By: Tyler Ward, VP of Security
There's a lot of information out there on the frequency and types of cyber attacks dominating today's landscape, but some of the most compelling statistics are:
- 92% of malware is delivered by email.
- 77% of compromised attacks were file-less in 2017.
- The average cost of an attack to an organization is $5 million.
- It takes organizations an average of 191 days to identify a data breach.
- 40%-50% of organizations have experienced data breaches and 74% don’t know how it happened.
Looking at the above, it is easy to understand why organizations are saying “it is not a matter of if, but when”. However, we do not have to accept this. This is the worst attitude that organizations can have regarding cybersecurity; your organization is not destined to become a statistic and you should be standing up against the status quo.
If you are a CSO, CTO, CISO, IT Manager, or Director, you are faced with a never-ending onslaught of vendors that propose solutions that will solve your cyber woes. Each one of them has something to offer that no other business can. Everyone seems to have the solution that your business is lacking.
So, you budget, you buy in, you deploy, and you are still breached. Why? Well, 74% of organizations don’t know how it happened. There is a foundational problem that we need to be talking about today—not tomorrow or next fiscal quarter. It costs almost nothing to begin discussions around your cybersecurity posture.
Don’t Accept Cyber-Mediocracy
If you are reading about data breaches in the news and thinking to yourself that it is only a matter of time before this becomes your problem, don’t despair. You are not alone. The majority of organizations have no clear plan of action for a sustainable cybersecurity future. This is not a 50-yard dash; it is a super marathon, and everyone needs to be involved. If your organization does not have a firm grasp on your cyber-resiliency, my first bit of advice is to seek expertise in this area. This does not mean that you need to find another internal employee to lead this effort, but you should be establishing a relationship with a firm that knows the ropes. Before you budget for your next piece of technology, consider your next move as one that involves an experienced firm that is well-versed in, at least, the following:
· Ethical Hacking/Offensive Security
· Incident Response/Defensive Security
· Compliance (NIST, DFARS, PCI, HIPAA, NYS-DFS, SOX, etc.)
· Security Engineering
· Vulnerability Management
· Business Experience*
One Shoe Fits One Foot
Most importantly, your selection should only include a firm that takes the time to first understand your business. Your business is not like the others and neither is your cyber-strategy. What works for one organization may not be the best fit for you—and be wary of a company that tries to tell you otherwise.
There is a high probability that your organization has the tools and technologies to enhance your cybersecurity posture right now, without the immediate need to blow the budget. The incumbent firm should roll up their sleeves and listen to your organizational needs to develop the best strategy while simultaneously recommending industry-trusted security best practices. Their approach should include various verticals as well. Physical security, information security, digital security, cybersecurity, IT security, IoT security, and industrial control security are not created equal. Different businesses and missions require customized approaches.
Thieves Want Your Data
The value of your data may not be as directly monetary as payment card information, but data classification includes some intangibles as well. Even if your organization does not hold social security numbers, payment/financial information, military/government secrets, or medical records, you’re not out of the weeds yet; remember that cyber-attackers are not that selective. Your data is worth something to someone, and attackers may have a bead on you. The firm should take a significant amount of time to accurately map your data and categorize your system boundaries. If you must protect the entire environment and every single system to the same degree, this could wind up a very expensive operation.
I will reiterate a paramount point: the experts that you are seeking should have extensive experience in offensive security and incident/breach response. Most firms that offer cybersecurity services couldn’t hack their way out of a wet paper bag. Others have never responded to a single data breach or cybersecurity incident. If you are able to locate professionals that have experience on both sides of the playing field, seize the moment. These types of professionals are able to provide an independent and unbiased vision for your organization. Look for firms that have experience on the front lines of both offensive and defensive operations. When these types of professionals recommend solutions for your organization, those recommendations come from the past mistakes that organizations have made, mistakes that led to data breaches and cybersecurity incidents.
Get Back to the Basics
Keep it simple and start by establishing relationships with key partners. If your organization does not currently retain the high-caliber cyber-professionals that you need, start looking today. Merely contacting subject matter experts could yield tremendous benefits to you and your organization in the near or distant future. Ensure that the professionals are examining your posture and starting with foundational strategies before delving into the more advanced facets of cybersecurity. If your cyber maturity is at ground-level and a firm is recommending artificial intelligence and machine learning solutions to solve your issues, then we may be putting the cart in front of the toy pony.
1. Addressing Cyber-Confusion: Break down the walls and ask questions.
2. Don’t Accept Cyber-Mediocracy: Statistics are everywhere but your organization does not have to become one.
3. One Shoe Fits One Foot: Choose a partner that wants to understand your organization’s uniqueness.
4. Thieves Want Your Data: The secret sauce that greases the gears of your business exists; identify it.
5. Hire Hackers: Hackers are not bad guys, criminals are. They don't wear hoodies and sometimes own business suits. Get in touch with them.
6. Get Back to the Basics: The foundation supports the house, treat it well.