In this article we will discuss:
A flawed corporate cybersecurity approach
As companies become increasingly reliant on technology, cybersecurity is becoming higher on the list of corporate priorities. This is especially true due to an uptick in cybercrime. But there is a major disconnect between CEOs, CFOs, CIOs and corporate board members. Many business executives who lack technical knowledge are happy to throw large budgets at cyber protection units to make cybersecurity threats ‘magically’ disappear. This is of course a flawed approach – CEOs need to learn to accept that no matter how much they spend, there will always be some degree of cybersecurity vulnerability.
Which questions cybersecurity stakeholders should avoid asking
In an attempt to appease boards and shareholders, executives are asking all the wrong questions:
Question one: What are the metrics I should track and report to management?
Why this question is flawed
More often than not, Chief Information Officers (CIOs) are busy putting out fires instead of practicing proactive preventative cybersecurity measures as part of a robust underlying strategy.
Question two: How can I comply with cybersecurity regulations?
Why this question is flawed
Many government-led compliance regulations force companies to invest in meeting those regulations, which more often than not gives corporates a false sense of security:
Compliance does not equal protection!
Question three: What threats are most commonplace in our industry and how can I best prepare our organization against them?
Why this question is flawed
Companies do not have any control over threats, but what they can control is the resources they invest and their operational readiness for live, new and unknown threats, regardless of sophistication or origin.
A better way to approach cybersecurity
Instead of being reactive, companies need to be proactive. Organizations need to view cybersecurity as a business and customer-experience issue and not merely as a ‘technical’ failure or success. Businesses need to reevaluate the way in which they measure, report and prioritize cybersecurity issues.
Ask yourself: What are my organization’s key business outcomes and which technologies are paramount to support said outcomes?
Business leaders need to make their peace with the fact that cybersecurity risks are the other side of the technological coin – there is no such thing as 100% secure. What you can do is define and recognize your most important assets, business outcomes and customer experiences, and work towards creating a protective environment.
Nuanced approaches to corporate security threat management
Here are three types of cybersecurity threats companies are currently dealing with. These companies were able to work towards identifying their biggest assets and correlating threats, ultimately leading to a winning cybersecurity strategy.
Distributed Denial-of-Service (DDoS) attempts
The threat: DDoS attacks have become a common way for attackers to overwhelm companies’ networks in a way that triggers a crash and does not allow authorized users to access the sites and information they need.
The correct approach: Companies need to first recognize that operational networks, and network accessibility in general, are their most important asset. Once this is recognized, the company can work to simulate and prepare for these kinds of attacks and make sure that their firewalls are defense-ready.
Digital asset attacks
The threat: Cloud-based attacks targeting company stakeholders (CEO, CFO) at crucial times via email or social media. Attacks can vary from blackmail to shutting down mission-critical systems in exchange for ‘ransom’.
The correct approach: A company first needs to make a list of its key figures and leaders and provide them with a secure place to communicate and store important documentation. Companies can then look outwards and scan the web for crucial data points (‘whois data’) that will enable them to keep corporate personalities safe. In this instance, creating a data pool and a ‘risk map’ can also be an extremely effective tool for tracking malicious actors, both in real time and after the fact.
Malicious code injection
The threat: Malicious code injected into corporate systems and websites from external, ‘untrusted’ sources. Attacks range from SQL injection against vulnerable applications, to cross-site scripting (such as injecting malicious JavaScript), to shell-command execution on web servers.
The correct approach: These dire risks can be mitigated by first identifying which of your applications are most crucial to operations and most at risk. Then your cybersecurity team can, for instance, work across a wide variety of IPs to secure the handling of untrusted input, and apply ‘defense in depth’ by limiting the privileges of the applications you run.
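To make the “secure treatment of untrusted input” and “defense in depth” points concrete, here is an added example (not code from the article or from any company it describes). It places the vulnerable form of a database lookup beside its parameterised form, shows output encoding for user text echoed into a page, shows a host argument validated and passed to a command without a shell, and shows a database connection restricted to reads so that a lookup path cannot be turned into a write. The users table, sample rows and helper names are all constructed for the example.

```python
"""Untrusted input handling: vulnerable form beside the hardened form.

Added example (not from the article). Uses only the Python standard
library and a constructed in-memory SQLite database; the users table,
its sample rows and all helper names are assumptions for illustration.
"""
import html
import re
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Build a constructed sample database: two users, nothing real."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> List[tuple]:
    """VULNERABLE: untrusted input is spliced into the SQL text itself.

    Kept here only to contrast with the safe form below: the database
    cannot tell where the query ends and the caller's input begins, so
    a crafted name changes the WHERE clause instead of being compared.
    """
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> List[tuple]:
    """HARDENED: parameterised query; the value is bound, never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def restrict_to_reads(conn: sqlite3.Connection) -> None:
    """Defense in depth: a lookup path never needs write access.

    PRAGMA query_only makes every write on this connection fail, so even
    a query that somehow reaches the database as attacker-shaped SQL
    cannot modify or delete data. The application-level fix above still
    comes first; this is the second layer.
    """
    conn.execute("PRAGMA query_only = ON")


def render_comment_safe(text: str) -> str:
    """Output encoding: user text echoed into HTML is escaped so browsers
    render it as text rather than executing it as script (XSS defense)."""
    return html.escape(text, quote=True)


# Allowlist for a hostname argument: letters, digits, dots and hyphens only.
_HOSTNAME = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_ping_argv(host: str) -> List[str]:
    """Command construction without a shell.

    The host is validated against the allowlist pattern and returned as a
    separate argv element for subprocess.run(argv) (no shell=True), so
    shell metacharacters in the input are never interpreted.
    """
    if not _HOSTNAME.match(host):
        raise ValueError("rejected host argument")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input that breaks the unsafe query
    print("unsafe rows:", len(lookup_user_unsafe(db, probe)))   # 2: whole table
    print("safe rows:  ", len(lookup_user_safe(db, probe)))     # 0: no such name
    print(render_comment_safe("<b>hi</b>"))
    print(build_ping_argv("example.test"))
```

The order of the layers matters: binding parameters fixes the injection itself, escaping fixes what the browser sees, the argv list removes the shell from the picture, and the read-only connection limits what a residual bug can do. None of the four depends on the others being present, which is what makes them defense in depth rather than a single point of failure.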
What all three of these use cases have in common is that a business context was first established and only then was the cybersecurity threat addressed.
Summing it up
Business executives need to accept the fact that hermetically protecting an entire company, its assets and its interactions is not a realistic goal. Rather, by identifying and prioritizing operational business necessities and core functions, you will be able to achieve and maintain defensible cyber assets.