A holistic approach to combating cyber threats
We seem to hear about a major cybersecurity breach or a ransom-ware attack almost on a daily basis. And this isn’t going to change anytime soon and the main reason for that is the Internet was never meant to be used the way we are currently using it.
This is where the Internet started – Room 3420 at the University of California, Los Angeles’s Boetler Hall. This was the home of UCLA’s Network Measurement Center and back in 1969 the Advanced Research Projects Agency Network (ARPANET) which developed the network that became the basis for the Internet. It existed as a channel for physicists to pass research back and forth. It was a small, closed community. However, this design was robust enough to be scaled up many orders of magnitude to the Internet of today without any fundamental changes to the design or security model. We now use the Internet for banking, business, education and national defense. We helplessly rely on the Internet for everything, yet it is riddled with holes and glitches. Also, many of the software and web applications that we use has bugs with exploitable security holes that the bad actors are taking advantage of. To make it worse, many in the leadership team at organizations worldwide are unaware of the cyber threats. Their usual mentality is -
"We haven’t had any breach yet, so we don’t need to ramp up investment in cybersecurity"
No, chances are you already have a bad actor lurking in your organization's system, waiting to strike. The chance of every organization having a data breach is 100%. Here is what a former FBI Director said at a security conference regarding this:
The impact of a major cyber-attack to an organization’s brand, reputation, and business operations can be catastrophic. Weaknesses in information security can jeopardize your mission, threaten your profitability, and invite fines and penalties from regulatory bodies.
Answering the question, “Is an organization secure?” requires a comprehensive assessment of its operating environment and its specific business needs. Ultimately, implementing a cost-effective cybersecurity framework includes careful consideration of how you identify, protect, and recover critical assets, as well as detect and respond to security breaches. Unfortunately, what I have seen at different organizations is that majority of the efforts have been heavily skewed toward finding technological solutions. Yet, experts estimate that between 70-80% of the cost attributed to cyber-attacks is actually a result of human error. Things as simple as clicking on a malicious link, opening the wrong email attachment, using a public WiFi or using an insecure USB drive can be devastating to network security. The strongest security network in the world is only as good as the human with the password.
Cyber risk mitigation is a journey, not a destination. With each step in the process, the organization has an incrementally better cyber risk mitigation posture. As the cyber threat landscape changes - with new risks, new vulnerabilities, new businesses, the journey continues. I recommend a series of recursive steps for every organization to use by following a well known security framework to create a new cybersecurity program or improve it's existing cybersecurity program. It's critical that the Cybersecurity practice addresses any weaknesses in the organization's functional structure (people and processes), before turning to technical products as potential solutions.
In the movie Matrix Reload, Neo was seen successfully stopping bullets by waving his hand. If you are in charge of cybersecurity or operations at your organization, you will have to stop all the cyber attacks coming at you. If you let one of them pass through, you may end up having a major data breach and maybe out of a job. I hope your organization starts taking the necessary actions to secure themselves and not be the next cyber breach news we read about in the media.