Offensive Cyber Defense

It’s More than Just Crude Security

As we round January’s corner into the new year, there’s so much to think about, from ambitious goals and adventurous plans, to lingering concerns. One thing’s for sure, with a slew of unprecedented data breaches, 2014 did what it could to keep cybersecurity on the brain. So whether it’s still taxing our nerves, or if we’re in transition, let’s build on what we know, get out in front, and leave this worry behind.

Can’t See the Forest for the I.T.’s

In early December, Deputy Secretary of the Treasury Sarah Bloom Raskin dropped a bomb with this figure: Globally, 2014 saw 43 million detected cybersecurity incidents, a 48 percent increase over 2013. You heard that right—almost 50% more cyber attacks worldwide. With such a major uptick, we will all have to take our turn.

Understanding the inevitability of an attack, let’s encourage practical action and forestall liability. So in this new year, try something different. The evolution from hapless victim to well-equipped cyber strategist often begins with adjusting viewpoints.

“Probably, a good tip for approaching the problem is to forget the name “cyber.” This is not just a threat to your IT systems, it is a threat to your business potentially enabled by your IT systems. Sometimes, just the change in perspective is all that is needed to get things going.”
— John Glowacki, Chief Strategy and Information Officer at Protexit

Industry jargon tends to blind us to the big picture, puts us in need of a healthy paradigm shift. So let’s shake things up and get down to some hardcore self-analysis. Now is the time—before a serious breach occurs—that business owners and decision-makers need to stand up and take an active role in company management of sensitive data. So let’s be vocal, not shy: Openly voice expectations for the use, protection and management of company and client data. And then, work to implement your ideas, be they internet usage policies, restricted access to critical information, or securely backing up records.

Don’t worry; no one is looking for you to become an expert in cybersecurity. What is expected though, is a conscientious level of alertness and action. As Glowacki asserts, “there is an obvious need for each of us to raise our awareness relative to what we manage.” We couldn’t agree more. Because risk is relative to the data your clients have entrusted to you, an earnest security checkup is in order.

There’s No “I” in Cyber

Naturally, your clients’ best interests will prompt you to be proactive, developing a solid incident response plan before a crisis. Here is where your employees and fellow leaders must be kept in the loop. In fact, experts suggest setting up an incident response team. In the event of a data breach, this group will handle all communications with the public, investigators, etc. And no worries, you aren’t left without direction. The National Institute of Standards and Technology (NIST) lays out extensive guidelines for all things incident response.

The goal here is not secrecy, but instead a focused and conservative approach to revealing sensitive information. Openness is always a best practice, but when sharing information about a breach, disclosing certain technical details could actually assist other attackers. On the other hand, releasing all relevant and ‘safe’ facts builds trust and shows that you are working to remedy the situation. Composing and maintaining a statement on the incident status will keep all communications accurate and consistent. And jokes aside, practice sessions and mock media interviews are a smart way to prepare for a stressful situation. Again, NIST is on the ball, offering probable media questions your team will have to skillfully field.

Companies’ plans may vary, but the constant is protection, for clients and businesses alike. Showing the public a united front shifts attention from what happened to what needs to happen to make it right. Quick, focused action will shut down perpetrators while boosting trust: it shows that you care, and that you will work to fix this. In the aftermath of a data breach, it’s this sort of can-do spirit that will tip the scales toward recovery. Clients, vendors, suppliers and employees are trusting that you will make the right move. Ensure their protection by making thoughtful decisions now.

Good Business Practicing

While your incident response plan is a fundamental part of your overall approach to cybersecurity, by no means is it a standalone. Planning and preparedness need each other to thrive. Realistically, why bother developing a response plan, if you’re not investing time in employee training? And what good is their training, if your system’s weak spots remain a mystery? You’d be driving blind.

Advocates of comprehensive cybersecurity tactics stress the importance of an offensive, not defensive, strategy: know where to expect the breach. Sadly, the time that elapses between breach and detection varies, but it averages from 90 to a staggering 229 days, and can stretch to years. That’s a crazy long time, and much better spent in planning and protection than as a sitting duck.

More often than not—roughly 70% of the time—companies aren’t even equipped to detect breaches from within. Waiting to hear from a third party just isn’t the way to handle cyber liability. Lag time gives cyber criminals ample opportunity to slash and burn, or snatch and store precious data. These miscreants aren’t conservative; they will take any potentially valuable data that’s made available. These days, the “we had no idea” excuse just doesn’t cut it—this is a fight to the death.

So instead of unknowingly leaving the gates open, take charge and find those easy entrance points. If you don’t have IT experts at the ready, then think seriously about hiring an outside company that specializes in penetration testing and the like. They can clue you in; you can get to fixing the holes. We can’t overstate the value of this step.

Gates closed, walls patched, you’re done! Think again. With technology developing at a staggering rate, we’re already finding that protections can be rendered obsolete fairly quickly. So, if despite your efforts, hackers find a way in, your best resource is a well-trained employee. Phishing and spear phishing attacks—among other “social engineering” threats—are ridiculously common, and have adopted a more believable style. Are you confident that your employees—or you, for that matter—would know that you were being phished? Well-executed “mock phishing,” AKA “social pen-testing,” is the best way to be sure.

“Firstly it can shock complacent staff into realizing how vulnerable to social engineering they really are, and through that keep them on their toes and improve overall security. Secondly it opens a valuable communications channel between users and security staff.”
— Joe Ferrara, President and CEO of Wombat Security Technologies

Along with employee training, continual checkups and analyses are vital. Figure in regular testing to be sure that defenses are up to snuff. Of course, “regular” will be defined by numerous factors: system size, level of sensitivity of data stored, and compliance regulations, among others. Regardless, when you determine your company’s magic number, be sure to hold to the schedule.

Covering Your Bases

While you’re in the preventive mindset, spend a little thought on cyber insurance coverage. A logical addition to a secure liability approach, cyber insurance covers what you can’t prevent. Ask yourself: How much do I spend every day, just to keep my business running? In the event of a data breach or other inevitable cyber attack, operations could be suspended, leaving cash flow at a standstill. Where will you find the capital to keep the lights on? Healthcare funded? Employees paid? A scary thought at best. Not to mention out-of-control notification and legal fees. After the storm, cyber insurance helps you to stand up, dust off, and move forward.

You could take our word for it—this is what we do. But as with any insurance policy, reading the fine print is essential. If you already have coverage and aren’t sure what your protection includes, check with your provider; a concise explanation is part of the deal. In her aforementioned speech, Deputy Secretary Raskin mused:

“It strikes me that when we think about cybersecurity we are still thinking that we have to communicate in ways that are obtuse, overly technical, and impossible to penetrate or understand without cyber experts in the room. …we need to recognize that cyber risk…is something we…already have the framework to understand…”

While “cyber experts” are absolutely necessary, the core message of cybersecurity is risk, otherwise a natural, easily understood concept in the business world. So let’s take that accepted fact and translate it to positive action, mitigating risk and embracing a comprehensive cybersecurity approach.

En Garde

It is so true that, “For businesses, data is the gift that keeps on giving.” If you faithfully and attentively work to guard the data that’s been entrusted, your digital storehouse can reap rich dividends: Think repeat customers, positive reviews, and word-of-mouth business. Most of all, that warm, fuzzy feeling, knowing you’ve done the right thing by the people who count on you.

So resolve to make planning, preparedness and overall cyber awareness high priority now, and throughout the year. With a focus on educating and preparing staff, your own knowledge will grow. And by keeping communication free flowing with your comrades in IT, you’ll be oiling the gears of collaboration and teamwork. Because whether planning for or responding to a crisis, effective communication is where cybersecurity begins and ends. So go get ’em, we’ll be rooting for you!