According to the FBI’s James Comey, there are businesses which have been breached and know it, and those who have been breached and don’t. No others.
The phrase ‘Absolute Cyber Security’ is a triple oxymoron. We have three simple rules for achieving absolute cyber security: 1. Don’t own a computer. If you do: 2. Don’t turn it on. If you do: 3. Don’t use it.
We are all, courtesy of propaganda that is constantly pushed our way by mainstream vendors, fixated with automated solutions for our data security needs. A panacea, they say. You will never worry about the protection of your data again, they promise. Well, you cannot create a vaccine against a pathogen of which you know nothing. It follows that nor can you create a solution to a cyber threat that you don’t know you face – no matter what that nice snake-oil salesperson is telling you.
By far the biggest problem we all face is ‘Zero Day’ vulnerabilities. We have no clue what they are or who is deploying them. Unfortunately, criminals have access to many ‘Zero Days’, and they are using them. Further, nobody has yet managed to invent a patch to prevent error or stupidity. A mistake is often all the criminal is waiting for, and may even create, to provide access through which to deploy their ‘Zero Day’.
Over half (55%) of all cyber breaches involve insiders. We must keep in mind that we may not be the ultimate goal. Four in five breaches at large companies have their genesis in the supply chain (think Target Corp.). Smaller companies, where individuals frequently wear several hats and where resources are limited, can provide a good launch pad for attacking a larger enterprise. Frequently, larger companies lack the time, inclination or money to conduct comprehensive checks on suppliers’ cyber security. Many rely on undertakings alone. You will not be loved if you are the original source of a breach higher up.
Attacks can be digital (cyber), physical or socially engineered. Criminals will mix and match whatever combination works. They will frequently access a system to gain intelligence, perhaps based on information they obtained from an insider or social media. Once they have worked out who does what, where, when and how, they can then work out how to exploit this. Believing that you don’t have anything worth stealing is irrelevant (and probably wrong anyway – every company has something of value). You might just be a stepping-stone to greater things.
We must assume that no matter how good our cyber defences are, they may fail. If – and when – they do, you will depend on non-cyber crisis management and other resilience procedures to limit damage and get back to business. Make sure you are ready.
For all of the above reasons, we must ensure that our information security has three aspects: good cyber security, good physical security and a good governance regimen. A robust security culture held together with good management will go a long way towards surviving a cyber breach.
Think human, not cyber. Think security, not compliance. Get integrated, get secure.