BreachExchange mailing list archives

5 sins cybersecurity executives should avoid


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 4 Jan 2016 18:03:11 -0700

http://www.csoonline.com/article/3018743/security/5-sins-cybersecurity-executives-should-avoid.html

With the advent of 2016, I was tempted to touch upon my thoughts on what
the future of the cyberlandscape will hold, prognosticating trends and
shifts and what the next big threat would be. However, upon deeper
reflection and further review of 2015, I've decided to focus on what we as
cybersecurity executives have control of and can influence, as those have a
direct and more profound impact on the organizations we steward.

The “Five Sins” may seem hyperbolic but given the fact that organizations
are continuing to make the same mistakes without trying to rectify them, I
think it’s fitting particularly at the end of the year when we aspire to be
better than we were yesterday, but not as good as we hope to be tomorrow.

Trying to be perfect. The one constant in cybersecurity is that the bad
guys have a marked advantage over the good guys. Network defenders try to
remain vigilant against an onslaught of automated and targeted attacks that
seek to exploit vulnerabilities to gain unauthorized access into their
networks.

The adage, "attackers have to be successful only once; defenders have to be
successful all the time," holds true in cyberspace. This is our reality, the
current condition. However, trying to make our networks 100 percent
impenetrable is an inconceivable path forward, as myriad anecdotes have
shown that even the most robust and layered security networks get
penetrated sooner or later.

Shifting focus from trying to deter all attacks toward a more
risk-management-focused approach allows organizations to understand their
cyberthreat profiles to support a strategic cybersecure posture.
Identifying, analyzing, and prioritizing threats will better position
organizations to allocate material, fiscal, and personnel resources
accordingly, the results of which should bolster resiliency and recovery
capabilities when breaches occur.

Betting on cyberinsurance equaling security. By its definition, insurance
is protection, often in the form of guaranteed compensation,
provided to an organization against a possible eventuality. In 2015,
cyberinsurance gained significant traction as a must-have for many
organizations, particularly as more breaches were reported on and class
action lawsuits were filed against organizations such as Target by those
impacted by data losses.

Like most insurance, cyberinsurance will help organizations absorb some of
the costs that may occur after a breach. Granted, the exact particulars and
amounts of coverage will largely depend on the type of coverage purchased,
but in a time when surreptitious theft of sensitive and personal
information is increasing, organizations will need to balance that risk
mitigation investment with other investments such as those supporting
continuity of operations. But just because many of the expenses associated
with a breach may be covered by an insurance policy doesn't mean that's the
only security an organization needs.

With a proper policy in place that best meets the needs of your
organization, cyberinsurance can support an organization's resiliency,
integrate with a risk-management-focused cybersecurity strategy, and
protect an organization's brand by demonstrating its commitment to
protecting its assets, thereby promoting public confidence.

Thinking that cybersecurity is a one-and-done solution. Layering
cyberdefenses and purchasing advanced technical solutions is a necessity
for any organization. As technology continues to advance, cybersecurity
tools and products develop with it enhancing organizations’ abilities to
quickly identify threats, reduce their response time to them, and ensure
that business operations do not suffer long periods of inoperability as a
result. But buying the most sophisticated monitoring device or data loss
protection solution is not a panacea to breaches, theft of sensitive
information, or other forms of cybermalfeasance.

A capable cyberdefense strategy will include defense monitoring that occurs
on a 24x7x365 basis. Considering that in 2014 there were approximately 143
million malware samples, roughly 12 million new variants a month, in
addition to at least 24 previously unknown vulnerabilities for which
detection would not have been possible, it's easy to see why organizations
cannot rely on the productivity of technology as their sole defense
mechanism. Integration of technical solutions, proactive threat
intelligence reporting, and an analyst team composed of both technical
and strategic threat analysts to communicate important information up the
chain is a critical security reality for organizations in 2016.

Forgetting about getting employee buy-in. It's long been maintained that
the weakest link in most cybersecurity apparatuses is not an unpatched or
misconfigured device, but the human factor. This should come as little
surprise given the fact that phishing and spearphishing attacks remain a
favored tactic used by hacktivists, criminals, and cyberespionage actors
alike. Most e-mail message-based attacks do not involve advanced malware,
although certainly they can. What they seek to exploit most of all is the
recipient, whether it's his trust, his lackadaisical approach to security,
his interest in specific topics, or any other human factor that can be
manipulated.

Developing a cybersecurity culture starts with ensuring that an
organization's employees, including senior-level officers, understand their
part in preserving the confidentiality, integrity, and accessibility of
their information systems and the information resident on them. Training
should not be a yearly event but an ongoing process educating all employees
about the threat landscape, particularly as it applies to their organization
or the business that it's in, as well as any significant developments that
need to be socialized among the group.

In this paradigm, cybersecurity is a common denominator, bridging the gap
between the C-Suite and the most junior employees. Getting organizational
buy-in to commit to improving cybersecurity is best led from the top down
with accountability shared equally among everyone.

Not having enough focus on an incident response plan. As the year of some
of the most prolific breaches comes to a close, how organizations that were
victimized handled the breaches is a direct reflection of the plans they
had in place. Breach response is more than just a reaction to an
infiltration; it needs to be a legitimate course of action that an
organization has developed and tested before a time of crisis. Perhaps more
importantly, organizations need to have confidence in the plans they have
developed.

In a 2015 study conducted by the Ponemon Institute, 81 percent of
respondents said their company had a breach response plan, but only 34
percent believed they were effective. While there is no conclusive template
for developing a breach response plan, a good breach response plan will
include risk assessments, business impact assessments, disaster recovery
and continuity of operations models, contact lists of appropriate law
enforcement entities and forensics companies, and a post-breach communications
strategy to provide transparent and updated information as necessary. The
Target breach introduced the greater public to the realities of large-scale
data theft, but it also provided a lesson in crisis communication.
Sticking your head in the sand is not a viable option in 2016, and
organizations need to be prepared.

With the New Year here, I was tempted to alter the title of this piece to
reflect the cybersecurity resolutions that executives need to undertake.
But to say that the above five areas should be “resolutions” would be a
misnomer, as resolutions are often superfluous gestures that are soon
forgotten. These are sins for executives as they cover areas that are well
known and about which there is substantive literature. There is no excuse
for not implementing them. We need to be better and we need to start now.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics 
portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which 
vendors to trust. Contact us today for a demo.