[BreachExchange] The 3 Biggest Mistakes In Cybersecurity
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Aug 23 19:59:01 EDT 2016
http://www.information-management.com/news/security/
the-3-biggest-mistakes-in-cybersecurity-10029583-1.html
Everyone, from the small business owner, to senior executives in businesses
of every shape and size are confronting a seemingly insurmountable problem:
Constant and rising cyber security breaches. It seems no matter what we do,
there is always someone that was hacked, a new vulnerability exploited, and
millions of dollars lost.
In an effort to stem the tide people have tried everything: From throwing
money at it by buying the latest and greatest tech gizmos promising
security, to outsourcing cyber security management, to handing it over to
the IT folks to deal with it. And, every time the result is money lost,
productivity decreased, and the attacks continue.
Many business people complain that we’re not just losing a battle here and
there. We’re losing the war. Is that true?
The truth is that those that keep losing their cyber battles and risk
losing the war are making three critical mistakes:
1. They think cyber security is a technology problem.
2. They follow a cyber security check list once-and-done.
3. They don’t have a cyber security awareness training program in place.
First, cyber security is not a technology problem. Far from it. It is a
business-critical problem, and more importantly: It’s a people problem, and
we need to address it at that level.
Second, cyber security is a constantly evolving battlefield. The threats
evolve, the attacks take new paths, the underlying technologies change. A
static check list solves yesterday’s problems, not today’s, and certainly
not tomorrow’s.
Finally, if people don’t understand the threat they will not even see the
attack coming, much less be able to respond and protect themselves. Cyber
security awareness training is the only way to prepare everyone for the new
reality we live and work in.
Cyber security is not an IT problem. It is a risk management problem. This
is easier to understand in you work in a regulated industry. There, the
concept, language, even governance of risk management is part of the daily
lexicon.
Not so with small and mid-market business less familiar with the risk
management function. It doesn’t help that the very nature of the threat and
the way the “payload” of the attack is delivered is via information
technologies. It almost makes sense to have IT deal with cyber security.
But the victims are not the computers. The victims are the businesses and
their people.
More importantly: A company’s Information Technology generates Value. It
does so a myriad different ways depending on the business you are in, from
the actual delivery of goods to clients (e.g. software businesses, data
businesses, media and technology businesses etc.) to complementing,
enhancing, and realizing the mission and vision of the company (law firms,
manufacturing, logistics, healthcare, etc.)
Cyber security, like all risk management, is there to protect value.
Therefore, you can never have cyber security (the value protector) report
to IT (the value creator). That creates a conflict of interest. Just like
IT reports directly to the CEO, so must cyber security. They are parallel
tracks keeping the business train aligned and moving.
Once you have the reporting structure correctly in place, you need to
empower it with executive buy-in and engagement. Cyber security needs your
direction on company goals and risk appetite so they can develop the right
strategy to protect the company’s assets. Cyber security professionals,
working with the board and executives, including IT and business units,
will develop the right defense-in-depth strategy that is right for the
company.
Cyber security doesn’t happen in isolation. It is not a set check list. It
is dynamic, adjusting strategy to risk, asset value, and controls. As
market conditions change, as company goals change, and as technology
changes, so will the cyber security strategy.
Neither structure nor strategy will help if you ignore the most important
element in cyber security: People. In 2016 ISACA published the top three
cybersecurity threats facing organizations in that year. They were, in
order: 52% Social Engineering; 40% Insider Threats; 39% Advanced Persistent
Threats.
Excluding the advanced persistent threats typically targeted against large
multinationals, governments, military, infrastructure and the like, the
other two have one common element: People.
It is people that become the victims of cyber-attacks, and by extension,
the businesses they work in or do business with. Be it through social
engineering, extortion, or any of the many vulnerabilities that hackers can
exploit, it is people that get compromised first. They are the ones that
have to pick up the pieces when all the data is gone or when their identity
is stolen.
The good news is that cyber security awareness training is one of the most
effective controls against hackers. Training and sensitizing people to the
threats, the methods used, vulnerabilities, even their own personal privacy
risks, has been proven time and again as the one thing that makes a real
difference in early detection, quick response and recovery during a
cyber-attack. Having a quarterly lunch-and-learn will go a long way in
developing a culture of cyber awareness, saving both your business and your
employees from cyber-harm.
Avoiding these three mistakes in cyber security won’t help win every single
battle. But it will guarantee you win the war.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160823/7948ba65/attachment.html>
More information about the BreachExchange
mailing list