
The balance between mission imperatives and acceptable risk

When it comes to cybersecurity, business leadership is constantly challenged to find balance between securing business privacy while meeting regulation requirements and mission imperatives. By Pierre Roberge, Chairman of the global cyber defense firm ARC4DIA.

When it comes to cybersecurity, business leadership is constantly challenged to find balance between securing business privacy while meeting regulation requirements and mission imperatives. By Pierre Roberge, Chairman of the global cyber defense firm ARC4DIA.

The good news is that there are concrete steps that can be taken to achieve this balance effectively and safely. Complicating matters, however, is the fact that for a very long time there was a prevalent misconception that computer breaches rarely happened, or only occurred in isolated cases. Reality begs to differ. Many factors contributed to this perception. Breaches were often not reported and therefore not talked about. In fact, it is common for breaches to go undetected for long periods of time, which leaves only a limited number of known breaches to discuss. Because of this false sense of security, few resources were spent on detecting hacking activity, and in many cases the default management position was to hope a breach did not happen on their watch.

Obviously, this head-in-the-sand approach is simply not acceptable. To find the balance between mission imperatives and acceptable risk, three distinct activities must be undertaken: prevention, detection and remediation. IT security used to be very heavy on prevention with very little investment in detection and remediation, largely because the security solutions of the past were expensive and inefficient. Now, however, is a time of transition, with more attention being paid to all three steps of the cybersecurity process. Keep in mind that most breaches start with only a low level of anomalies to indicate that there might be an actual breach. Most of the time these first indicators are simple changes in the IT environment, in other words false positives. The higher the number of false positives, the more work there is to determine whether they were due to normal changes in the IT environment or to actual hacking activity. This has steered demand toward security solutions that generate few false positives, which, we now understand, is exactly why they are easy to bypass.

Although a wind of change is sweeping the IT security landscape, the thinking that technology will solve all of our problems still prevails. This mindset leaves businesses extremely vulnerable to hackers. To change it, a business must recognise that there will be breaches, and in particular undetected breaches that persist for some time. From this position of awareness, a business can plan accordingly and remain competitive as these events come and go. When it comes to prevention, detection and remediation, maintaining a balance of effort across the three activities is key to staying agile and efficient while keeping business operations up and running. The first step is to start with quick, easily achievable measures across all three categories, establishing a baseline of activities based on best practices.

Next, the focus should be on augmenting detection capabilities, as good detection brings valuable information that helps identify the preventative work needed to avoid future breaches of the same kind. Another important aspect of detection is the awareness of internal human resources. Employees and members of an organisation benefit greatly from a relatively small investment in awareness training. It directly raises the level of prevention by reducing common human-error pitfalls, but more importantly, training raises awareness of potential hacking attempts. For example, suspicious activity and abnormally functioning IT equipment should be reported to the security team for further investigation. In my experience, malfunctioning IT equipment or software is quite often the initial lead in finding malware. As prevention and detection improve, remediation becomes more efficient with practice.

In the case of small and medium businesses, all of the detection and remediation work should be contracted out to fully managed IT security services. Historically, security vendors took on this role with the magical all-in-one security solution. Such an approach is no longer sufficient, and while building internal capabilities to find and eliminate malware sounds logical, it does not make sense from a return-on-investment perspective. Seasoned security experts who deal with malware on a daily basis are best qualified to perform the detection and remediation part of the process; only very large enterprises will take on such activities themselves. One of my biggest recommendations in implementing cybersecurity is to start with the guidelines provided by the Australian Signals Directorate (ASD), which has developed a prioritised (Top 4) mitigation strategy to help technical cybersecurity professionals in all organisations mitigate cybersecurity incidents.

A more recent publication worth leveraging as a guideline is the New York State Cybersecurity Requirements for Financial Services Companies. It is a very practical guide to implement and focuses on solving today’s problems and challenges. It is worth noting that this guide emphasises encryption of data at rest. Stolen encrypted data has no value to a thief without the secret keys needed to decrypt and read the information. Data encryption is underutilised in the industry as a mechanism for protecting sensitive and mission-critical information, and it is certainly worth investing in, given the availability of encryption technologies. Remember, when striving to find the balance between mission imperatives and acceptable risk, the first step must be to acknowledge that there will be breaches. Once businesses accept that fact, they can break down the required activities – prevention, detection and remediation – into smaller, more manageable pieces in order to regain control of their infrastructure against hackers.

www.arc4dia.com