If You’re Truly Being Proactive, There is No Such Thing as “No News” in Cybersecurity…
It’s funny how old sayings just become a part of our lives. We just seem to repeat them as a matter of habit without really giving any thought as to whether they fit or not. I encountered one of those situations recently when asking a peer in the financial services sector how they were doing with their security program. His response, “I’m not sure, but no news is good news.” I wish I had thought of it at the time, but the reality of what he had said didn’t really hit me until later. No, a lack of information or news is about the worst possible scenario when it comes to cybersecurity.
The fact that you aren’t seeing or hearing about potential threats to the organization, or alarms aren’t being raised by the security team, shouldn’t make you feel better as an executive. It should make you wonder if you aren’t doing enough, or even potentially doing something wrong. Millions of attacks take place every day against every type of organization in every market. The idea that you are somehow that lucky corporation that is shielded against sophisticated cyber-attacks is not only misguided and unlikely, but also dangerous.
Just as a couple examples to show the number of attacks that take place every, day, week and year against corporations and government agencies I pulled some statistics from Nextgov.com. According to their research:
• The Pentagon reports getting 10 million cyber break-in attempts per day.
• Energy Company BP says it suffers 50,000 attempts at cyber intrusion each day.
• The government of the United Kingdom reports 120,000 cyber incidents per day.
While these figures are startling, remember that these include the crude, unsophisticated attempts which are easily, and in some cases automatically thwarted, to the more elaborate attacks. Even if the vast majority are easily stopped these still demonstrate huge amounts of traffic and activity.
According to statistics from the Government Accountability Office, in 2007 — the year that Twitter was founded by the way — US-CERT received almost 12,000 cyber incident reports. That number had more than doubled by 2009, and quadrupled by 2012. Attacks are only increasing and becoming more sophisticated and not decreasing. No matter what business, location or area of government you work in, you are going to get hit in some capacity. Any thoughts to the contrary are an illusion that may lead you to trouble.
Leadership teams in organization also often find themselves clinging to another old saying: ignorance is bliss. It perpetuates the notion that that if I’m not aware of it, I don’t need to address it and won’t be held accountable for it. Well as we’ve seen with recent high-profile breaches over the past several years, that standard no longer applies. Not only are corporate executives being dragged before Congress and being made to explain lapses in security, they are facing actual jail time if it can be proven that they were negligent. There is also the intense scrutiny from boards and stockholders as to why the brand is undergoing damage to its reputation and thus negatively affecting share price. A report published by the Center for Strategic and International Studies (CSIS) and commissioned by McAfee sets the current annual costs of cyber events at close to $300 billion.
Implementing an effective program requires constant vigilance and oversight. The idea of plugging in a product and “checking the box” simply doesn’t work anymore. Despite repeated examples and warnings the majority of breaches continue to happen as a result of unpatched applications and programs. Data plays a critical role in security as it allows you to make decisions based upon probabilities and insight. Anticipating where you may be most vulnerable and where an attacker would most likely try and gain entry is the first step in beating back the attack.
I had an old college professor once tell me that hope is not a plan. As I’ve continued my career in security those words have always stuck with me, as I believe it’s a perfect metaphor for ensuring success. Organizations that take an active role in their security and are proactive in determining points of vulnerability and interest are far more likely to avoid a security event than companies that simply install software and hope that it does the trick.
Perhaps we can get behind a new saying that is more applicable to security? If you’re truly being proactive, there is no such thing as no news in cybersecurity.