Cyber security. It’s on everyone’s mind. That’s not surprising given the spectacular thefts of private or confidential data constantly making headlines. Each seems worse than the last. No industry is immune.
Damages are both tangible and intangible. Monetary losses from intellectual property theft include the foregone profits from technology now being produced by a competitor and the loss of customers. Expensive lawsuits arise when companies are found to have failed in their duty of care for customer data. Consumers take their business to competitors they believe keep their data more secure.
But there are also intangible losses that can be difficult to quantify. How can you assess the cost of reputational damage, especially if your brand is supposed to be synonymous with stability, security and responsibility? National security is likewise hard to measure, since the downstream effects of poor data security might not be readily apparent to a country’s defense. (After all, a smart adversary will not reveal what he knows about your gaps.)
The Weakness in Current Approaches
Because technology is inherent in the word “cyber”, most organizations believe the solution must lie in applying better technology to combat the problem. After all, it’s best to “fight fire with fire”, they reason. This approach may be necessary, but it is definitely not sufficient. It is possibly even wrongheaded, because once an organization plugs in a new monitoring technology it assumes that all is well. Time to go back to the normal course of business. We’re secure now.
Yet outside threats are constantly adapting. And the cyber-tool-as-panacea doesn’t even begin to address the Insider Threat. This malevolent individual has legitimate credentials to your system because he is supposed to be there. Perimeter information security will be totally blind to his activities. Add to this the advanced external threat who has hijacked or spoofed user credentials. To the system he looks perfectly legitimate, and he walks right in the front door.
Gotta Have the Tools
So, if the cyber tool approach is not the right one, how can we use a holistic approach to tackle this difficult issue? Glad you asked.
First, let’s flip this model on its head. The normal cyber security approach assumes that building higher walls will keep the bad guys away from the crown jewels of the castle. Instead, consider the following: assume your network is already penetrated. Not just penetrated from outside, but also from within. What do you do then?
Before you do anything else, take a risk-based approach to your assets. What does this mean? In practice, you cannot protect everything, so you need to be clear on what is worth protecting. Identify your key assets, quantifying the amount of damage if these assets were to be lost or compromised. Such a forced ranking will require you to make some hard trade-offs, but it ultimately lets you apply limited security resources to the areas that matter most.