Over the last month, our Tulsa office has looked on as constant rain storms across the Midwest filled the nearby Arkansas River to capacity, then beyond capacity, and ultimately to flood stage, closing roads, overwhelming parks, digging out sink holes, and compromising the structural integrity of buildings. Just a few blocks away from our secure, high-rise office, and visible from the floor-to-ceiling windows that encircle our workspace, we have had a front-row seat to this disaster. In fact, some of our own people have even been forced to evacuate homes that were ultimately consumed by waves of flood waters. With the fallout so close to home, many of us have been recalling the floods and mistakes made in years past, finding an uncanny correlation to steps people often fail to take in other types of disasters, like cyberattacks and security incidents. In some of the worst local floods throughout history, the technology in place for prevention was not being properly managed, resulting in completely preventable, but devastating outcomes for people who live and work in the miles along the river. This got us thinking about what other missed steps are similar between physical and cyber disasters, leading to massive losses that could have been prevented, or at least contained and promptly remediated to minimize damage.
Cyberattacks and Disaster Response Strategies
As a holistic IT Security provider, TRUE sees the constant threat of flood as a visual reminder of what our clients face daily, and the need to layer security controls not just to prevent, but to mitigate and recover when prevention doesn't work. For example, what happens when your organization layers security controls widely, but someone on your leadership team is hit with a very convincing spear phishing scam, or their credentials are otherwise compromised? Now all of your preventative silver bullets are rendered powerless, because an attacker is on the inside of your fortress. If you have over-relied on protecting the perimeter, or trusting policies to cover all behavior, you might be in real trouble. Likewise, it seems the biggest mistakes of past flood teams were due to an overreliance on preventative or first-layer backup technologies (the dam, lake, and levee system), and an under-investment in training for personnel who would be using them. In your environment, this would equate to securing firewalls, anti-virus, and IP shuns, then focusing on other tasks in the organization, trusting them to continue doing their jobs. Those technologies, like dams, lakes, and levees, are only as good as their constant management, and their constant management is only as good as the experience, knowledge, and available time of the people who do the managing. Are they busy with other tasks? Are they truly experts? Additionally, gaps in having tested backup plans and around-the-clock teams who would mobilize across efficient communications channels, first responder deployment, policy, plan management, and resource allocation in a disaster, meant greater damage and slower recovery times. If teams have a list of emergency protocols, but have never tested them, how will that help? Or if teams are already busy with other tasks, unavailable to help for a period of time, how can the destruction be staved off?
In those cases, destruction of property climbed into the thousands, devastating commerce and progress for months. In fact, a number of those affected never recovered what was lost, moving on to new places or new jobs entirely. Sound familiar? Think Equifax, Marriott, Yahoo, and other infamous cyberattacks.
Measuring the Damage of an Attack
While some of these companies have managed to survive, time is proving the enemy, evidencing that lost business, loss of customer confidence, and stock drops take their toll. In fact, industry research by experts at a well-known data protection vendor shows that 80% of all companies who experience malware attacks are completely out of commission for 3 full days. Of those organizations who suffer just 3 days of total loss, 80% will no longer be in business two years later. No longer in business. It may take a few years, but that's the ultimate end of most companies who suffer these attacks. So, just as our town has had to plan for the future based on the past, how can you learn from others' cyber-attacks, ensuring that your organization is among those who come out on top? Especially if you are a mid-size or smaller business, with fewer available resources than an enterprise company, your goal should be to become what analysts at the Ponemon Institute, famed for their security breach research and reports, refer to as cyber resilient.
The Concept of Cyber Resilience
Ponemon Institute researchers gather data from hundreds of breached organizations every year, measuring the actual costs to their productivity and bottom line, the length of time it takes them to recover, the dollar figures attached to reputation loss, and so on. After compiling this data to identify trends, year after year, drawing conclusions about what factors directly affect the degree of damage done in a breach, Ponemon analysts have identified what they call cyber resilience, a term ascribed to those companies who are able to bounce back from a cyberattack. They go on to explain in last year's report that this ability hinges on the alignment of prevention, detection and response capabilities to manage, mitigate and move on from cyberattacks. This refers to an enterprise's capacity to maintain its core purpose and integrity in the face of cyberattacks. Just as cities must approach potential disasters like a flood, you would use the same type of layered approach to protecting your company's business continuity, but one has to wonder sometimes if people are beginning to hear IT security best practices like Charlie Brown's teacher, as a series of unintelligible babbles. And anyway, it's the doing of the thing that matters here, not just the knowing. Many IT Security teams are exhausted from asking for resources to mitigate risk, only to be put off by leadership that hasn't yet seen the value.
