One of the few things the "experts" seem to agree upon is that cybercrime is a clear and present danger to our national security. These issues have gone way beyond the province of esoteric IT journals and cultish science fiction novels -- they have invaded our daily collective consciousness and well-being as individuals, as families, as companies, as governments, as a society and as a culture at large. Many opine at great length on how the cyber landscape has become the new battleground upon which future wars will be fought: Nations will rise and fall based upon their techno-prowess to aggressively attack and defend against the new breed of cybercriminals.
At a summit at Stanford University earlier this year, President Obama said this of the cyber landscape: "The first computer viruses hit personal computers in the early 1980s, and essentially, we've been in a cyber arms race ever since. … We design new defenses, and then hackers and criminals design new ways to penetrate them. Whether it's phishing or botnets, spyware or malware, and now ransomware, these attacks are getting more and more sophisticated every day."
Blind to the cyberthreat landscape
"Success does not consist in never making mistakes but in never making the same one a second time." -- George Bernard Shaw
So what's the deal here? If this bad stuff has been going on for more than 30 years, why can't we get it under control? In its 2015 Cyberthreat Defense Report (North America & Europe), the CyberEdge Group shared what I considered to be an alarming finding: 71% of respondents said they were affected by a successful cyberattack in 2014; yet only 52% of that 71% expected they would fall victim again in 2015.
Could this be true? What about the other 19%? Feeling a bit skeptical about what I was reading, I checked the research methodology, in particular the demographics of the respondents: 814 IT security decision makers and practitioners, all from organizations with more than 500 employees. The respondents represented seven countries in North America and Europe and 19 industries. Seems pretty comprehensive.
Another study, performed earlier this year by Accenture and titled Business Resilience in the Face of Cyber Risk, reported that 66% of executives experience significant attacks on their IT systems on a daily or weekly basis; yet only 9% of executives run ongoing security penetration or continuity of business/disaster recovery tests on their systems.
A pre-cyber landscape tale
Thinking through the rather pessimistic implications of these findings, I was immediately reminded of an earlier series of incidents, much lower-tech but strikingly related, perpetrated upon a friend of mine roughly 40 (pre-"cyber") years ago. Let's call him Lenny.
Lenny lived near the northern end of Riverside Drive, considered at the time to be one of New York's "frontier" neighborhoods. Lenny prudently chose to drive a beat-up old Plymouth Fury so that he could park his ride on the street inexpensively and relatively inconspicuously, avoiding the significant expense of a Manhattan garage (the cost of which was then, and is now, roughly equivalent to a monthly mortgage payment) while at the same time minimizing the chances of his chariot being "borrowed" or stolen, as is relatively commonplace in frontier neighborhoods.
One day Lenny got into his car, turned the key and -- nothing. Not even that horrible clicking noise that a weak or dead battery makes after it has turned the starter motor over for the last time. Upon investigation, Lenny discovered that his battery had been stolen. Two hours and $50 later, Lenny was back in his car with a new battery installed and off he drove.
Life was good for a couple of days until Lenny returned to his Plymouth for another road trip. He got in, turned the key and, once again, the dreaded sound of silence. For the sake of discretion, I will not repeat Lenny's words in this post. After calming himself down, Lenny realized that his car had become the ideal bad-guy target -- one with a brand-new battery, ripe for stealing again. For a brief moment, Lenny actually felt a sense of admiration for the clever manner in which the crooks were augmenting their inventory.
Back to the auto supply store, a couple of hours and $100 later he returned to his car with yet another new battery and, this time, a security upgrade. Lenny purchased a lock and chain to secure his second new battery. If the bad guys were so smart, he, an Ivy League Ph.D., could surely be smarter. Lenny installed the battery, the chain and the lock. Life was good again and Lenny enjoyed his trip to the country.
The following week Lenny returned to where he had parked his car and discovered that, despite his increased security measures, the bad guys found a workaround -- they stole the entire car. Lenny quickly became a fan of public transportation.
Three hard truths about the cyberthreat landscape
Within the context of today's cyber landscape, there are (at least) three important lessons we can take away from Lenny's experience:
1. When you think you are safe, it is natural to become complacent, which leaves you at your most vulnerable.
2. When you think you have mitigated your risk with enhanced technology, someone will come along with better technology that will significantly increase your risk.
3. Cybersecurity is a continuous journey, not an absolute destination.
The CIO cybersecurity checklist
Given the state of the cyber situation described above (the tip of the iceberg), here are some critical ways and means for CIOs and IT executives to manage their cyberthreat landscape:
1. Ensure everyone in your organization understands that cybersecurity is not just an IT problem; it is everyone's problem. All the advanced technologies, firewalls, passwords, tokens, SDNs and so on, will provide no value if someone inadvertently responds to a phishing, smishing, spoofing or similar low-tech/no-tech attack. Communicate, train, monitor, improve and communicate.
2. Hire, train and retain the best possible cyber talent you can afford. Cyber experts are in high demand, competition is great and compensation is greater. Do not be penny-wise and pound-foolish.
3. Executives have become an extremely popular target group for low-tech or social engineering cyberattacks. They tend to be the least tech-savvy and have access to the most valuable enterprise assets. Successful attacks and breaches on this group tend to be the most visible (and embarrassing), both internally and externally. Communicate, train, monitor, improve and communicate.
4. Most enterprises commonly accept the fact that becoming the target of a cyberattack is a "when" and not an "if." There is no such thing as too much communication, preparation and testing. Communicate, train, monitor, improve and communicate.
5. Ensure you and your team are fully versed in the latest set of external regulations and internal cyber-risk management policies and procedures. Compliance violations are not only embarrassing; fines and penalties are typically significant unbudgeted items. Communicate, train, monitor, improve and communicate.
6. Make sure your incident response process includes well-documented and tested escalation procedures to ensure all the right internal and external stakeholders are notified in a timely manner. Communicate, train, monitor, improve and communicate.
7. Most security experts agree that there is no perfect defense that completely prevents cyberintrusions; the best defense therefore includes early detection of intruders and timely mitigation of the negative impact of malware after it has entered your environment. Acquire and install the best tools that your budget will allow.
8. Spending on cybersecurity should be managed by business case, similar to other IT investments. Not all enterprise assets are created equal, and some must be more fully protected than others. Identify, locate and classify assets based upon the business impact if asset classes are corrupted, lost or stolen, and budget for their individual protection accordingly.
9. Next-generation firewalls, cyberthreat intelligence and analytics are among the most popular areas of IT spending on network security.
10. Ensure that any existing or newly acquired network inspection tools you are running or implementing have the ability to inspect SSL-encrypted traffic, as more and more websites are moving from HTTP to HTTPS.
11. Containerization/microvirtualization technologies are considered "best practice" solutions for endpoint security.
12. When you think you have finished with everything you need to do, go back to No. 1 and start again.
Let me know what you think. Post a comment or drop me a note at firstname.lastname@example.org. Discuss, debate or even argue -- let's continue the conversation.
More from Harvey Koeppel: