Time to Secure - Everything

Never before has cybersecurity been so important to our daily lives. Breaches affect everyone, and failure to protect personal information is no longer acceptable. Yet we see companies of all sizes continue to make the same mistakes.

First, investment in cybersecurity tools and resources needs to be a priority. What we see in various surveys and reports is that the boardroom is actually reducing its investment in tools, focusing on profits instead. However, the old approach to risk management needs to be recalculated. It is no longer a question of if the company is breached, but when.

After a breach occurs, it is too late to make investments, as the impact on a company is substantial. A loss of consumer trust and confidence has a direct impact on the company's bottom line, and usually in drastic proportions. There needs to be more focus on preventing breaches in the first place, rather than accepting the risk and doing as little as possible.

Investment in new tools is paramount. Studies have shown that many of the tools used today are obsolete and insufficient for the types of breaches we are currently seeing. According to the Mandiant "Security Effectiveness Report 2020", only 9% of security events generated an alarm of some sort in current tools, and some 53% of events were missed by security controls entirely. This is unacceptable by any standard, and can be resolved through more investment in tools and training.

Speaking of training, many of the attacks seen in the last year have started as phishing attacks. Hackers are getting more and more sophisticated in their tools, and whether the lure arrives through email or text messaging, it is becoming harder and harder to determine whether a message is legitimate.

One example hitting Asia and Europe right now is the Flubot malware. Text messages telling the recipient that their package is out for delivery, with a link to check delivery status, are the most common lure, but Europe recently reported text messages claiming the recipient's picture has been posted on a website, with a URL pointing to a rogue site. Most people do not know how to recognize the tell-tale signs of a phishing message, and they tap the links they are sent.

A training program teaching employees how to recognize the signs of phishing emails and text messages should be something every organization is doing on a regular basis (I just went through one here at Oracle and it was excellent!). And while we are at it, we should be training employees about basic hygiene as well (cyber hygiene, that is... rest assured we don't have to train them on personal hygiene).

Passwords continue to be a problem everywhere. If the passwords are not obtained through phishing, it's usually because default passwords are not changed, or because passwords are so easy that hackers do not need any help figuring them out. Passwords are a pain. They are difficult to manage, and it takes real discipline to remember to record a password every time you change it.

Password managers are fine, but when you are accessing things through multiple devices, password managers don't help. Not to mention that if a password manager gets hacked, you are exposed (full disclosure... I have not seen any reports of this happening, but it still concerns me). Eliminating passwords is key, but we are still a long way from that becoming a reality in all networks.

Governments are now getting involved through regulation that will require reporting, and possibly demonstration, that adequate security controls have been put in place. A new bill circulating in the US Senate would require companies to disclose in their SEC filings who on their management team possesses cybersecurity skills and experience (S.808). I anticipate other countries will follow this trend to ensure that companies hire qualified cybersecurity professionals as part of the management team. It's a good time to be a CSO/CISO!

We have seen a tremendous amount of activity in the last few years around security breaches. Many are not reported, or very little is shared. This has prompted the US Government to consider legislation that would require companies providing critical infrastructure to report all breaches to the Government within 72 hours (S.2407).

Likewise, the EU is pushing legislation requiring companies to report within 72 hours (NIS2). This legislation is being proposed in an effort to learn about breaches in real time rather than weeks or months afterwards, and to provide a mechanism for sharing information about breaches with a broader community.

And finally, all of this is happening so fast, while there is a shortage of cybersecurity professionals available to do the job. The last report I saw cited over 4,000 positions globally left unfilled because of a lack of qualified candidates. This is alarming, because it means our educational institutions are not delivering graduates in this area.

To solve this issue, the educational institutions around the world need to offer more programs and incentives for students to follow this path. But that will only work if companies incentivize through better pay and a path for promotions.

According to the (ISC)² 2020 Cybersecurity Workforce Study, 40% of cyber professionals polled had salaries cut and hours reduced. In addition, 23% were furloughed, and 9% moved to part-time or contractor roles. This is the wrong direction for cyber investments.

As we continue to see threats and breaches increase dramatically, we can only hope that companies will finally realize that cybersecurity is just as important to their bottom line as product, if not more important. Investment in security should come before investment in R&D, and must be part of the equation whenever discussing a new product introduction.

Failure to invest in cybersecurity tools and people will result in the collapse of many companies large and small. Hackers are highly educated and well funded, and they are coming after you next. Time to recognize the threat for what it is and ensure our networks and the data they hold are secure.

These viewpoints are my own and do not necessarily reflect the opinion of my employer. However I will say that Oracle puts security first, in every product. We take security very seriously around here.

Charles DeRoller

RF/EMP and Infrastructure Resilience Advocate @ Armag

3 years

What if we just assume everything is compromised? We're in a race against cybercrime and the bad guys are ahead. Phishing emails get through screening daily, and I've been told a dozen times my SS#, banking info, etc. may have been taken; I know my credit card has been hacked twice. Not to say we want to do away with cyber defense, but wouldn't it make sense to position ourselves, both personally and corporately, with a presumption that critical, proprietary data has been or can be stolen?
Clemmie Scott

CEO - A Change of Heart Ministries, INC

3 years

Travis, great article and informative at a professional level. I would like more information about how to detect current phishing attacks, which are indeed more sophisticated. Retired folks who are out of the loop are sitting ducks with diminished security acumen. Social media platforms, emails, and text messaging are more challenging than ever for the average “retired” user to protect themselves against, due to the sheer volume of phishing attacks.

More articles by Travis Russell