Bringing C-Suites Into Your Security Planning
So how do you help your c-level leadership to understand the importance of a unified approach to IT and Security when they are creating budgets and making key planning decisions for the next year? Data. Begin with solid data and concise, decipherable reporting. That message is loud and clear from our customers, partners, and basically anyone else who has worked in IT Security. You need actionable reports for CFOs and other key decision makers. To that end, you'll need specifics on what steps need to take place, in what order, and for how much. So determining your baseline with objective evaluations like a penetration test or in-depth security assessment is always an excellent place to start. This will enable experts to assist you in identifying immediate areas for remediation and gives leadership actionable steps to take, to which they can tie specific line items in the budget. Don't go soft with this, either, because cheap pen tests or security assessments, while readily available on the interwebs, offer limited evaluations and deceivingly generalized results. Those will shoot you in the foot when leadership looks to you to understand why they didn't know about a particular vulnerability that later led to a disastrous attack. Use a reputable provider who knows what they are doing and will give you steps custom to your own environment that will help you harden your security posture and become more cyber resilient. We highly recommend that you take the time to ask around and vet your pen testers well.
Provisioning Teams to Execute
Once you have your team's attention with identified vulnerabilities and key action items for remediation, you know where to go from there, don't you? Knowledgeable experts' advice is probably on repeat in your head: Architect your network updates or cloud migrations securely, not just functionally, use most-secure configurations and a least-privilege approach to roles and permissions, update your firewalls, implement 24/7/365 network monitoring and remediation with Managed SIEM* or MDR*, test your Disaster Recovery plans and off-site backups, and create a culture of awareness. But who is going to do all of this work when 70-80% of large organizations have IT Security positions they can't fill, and your IT teams are massively overworked as it is? To some CISOs trying to implement change, it's like being between a rock and a hard place all day, every day, hence the tremendously high rate of overwhelming stress and turnover. They know what to do, and they have some budget to take steps, but implementation requires teams of people they just don't have available. It's exhausting at best.
Where to Get Help When You Need It
That's where we have some good news. After having been on the front lines and seeing what our customers struggle with day-in and day-out, True Digital Security has stepped in to address the current cyber security staffing crisis, lack of internal IT resources, and clearly identified gap between IT and Security. To help bridge this gap for our clients, we have developed a new approach to IT Security, a holistic approach maintaining experts on both sides of the house who can help architect solutions and mitigate risk from end-to-end. Many of our clients already have their own IT and security departments, so we collaborate with those teams, assisting them in identifying gaps and vulnerabilities, developing security policies, tracking and managing compliance, architecting secure cloud migrations, training their people, implementing data protection plans, and so on. End. To. End.
So, whatever happened with the recent flood, you may wonder? Tulsa and our surrounding communities are pulling through one day at a time, though some properties have sustained severe and irreparable damage. We will bounce back, but not without some serious blows. At this moment in fact, the water is still splashing against the banks, and we are all watching to see what will happen with next year's budget, when proposals come in to repair the leaking dams, update old technology, remove barriers and debris, staff disaster teams, and further develop the levee system. Our municipalities will have to gather the necessary data, pull together actionable baselines and reports for leadership, educate them as to why it's time to look at the whole system for gaps that need remediating, and get help from experts, just as many of you will have to approach your own boards and decision-makers with the necessity of investing in next steps that will move you closer to having a mature, layered, tested, end-to-end IT security program. We're all in this together.
To speak with one of our True Digital Security experts about identifying gaps in your environment, reach out to us at firstname.lastname@example.org.
To learn more about security assessments and penetration testing, watch our webinar, Hardening Web Applications, with TRUE expert Kris Wall (available on-demand).