Despite the wealth of available resources on the subject, cybersecurity remains one of the most misunderstood facets in both industry and government organizations alike. Though one could fill volumes with the number of misinformed views on the subject, let's take a quick look at five misconceptions.
1. "We've never been hacked."
For the sake of context, when we refer to "hacking," we are referring to a cyber incident—a compromise or potential compromise of the confidentiality, integrity, or availability of organizational information or information systems.
As a retired US Navy Cryptologist turned "defense coach" to government and industry regarding cybersecurity, there's a question I like to ask CEOs or boards of directors—a question that quickly reveals a company's approach to cyber incident response:
"How many times have you been hacked in the past 12-months?"
Contrary to popular belief, that answer should never be “zero.” If it is, this company is experiencing significant hidden risk. The oft-repeated tale of only two kinds of companies in the world is absolutely true. There are those who know they've been hacked, and those who don’t.
The question every company or government entity must ask itself is, "Which am I?"
2. "Robust cyber defense isn't pivotal to my industry."
There is another misconception that there are particular government offices, industries, or company sizes in which cybersecurity is not as relevant. This attitude may be felt because of the smaller footprint of the government office, the size of, or perceived lack of sensitive data contained by a particular company.
The truth is that there is not an office, industry, or company exempt from the need for cyber defense capabilities that match their risk profile. Not everyone will be able to maintain a large full-time staff with the latest tools for their cyber defense, but everyone needs to have a plan for a cyber attack, how they deal with it, how they recover from it, and how they mitigate the risk associated.
Cyber cuts across everything. It touches small business, medium-sized business, and big business. It reaches the local, state, and federal government. Whether the office in question is a local utility company, a two-person repair shop, or a defense industrial base company that manufactures parts for Ford-class aircraft carriers, cyber touches everything, and the risk of a cyber incident increases enormously as your organization develops intellectual property.
3. "I haven't been hacked because my systems are working."
Many entities don't believe they have been hacked due to a lack of overt indicators. In a similar vein, some of the tell-tale signs of a cyber incident may be masked by a perceived routine software, hardware, or system issue.
One example of an undetected cyber incident being mistaken for a routine IT issue is one from my own experience. A relatively decent-sized client company was considering a substantial bandwidth upgrade within their company due to perceived internet speed issues. My team approached the company's system from a "cyber hygiene" perspective. What did we find? 60% of their network traffic had nothing to do with their business. Several cyber incidents, including spam, bots, and other nefarious programs, were running on their system. Once all of the cyber threats were identified and eliminated, the company's bandwidth issues were resolved to the point of no longer needing an upgrade.
4. "My IT department tells me that we've never been hacked."
"The boss rewards me for telling them when good things happen—not that we're hacked. No CEO wants to hear that."
Much like the details of personal tragedies, there are some things we don't want to know or express. For many IT departments, a cyber incident may fall into this category. Technology specialists employed to protect an organization from cyber incidents pride themselves by making sure that such an event never occurs. The truth? A hack is going to happen eventually. This doesn't mean that the specialists in question have failed, but rather that they and the organization employing them should be open to that unfortunate truth—it will happen. Though such attacks are inevitable, their skills should be gauged by how they respond to such incidents. All company leadership should consider how they foster an environment that brings them the bad news, and then supports the people that do in recovering from the issue, and putting in place additional controls or capabilities that can reduce the probability and/or impact of a similar incident in the future.
5. "When will we be done investing in Cybersecurity?”
Many organizations can fall victim to the idea that cybersecurity protection is a product—much like a safe for your digital valuables. This mindset led one CFO to ask me, "When will I be done with cybersecurity?"
Like business, cybersecurity is an operation. It is not something your organization has, but is instead something your organization does.
While fortunately, this "doing, not having" mindset has shifted in recent years, what has been lacking among growing organizations is the scalability of their cybersecurity operations as these organizations grow. This change in scale also means that the management of cyber incidents needs to be reassessed regularly. It can be easy for many IT departments to put less severe events on the back burner; however, it is essential to manage them before they burn the house down, technologically speaking.
A vast majority of these cyber incident misconceptions are birthed from a lack of understanding. Often business leaders consider this an “IT problem.” Cyber is not an IT problem, it is a business problem that business leaders need to be aware of as they are the financial risk in a particular deal, or what the risks are in their product supply chain. Another systemic problem is the truths that many do not want to acknowledge. An unwillingness to realistically discuss the elephant in the room has only made organizations increasingly vulnerable. Open-mindedness and open dialogue are crucial to the continued success of any organization’s cyber incident response.
Remaining educated on the evolving needs of cyber incident response is crucial for any organization. An excellent resource I can recommend are the publications of the National Institution of Standards & Technology. These guides and articles are among the best for planning cyber incident detection and response. For more on such topics, you can always stay posted to the blog of SENTIR Research Labs headquartered in Tulsa, OK.