Posted by Tim Femister on May 21, 2019 10:00:00 AM
This blog is kicking off a series on a topic that many of you likely think about quite often: Why is it so hard to protect your organization’s information? This is a fair question, and one I’ve thought about often. To understand the answer, we’ll need to peel back a few layers and understand the root challenge.
Taking a quick step back, we can see the enormous impact of the Top 10 Data Breaches of 2018 alone. In total, these breaches impacted nearly 2.5 BILLION records. To put that into perspective, this accounts for over 60% of the global population connected to the internet! Furthermore, the average cost per data record in a breach is $141, which means the economic impact of just the Top 10 data breaches is estimated at $351 billion. That’s larger than the entire GDP of Ireland!
We know the impact is BIG, so let’s look at why protecting your information is so hard. It may surprise you to hear that there’s a fundamental truth accepted by most experts in the industry: No system is impenetrable, and thus every system can be hacked. Generally, all systems require the ability to be changed. This means systems can be changed for the right reasons—or for the wrong reasons.
All digital systems functionally rely on passwords and the concept of identity. Take a moment to think about that. In today’s world, our lives – our ability to receive communications, healthcare, money, transportation, energy – are protected by passwords that govern accounts. When someone gains unlawful access to an account, especially a root or system account, the results can be devastating. Imagine being able to press “delete” or lock up an entire virtual or cloud infrastructure. It happens every day. Banks, hospitals, electric companies, car manufacturers: no one is immune.
In addition, anything that’s digital has been programmed and can be reprogrammed. Programming is still performed by humans, and we’re not perfect. As an industry average, there are 15 to 50 bugs per 1,000 lines of code. Many of these bugs result in security vulnerabilities, which can be exploited with well-known, easy-to-use malicious tools.
What about the internet? Is it feasible to take down the entire internet? Absolutely. It would require incredible talent, vast resources and the consequences would be unfathomable, but it’s certainly possible. No system is impenetrable.
While we can’t change the fact that all systems are penetrable, we can implement effective protection, detection, and response systems. Let’s use the White House as a physical example. Could someone gain physical control of the White House? As a nation, we spend billions of dollars, create entire federal agencies, and implement extensive systems – the best money can buy – to ensure that such a thing doesn’t happen. But is the White House impenetrable? No. Remember that just a few years ago, a man hopped the fence and ran deep into the White House. This could have resulted in catastrophic damage had that been the intention.
No system or structure – whether digital, physical, or both – is impenetrable.
After reading the above, you may have a very bleak view of the world. While it is concerning, there are a lot of positive things in motion that should be considered. Organizations now have the ability to leverage robust strategies that are quite effective at protecting sensitive data. Never before has there been more research, tools, and visibility available to organizations of all sizes. I was working with a law enforcement organization a few years back, and after a particular implementation, they asked, “Why is 30% of our traffic originating from China?” Until that point, they didn’t have the necessary tools or visibility to understand what was really going on—but now they do, and they have the ability to better protect their organization.