Against the backdrop of today’s threat landscape, too many organizations are “throwing spaghetti at the wall” instead of doing what they should be doing: creating a security plan. The plan should incorporate:
- Organizational expectations for security that reflect the business charter, as well as customer and compliance expectations for security;
- A multi-year plan and budget commensurate with those expectations;
- Milestones and validation of plan execution. This follows our guidance: plan the work, work the plan.
Looking at thousands of reported security breaches in 2016, the Department of Health and Human Services reported the following attack vectors.[1] Do not focus your security strategy on a single device type or a single vector of attack.
Deloitte did a study that looked at the cost of a breach. Commonly, people focus on press announcements of fines and/or credit protection costs, or on a cost-per-record figure of $250.[2] These costs are above the surface. In summary:
89% of breach costs lie beneath the surface!
Translation: the risk is even larger than you might think.
I’ve spent the last several years talking to hundreds of customers about their security posture, and here are 3 key takeaways:
a. We have experienced significant upticks in customer requests to conform to SOC 1, DoD, NIST, and FFIEC standards.
b. RFPs and vendor agreements are starting to require third-party attestations of an organization’s security posture.
c. Organizations are increasingly advertising Security Statements (an outline of their security maturity) publicly on their websites.
2. Focus is too often prioritized on TECHNOLOGY, as opposed to PEOPLE or PROCESS. Some evidence points:
- “Known but unmitigated vulnerabilities are the highest cybersecurity risks faced….” (White House Cybersecurity Order).[3] Translation: solid patch processes are needed.
- 70% of businesses paid ransomware demands (IBM 2016). Interpretation: backup/restore processes failed.
3. Focus is too often prioritized on PREVENTION over the other aspects of a security framework. As evidence, try to answer these questions:
- What are the 10 most critical data sources and vendors to your organization?
- The industry average “dwell time” for an Advanced Persistent Threat in a network is 200+ days.[4] On a scale of 1-10, how well is your organization detecting threats?
- Assuming a breach occurred, do you have an Incident Response Plan (IRP) outlining who, what, and how your organization will react?
As the frequency of cyber-attacks rises, “throwing spaghetti at the wall to see what sticks” is no longer an adequate approach to security. Organizations need to develop an end-to-end security strategy. Wondering how you can get started? Check out some of our other great security resources or send an email to firstname.lastname@example.org. We’d be happy to help.
[1] HHS Breach Summary: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
[2] Deloitte: https://www2.deloitte.com/us/en/pages/risk/articles/hidden-business-impact-of-cyberattack.html
[3] White House Cyber Security Executive Order: https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal