Cyber-Security is Complex & We Need to Start Treating it That Way
Robert Kresson
Private Investigator, Strategist, Corporate Investigations, TSCM Expert, Privacy, Extreme Surveillance Expert at Empire Investigations LLC, TV Undercover Projects
I know, we all hear the same speech every single day like a broken record, but we're shouting it out one more time for the people sitting in the back.
In a perfect world, you wouldn't have to worry about cyber-security because all your employees would have great security habits.
Fully aware of the insider threat to cybersecurity, you'd train everyone from the mail room to the C-suite. You'd feel confident that you'd created a savvy workforce who would never put your systems or data at risk.
You'd also have an IT department who performed all the recommended safeguarding measures like strong boundary protection, vulnerability management, and strict access controls.
Through the combined efforts of your IT department and your fully-trained, cooperative, cyber-minded employees, your organization would be covered.
Living in Denial Puts Your Company at Risk
This isn't a perfect world, however, and whether they mean to or not, employees engage in a lot of risky behavior when they're online. No amount of training, boundary protection, or enforcement will give you full protection from an ever-evolving landscape of cybersecurity threats. Eventually, one of these threats will break through your defenses.
If that sounds unlikely to you, then you're living in denial. All you have to do is look around you to see that even the organizations with the most to lose don't get cybersecurity right.
Not Even the National Security Agency (NSA) is Secure
We all know what happened to Target, whose profits plunged when criminals stole personal data and payment card numbers of tens of millions of customers. The attackers got into Target's network with credentials stolen from a heating and refrigeration contractor, not by breaking through the perimeter. Both the CEO and the CIO lost their jobs, and the company's brand has been tarnished as well.
This year, the group calling itself the Shadow Brokers demonstrated just how vulnerable even the NSA can be. Having first surfaced in 2016, they published in April 2017 a cache of exploits and spy tools attributed to the Equation Group, which is widely believed to be an elite unit within the NSA. One of those exploits, EternalBlue, was used a month later to spread WannaCry.
Then there was the widely publicized Cloudbleed incident. Cloudbleed was not a hack at all: a bug in the HTML parser on Cloudflare's edge servers caused them to leak fragments of other customers' memory, including session cookies and other sensitive data, into web pages and search-engine caches for months before it was caught. Ironically, the company involved sells internet security.
Cybersecurity Training to the Rescue, Right?
The Target incident was back in 2013, which might as well be a lifetime ago in terms of cyber time. Since then, most forward-thinking companies have instituted cyber training for their employees, hoping they will not follow Target down that dark pathway of vulnerability and risk.
Four years later, after millions spent on cybersecurity training, users everywhere are still clicking on bad links. Just this year there was the data breach at Washington University School of Medicine, where patient data was potentially accessed.
The cause? A good old-fashioned phishing scam.
So yes, four years after the Target incident, employees are still falling for phishing scams sent to their business email. In fact, for 2016, the most recent year with full-year data, it was reported that phishing scams dressed up in a business context were still the most difficult for employees to recognize.
Whatever the cause in each case, 2017 has already been a banner year for cybersecurity meltdowns:
- The Shadow Brokers theft of NSA tools mentioned above
- Cloudbleed
- VisionQuest Eyecare and breaches at other healthcare organizations
- WannaCry
- WikiLeaks' Vault 7 release of CIA hacking tools
- Voter records exposed at Deep Root Analytics
- The hack of Emmanuel Macron's presidential campaign in France
According to figures presented at the Black Hat USA 2017 conference, human error was at least part of the cause in 84% of the cyber security incidents reported this year. Although phishing scams aren't the cause of every data breach, the fact remains: total cybersecurity just isn't possible.
Common IT Measures that Don't Work
How about your IT department? Can't their advanced techniques keep your systems secure and your data safe? They're your first line of defense and you invest heavily in their ongoing training. Shouldn't that cover you? Again, here's why total cybersecurity just isn't possible...
Most companies employ a standard set of security practices to keep their network and data safe. Basic IT training covers the following techniques, each of which is far more effective against outside threats than threats from within:
Strong Boundary Protection. Again, even the highest security wall won't keep out the authorized user who's got bad intentions, or the outsider who logs in with that user's stolen password.
Access Controls. "Rules, Schmules", is what a malevolent employee thinks if they're intent on stealing assets. A rule in a policy document is not a control: telling your staff not to use their company-issued devices for personal use is neither realistic nor effective, and it does nothing to limit what a determined insider can reach.
In addition, shielding certain data from employees who don't need access is important but rarely carried out successfully. A 2016 survey found that only 29% of companies were fully enforcing a 'least privilege model' of access to company data, which would ensure only those workers who needed it were granted access.
That same survey revealed that only a quarter of companies monitored all employee and third-party file activity and emails.
Cybersecurity Training. Training is often ineffective and does nothing to prevent intentional harmful actions.
Password Policies. Requiring employees to change their passwords regularly means they're going to write them down somewhere near their desks. Anyone can pluck those right off the post-it note and gain access. Current guidance agrees: NIST SP 800-63B (2017) advises against forcing periodic password changes for exactly this reason, and recommends instead screening new passwords against lists of known-compromised ones and adding a second authentication factor.
Vulnerability Management. Considered the core of any comprehensive information security program, vulnerability management (VM) is the continuous analysis of your systems and data to reduce risk. It's an ongoing process of discovery, reporting, prioritization, and response to uncover and handle security risk factors. Some risks will be considered mild and can be handled later or 'accepted' while others will be considered urgent and require immediate attention.
Like the K-9 unit that roams an airport looking for whiffs of illegal substances, the VM process is always on the lookout for something that's awry.
The problem with VM techniques, however, is that they don't work well when there's an inside threat. A security patch closes a flaw in software; it does nothing against a valid login used by the wrong person, whether that's a malicious insider or an outsider who gained access by stealing an employee's credentials.
Hackers are Just Too Smart for Traditional Countermeasures
Attackers have the easier job. A defender has to be right every time; an attacker needs only one mistake by one employee, including one who works in IT. You can train your flock to resist the most basic of outside threats but eventually, someone will unwittingly allow a crack in your defenses. And that's all it takes: a tiny crack and the threat will wedge itself in, forming a security breach as wide as it needs to get the job done.
Managers are finding that identifying and preventing insider attacks is even harder today than ever. A study conducted in 2016 found that just over three-quarters of IT professionals said their company had experienced loss or theft of data since 2014.
They also said the leading cause was insider negligence.
Total Cybersecurity is a Myth
As you can see, focusing just on preventing threats is short-sighted and it will get you into trouble. Training only goes so far, and you can't simply rely on technology to protect your organization, either. A great antivirus program is only as good as its last update, and it's merely a reactive tool at best.
Of course, a full-fledged training program and a strong IT department are important but they are just a start. If all you're doing is trying to stay ahead of hackers with training and technology, then you're fighting a losing battle.
Hackers are still getting in, even at top governmental agencies and security firms. There's an evolving landscape of threats that's impossible for even the NSA to stay ahead of.
A better solution to cybersecurity is to develop a solid plan for dealing with threats if and when they happen. You need to limit your company's liability for when the inevitable happens. For that, you'll need a whole portfolio of tools.
Why You Need a Portfolio of Cybersecurity Solutions
There's no turning back from being digital in today's marketplace. Companies who want to remain viable and thrive can't simply batten down the hatches and close their borders, hoping to block or prevent cyber attacks. The threat of cyber attack will never disappear, no matter how well you think you've locked down your company or how high a wall you've put up or how well you've trained your staff.
A better way to handle cyber threat is to develop a risk mentality: accept that some risk is the cost of doing business and manage it. That should come naturally to any CEO, since that's how every other type of business risk gets managed.
A New Way to Think About Cybersecurity
Just like financial risk, cybersecurity risk should be managed. Instead of thinking of the threats to your systems and data as something that should be neutralized, think of them as something that should be managed. You may recognize this approach as risk management.
In typical risk management practice, risks are identified, assessed, and then deliberately accepted, reduced, transferred, or avoided, rather than wished away.
In other words, business owners, leaders, and IT managers should embrace the idea that breaches happen. Don't live in denial but embrace the idea that total cybersecurity is never possible. Only by acknowledging this can business owners successfully deal with incidents when they happen. And as we've seen, breaches do still happen despite the best efforts by top organizations in the world.
What that means for executives is an investment in a number of different ways to ensure their companies stay safe. Cybersecurity training is simply one piece of the puzzle. A strong IT department is another.
Protecting your organization and your employees from liability with forensic imaging is yet another piece.
How Forensic Image Preservation Helps
Problems arise, breaches happen, and total cybersecurity is a myth—that's clear. How you manage the problems and handle the breaches is everything, and ultimately affects your bottom line.
If and when a security breach leads to legal action or the involvement of law enforcement, you'll want to be able to provide admissible evidence to the proper authorities. Without it, you're at the mercy of uncontrollable forces that may not have your company's best interests in mind.
Forensic image preservation allows your company to collect and store forensic evidence in case a breach happens. By taking a bit-for-bit copy of the storage in company-owned phones, tablets, computers, and other devices, with a cryptographic hash recorded at the time of acquisition, you are preserving important evidence about your company and your employees in a form whose integrity can later be demonstrated.
It may lead to the exoneration of your employees or it may help you confirm what you suspect about employee activities. Either way, forensic imaging may help to protect your business from legal liability.
Your IT Department Shouldn't be Conducting Your Forensic Image Preservation
Most IT departments aren't equipped or trained to conduct forensic image preservation. A true forensic image is produced by a documented process performed by a trained professional. Having your internal team conduct the imaging may severely compromise your chances of obtaining admissible evidence in a court of law:
- There can be questions of evidence tampering
- Evidence can be spoiled by mishandling during the imaging process (for example, imaging a drive without a write blocker alters the original)
- Evidence is best collected by an objective third party
- An internal team may not follow industry standards for acquisition and documentation
- There can be accusations of internal sabotage or of a conflict of interest
- A third-party team can establish a chain of custody that adds another layer of protection
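As an added illustration (not the article's own process, nor any vendor's tool), the following Python sketches what an acquisition must produce for the evidence to survive the objections listed above and the imaging step described earlier: a bit-for-bit copy that handles unreadable sectors without silently shrinking the image, a cryptographic hash taken at the moment of acquisition, and a custody log that records every hand-off and whether the hash still matched at that moment. The file names, case number, examiner names and the simulated I/O error are all constructed for the demo; in practice the source is the block device behind a hardware write blocker and the copying tool is dd, dc3dd or ewfacquire, but the hashing and custody discipline is the same.

```python
"""Forensic image acquisition with integrity hashing and a chain-of-custody
record. Added illustration: an ordinary file stands in for /dev/sdX, and a
real acquisition would run behind a hardware write blocker."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # sector-sized reads: one bad sector costs 512 bytes, not megabytes


def _now():
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path):
    """Stream a file through SHA-256; 1 MiB chunks keep memory flat on big images."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(source, image, case_id, examiner, read=None):
    """Copy `source` to `image` sector by sector, hashing as it goes.

    An unreadable sector is replaced by zeros and its offset recorded so the
    image keeps the original geometry (what dd's conv=noerror,sync does).
    `read` is injectable only so the demo can simulate a read failure."""
    read = read or (lambda fh, n: fh.read(n))
    digest = hashlib.sha256()
    unreadable = []
    offset = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            try:
                chunk = read(src, SECTOR)
            except OSError:
                unreadable.append(offset)
                chunk = b"\x00" * SECTOR
                src.seek(offset + SECTOR)  # step past the bad sector
            if not chunk:
                break
            dst.write(chunk)
            digest.update(chunk)
            offset += len(chunk)
    manifest = {
        "case_id": case_id, "source": source, "image": image, "bytes": offset,
        "sha256": digest.hexdigest(), "unreadable_offsets": unreadable,
        "custody": [{"at": _now(), "event": "acquired", "by": examiner}],
    }
    save_manifest(manifest)
    return manifest


def save_manifest(manifest):
    with open(manifest["image"] + ".manifest.json", "w") as fh:
        json.dump(manifest, fh, indent=2)


def verify(manifest):
    """Re-hash the image and compare with the acquisition digest. One changed
    byte anywhere gives a different digest; that is what lets a court check
    the copy is unaltered since it was made."""
    return sha256_file(manifest["image"]) == manifest["sha256"]


def record_transfer(manifest, from_person, to_person, purpose):
    """Append a hand-off to the custody log, noting whether the hash still held."""
    manifest["custody"].append({"at": _now(), "event": "transfer", "from": from_person,
                                "to": to_person, "purpose": purpose,
                                "hash_ok": verify(manifest)})
    save_manifest(manifest)
    return manifest


def run_demo():
    """Constructed scenario: a 4 KiB 'drive' with one unreadable sector, a
    hand-off to counsel, then a one-byte edit to the image after the fact."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect-laptop-disk")  # stand-in for /dev/sdb
    image = os.path.join(workdir, "CASE-0001-sdb.raw")
    data = bytes(range(256)) * 16  # constructed content, 4096 bytes
    with open(source, "wb") as fh:
        fh.write(data)

    def flaky_read(fh, n):  # the sector at offset 1024 pretends to be unreadable
        if fh.tell() == 1024:
            raise OSError("Input/output error")
        return fh.read(n)

    manifest = acquire(source, image, "CASE-0001", "examiner A", read=flaky_read)
    expected = data[:1024] + b"\x00" * SECTOR + data[1024 + SECTOR:]
    result = {"bytes": manifest["bytes"],
              "unreadable_offsets": manifest["unreadable_offsets"],
              "hash_matches_expected": manifest["sha256"] == hashlib.sha256(expected).hexdigest(),
              "verified_before": verify(manifest)}
    record_transfer(manifest, "examiner A", "outside counsel", "litigation hold")
    with open(image, "r+b") as fh:  # tamper: overwrite one byte deep in the image
        fh.seek(3000)
        fh.write(b"\xff")
    result["verified_after_tamper"] = verify(manifest)
    result["custody_entries"] = len(manifest["custody"])
    result["transfer_hash_ok"] = manifest["custody"][-1]["hash_ok"]
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Hashing at acquisition and re-hashing before every hand-off is what answers the tampering and spoliation objections: the custody log shows who held the image, when, and that it was unchanged each time it moved. Note that the digest covers the image as acquired, zero-filled sectors included, so the list of unreadable offsets must travel with the image or a later examiner cannot explain why it differs from the original drive.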
Conclusion
With data theft continuing to rise, companies should be enlisting everything at their disposal to protect their assets. Leaders who move forward with a risk mentality will no longer be leaving cybersecurity matters entirely to their IT department.
The complexity of IT has risen dramatically over the past several years. As more companies adopt cloud-based services such as outsourced call centers, logistics, and customer relationship management services, their security perimeter becomes more difficult to maintain. With no plan in place to handle breaches, companies are more vulnerable than ever to the legal consequences of insider attacks.
That's why today, responsible cybersecurity measures include preparing for when a breach happens. That includes covering your legal bases in all cybersecurity matters with forensic imaging services performed by a professional, objective, third-party organization.
Safeguarding your assets to this degree will pay off by bolstering the resilience of your company. You're reducing risk to your organization while continuing to allow technological innovation. That's a win for the business and for the people who work in it.
(6 years ago) That's a great observation, even the NSA is not secured? Robert Kresson. I remembered the Die Hard 4.0 movie.
yep! ;)