Set it and forget it! While this sounds like something from an infomercial, unfortunately, this is often the mindset that many organizations have when developing their cybersecurity strategy. Fundamentally flawed, stupendously short-sighted and remarkably reckless, here are three common mistakes which highlight why cybersecurity is (wrongly) viewed as a one-time deal rather than an ongoing project.
Misplaced Focus on Compliance Rather Than Strategy
We see the focus more often on compliance rather than security, which is much to the detriment of the industry as a whole. People tend to fixate on compliance as being the goal of cybersecurity and lose focus on the reality: “I have to be compliant with PCI,” or “we need to work towards HIPAA compliance.”
While these mandates provide a solid foundation to measure yourself against, unfortunately, a passing grade does not mean you are perfectly secure. Look no further than the many headlines telling the story of major data breaches at companies like Home Depot, Target, or Anthem Healthcare, or even the US Federal Government’s Office of Personnel Management to prove this point. Each of these organizations was deemed ‘Compliant’ with PCI, HIPAA and FISMA, respectively, and yet still wound up on the wrong side of a huge data breach that might have even exposed your own data.
Compliance is often looked at as the goal, or the finish line in the cybersecurity race, when in fact it should really be viewed as the starting point. You have to be compliant to be in business, but compliance shouldn’t be the sole focus. When approached correctly, compliance should really be thought of as a product of doing security right. If you are doing security right, then you will probably be compliant. Remember, compliance doesn’t mean you’re secure.
Over-Reliance on Prevention
The majority of organizations’ cybersecurity budgets are allocated to preventive controls. Next-generation firewalls and sandboxing anti-malware are all the rage, and all purport to give you the advantage over the attackers. Preventive controls seek to stop the attack from succeeding in the first place, so that seems smart, right? Well sure, you have to try to prevent that which you are able to. And while there are some great ways in which you can do this, such as that shiny new NGFW, this can’t be your only strategy.
Relying completely on preventive controls is much like crossing your fingers and hoping to be perfect. But, as I hope we all realize, there is no such thing as perfect security, and there is no preventive measure you can take that will protect your organization 100% of the time. With over 18 million new malware samples discovered in the third quarter of 2016 alone, even a 0.001% success rate equates to 180 really bad days.
With cyber threats that evolve every single day, what really separates the high performers from the headline-grabbing data breach victims is how quickly they can detect those successful attacks, contain their impact and eradicate the threat from their environment. With 60% of data in breaches stolen within hours, and 54% of breaches going undetected for months, the lopsidedness – and ultimately ineffectiveness – of the typical approach to the problem is clear. It’s simply not possible for any prevention tool to be perfect. Even if you have all of the best preventive controls money can buy, the probability of an attack making it past all of the prevention items you have set in place means you have to be prepared to detect and manage the incident.
Pro-tip: If you don’t, make sure your resume is up-to-date.
Misconception That it’s Just a Technical Problem, not a Business Problem
Cybersecurity is a major business risk that needs to be managed at the board level. Thankfully, we have been seeing more of a push for strategic cybersecurity management at the board and executive levels recently. But there are still far too many organizations that just look at cybersecurity as a technical problem to delegate to the IT team. Unfortunately, that’s really missing the point.
Whether you realize it or not, your company is operating in hostile territory, and when calculating the potential risks to your organization, consider that 60% of small businesses that suffer a cyber attack are out of business within 6 months. With the threat landscape changing constantly, it’s imperative to think about your cybersecurity strategy as a continuous improvement loop – trust us, the bad guys continuously strive to get better. Shouldn’t you?
Relegating cybersecurity to IT means that the budget for cybersecurity is probably a fraction of the organization’s IT budget, which already faces many pressures from operations that really should not be in competition with security. Is financial risk managed as a subset of IT? I hope not.
Managing cyber risk at the board level has several positive outcomes. First, when your leadership starts taking security seriously, initiatives like policy and training become higher priorities. These are key aspects of a sound cybersecurity strategy, and very often overlooked when security is viewed as a technical issue. Additionally, board visibility into security will mean cybersecurity has an accountable and responsible party within the organization, most likely a CISO. The CISO will need to produce metrics for the board, and metrics mean you are measuring your performance. The ability to measure performance means you have regular process checkpoints, and tools which help you track – and improve – your maturity over time. That ability to measure yourself and promote ongoing improvement is the critical point.
Because it’s not just about buying the antivirus software and the firewall. It’s all about putting those pieces together in a layered, meshed, and strategic approach to solve the bigger problem – reducing risk. This requires strategic thought, budget, and the right tools to support the process – none of which will be available if the board is not involved. And another point to remind the board of if they continue to feel this is an IT problem – they are often personally liable for data breaches. Personal liability is usually a wake-up call for leaders who don’t think they’re a target.
Understanding the difference between cybersecurity as a one-time task and an ongoing strategy is imperative to the security – and continued existence – of your organization. If you aren’t completely confident in your organization’s security posture or the ability to manage today’s growing cyber risk, find out how we can help provide you with the support you are seeking as an award-winning managed security service provider.
If you liked this article, check out our predictions for the 2017 Trends that Could Impact Your Cybersecurity.