Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

In Cybersecurity, is No News Really Good News?

If You’re Truly Being Proactive, There is No Such Thing as “No News” in Cybersecurity…

If You’re Truly Being Proactive, There is No Such Thing as “No News” in Cybersecurity…

It’s funny how old sayings just become a part of our lives. We just seem to repeat them as a matter of habit without really giving any thought as to whether they fit or not. I encountered one of those situations recently when asking a peer in the financial services sector how they were doing with their security program. His response, “I’m not sure, but no news is good news.” I wish I had thought of it at the time, but the reality of what he had said didn’t really hit me until later. No, a lack of information or news is about the worst possible scenario when it comes to cybersecurity.

Ignorance in CybersecurityThe fact that you aren’t seeing or hearing about potential threats to the organization, or alarms aren’t being raised by the security team, shouldn’t make you feel better as an executive. It should make you wonder if you aren’t doing enough, or even potentially doing something wrong. Millions of attacks take place every day against every type of organization in every market. The idea that you are somehow that lucky corporation that is shielded against sophisticated cyber-attacks is not only misguided and unlikely, but also dangerous.

Just as a couple examples to show the number of attacks that take place every, day, week and year against corporations and government agencies I pulled some statistics from Nextgov.com. According to their research:

• The Pentagon reports getting 10 million cyber break-in attempts per day.

• Energy Company BP says it suffers 50,000 attempts at cyber intrusion each day.

• The government of the United Kingdom reports 120,000 cyber incidents per day.

While these figures are startling, remember that these include the crude, unsophisticated attempts which are easily, and in some cases automatically thwarted, to the more elaborate attacks.  Even if the vast majority are easily stopped these still demonstrate huge amounts of traffic and activity.

According to statistics from the Government Accountability Office, in 2007 — the year that Twitter was founded by the way — US-CERT received almost 12,000 cyber incident reports. That number had more than doubled by 2009, and quadrupled by 2012. Attacks are only increasing and becoming more sophisticated and not decreasing. No matter what business, location or area of government you work in, you are going to get hit in some capacity. Any thoughts to the contrary are an illusion that may lead you to trouble. 

Advertisement. Scroll to continue reading.

Leadership teams in organization also often find themselves clinging to another old saying: ignorance is bliss. It perpetuates the notion that that if I’m not aware of it, I don’t need to address it and won’t be held accountable for it. Well as we’ve seen with recent high-profile breaches over the past several years, that standard no longer applies. Not only are corporate executives being dragged before Congress and being made to explain lapses in security, they are facing actual jail time if it can be proven that they were negligent. There is also the intense scrutiny from boards and stockholders as to why the brand is undergoing damage to its reputation and thus negatively affecting share price. A report published by the Center for Strategic and International Studies (CSIS) and commissioned by McAfee sets the current annual costs of cyber events at close to $300 billion.

Implementing an effective program requires constant vigilance and oversight. The idea of plugging in a product and “checking the box” simply doesn’t work anymore. Despite repeated examples and warnings the majority of breaches continue to happen as a result of unpatched applications and programs. Data plays a critical role in security as it allows you to make decisions based upon probabilities and insight. Anticipating where you may be most vulnerable and where an attacker would most likely try and gain entry is the first step in beating back the attack.

I had an old college professor once tell me that hope is not a plan. As I’ve continued my career in security those words have always stuck with me, as I believe it’s a perfect metaphor for ensuring success. Organizations that take an active role in their security and are proactive in determining points of vulnerability and interest are far more likely to avoid a security event than companies that simply install software and hope that it does the trick.

Perhaps we can get behind a new saying that is more applicable to security? If you’re truly being proactive, there is no such thing as no news in cybersecurity.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...