In the wake of the Yahoo, Equifax, Whole Foods, Sonic Drive-In, Deloitte, Securities and Exchange Commission, Viacom, and Vevo breaches (all in the last month, by the way), I feel confident in predicting the future: there will be another major data breach this year.
Ok, so maybe those words aren't as surprising as they once were, and you're already annoyed about the clickbait title. Good. That means we've progressed in terms of our collective consciousness with respect to the realities of attacks and InfoSec risks. Just a few years ago, most of the organizations I worked with felt fairly confident in saying, "I have a firewall" or "we've never had an incident here." Times have changed. Good.
However, what hasn't changed at all are the commonalities among the majority of breaches, highly publicized or not. There are fundamental control breakdowns that inevitably exist, are eventually reported on, and are debated ad nauseam on CNN, Fox News, or whatever your favorite talking-head platform may be. Here's where I earn my Doctorate in Fortune Telling. This next breach WILL involve:
Time and time again these same issues come up as root "contributors," if not outright causes. Why? The momentum in many organizations is shifting towards a more proactive approach that would address these fundamental issues, but we haven't hit critical mass, not yet. After each incident the general public rightfully asks, "How could this happen?" or "How could this happen at BIG COMPANY?" The C-suite of the breach victim will release statements or make public appearances to reassure us that this breach was unavoidable, that all reasonable measures had been taken, that these magical hackers are just too darn good, that it's not their fault. Negative.
Advanced Persistent Threats (APT) and nation-state actors absolutely exist, and at times may play a role in some of the well-publicized breaches, but overwhelming evidence points to these basic blocking-and-tackling functions as being on the critical path to a breach. To be clear, I'm not advocating that you completely ignore the potential APT attack; rather, I'm challenging your organization to more effectively prioritize the boring-but-important and the simple-but-not-easy risks. Many organizations fall victim to the line of thinking that if only they had the next latest-and-greatest tool or solution, they would be secure. The focus on technology alone is the flaw in that approach. People, process, and technology: all three must work in concert to meaningfully reduce breach risk.
In the midst of Cybersecurity Awareness Month, consider my prediction and take action. Refuse to accept that your organization will be the next victim, or that this new normal is inevitable and therefore pointless to fight against. Avoid chasing the next latest-and-greatest solution at the expense of the fundamentals. Invest your scarce resources smartly. Some quick wins you can execute on today:
With quick wins comes an energy which you can then employ to viciously execute your strategic plan… you do have a strategic, comprehensive, prioritized InfoSec plan… right?