increasing in frequency. Our technical people must be prepared to respond with the latest technology when an incident occurs in order to mitigate the impact and restore operations to normal. In the words of Mark Twain (or was it Henry Ford, maybe Albert Einstein) regarding the definition of insanity: “If you always do what you’ve always done….”
Cybersecurity is what you do — not something that you buy
I argue that virtually every one of the aforementioned statements is self-defeating, ineffective, and fails to address modern cybersecurity realities. Not every Internet threat and vulnerability is applicable to your organization. While many risks are common among and within industries and sectors, no single set of factors affects everyone equally. Even those running the same operating system and using many of the same apps have different missions, on-hand talent, supply chains, technical and operational architectures, and policies and processes. Yet many seem to want to fret about every potential threat on the horizon rather than focus only on what matters to their own enterprise. Don’t get depressed about the state of cybersecurity in general. Continually do a thorough risk assessment and a broad analysis of your sphere of activities, and seek to protect those activities rather than just securing technical systems. Oftentimes the answer lies in a different procedure, data structure, or employee training program—not in buying the promise of yet another technical solution.
Real cybersecurity threats are people-based and most often emanate from inside organizations—not from the outside. For the last several years, study after study has shown that virtually all cybersecurity compromises involved some behavior internal to the breached enterprise as the main source of the evildoer’s infiltration. Through social engineering and human error or carelessness, evildoers follow the low-tech path of least resistance to gain access to a network. They usually operate as an authorized user and go undetected for weeks, even months. Then, operating from the inside, the evildoers use technology to carry out their attacks. I’ve posted over 400 tweets about the cybersecurity industry over the past two years — almost two-thirds of them addressed the real cybersecurity challenge that faces us, that of people and insider behavior and threats.
Cybersecurity is about people — not technology
The inescapable conclusion is that data loss and theft continue to increase for two primary reasons — insider actions and the ever-changing evildoer tactics that take advantage of that behavior.
Multiple studies cite insider negligence as twice as likely to cause breaches as other culprits, including external hackers, malicious employees, and contractors. The vast majority of breaches occur around email, file systems, and web-enabled apps — where most sensitive organizational data moves and lives. Attack vectors are socially engineered to exploit the most mundane of user behaviors, like weak passwords and phishing emails. Last year’s WannaCry ransomware attack was an excellent example: companies were exploited because they didn’t practice good cybersecurity hygiene and follow well-known, established procedures. Despite awareness of the need for cybersecurity, far too many aren’t taking proactive measures to address today’s threats — unfortunately, that’s true even of our technical people.
Evildoers continually adjust their tactics, as evidenced by the escalating impact of their attacks on our connected world. As innovators find more uses for cyber, the potential exposure and the number of attackable surfaces are increasing at a geometric pace. To some extent, the evildoers are more agile than we are in adopting new technologies through Artificial Intelligence and machine-to-machine learning! And they are way too effective at targeting our weakest link — our people.
Do you embed a security culture throughout your organization? How well (or how poorly) do you vet and educate your talent, continuously monitor your digital environment, control the tangible assets that touch the virtual environment, and grow the ecosystem through strong, integrated governance? Or is the leadership buy-in within your organization a “bureaucratic placebo”? Are you more worried about your systems than about your mission, organizational activities, and data? To be sure, cybersecurity professionals cannot, by themselves, solve today’s cybersecurity issues. That takes the entire organization, since we are our own worst enemy!