An integrated solution to a complex conundrum
Over the years, those tasked with combating cyber threats have fixated on technical solutions. Automation is our panacea, they believe. Large software companies have fed us propaganda and made billions feeding the beast they created. Many businesses dispense vast sums on digital solutions which they are assured will make them safe, yet they still become victims. The solution? Well, defence hasn’t worked. Nor, now, has detection. Are more complex automated solutions really the answer, especially when around 80% of breaches have their genesis in a physical act?
Software patches are regularly issued by vendors. These are to cover vulnerabilities in their software. Adobe has recently released patches for 56 holes in Adobe/Acrobat, and Microsoft six bundles to fix 33 problems in Windows and Office. These are vulnerabilities on top of those patched the month before and those patched the month before that… What vulnerabilities have they missed?
Technical defences are, of course, part of a combined answer. Some solutions are even very good. No human could replicate their contribution. But these defences can only work successfully against vulnerabilities that we know about. They invariably will not – cannot – be effective against vulnerabilities of which we know nothing, the ‘known unknowns’ as Rumsfeld put it. These ‘Zero Day’ vulnerabilities are out there, hackers have access to plenty of them, and, trust me, they are looking for opportunities to use them.
Governments set standards – NIST, CBEST, and 27001, for example – and create laws to ensure they are met. But rules only create start-lines. Any box-checking culture is doomed to fail. Being compliant is not being secure. Arguably, if you think it is, you are even more at risk because you will likely be complacent. The Zero Day threat means that there is a very high chance that all of us face getting breached at some stage, no matter how big or small we are.
Criminals will happily mix cyber attack, physical attack and social engineering to get their job done. Each tiny hole in our overall security is an opportunity for the criminal. We must combat them in a similarly flexible way. Sensible, risk-based, cost-justified security governance is imperative to overarch ALL of our security. Management must lead. Information security is everyone’s responsibility, all of the time. Resilience and crisis management must be in the foundations of our security plans; then the culture has to be honed for perfection.
BeCyberSure offers subscribers an end-to-end ‘Information Security’ solution. This assures that the architecture of their entire digital and physical security is best in class – and stays that way. We then work with the client to strengthen governance and resilience processes. This integrated approach ensures that when (not if) an attack takes place, the subscriber is well placed to respond robustly, block or eject and mitigate before getting back to business swiftly.
CEO of Bronzeye IBRM
Bronzeye IBRM offers an affordable monthly subscription-based information and cyber security service to SMEs and others.