Last month, ProPublica obtained 15 years of personal tax records for some of the wealthiest Americans from an anonymous source. The leak was a jarring reminder that no organization is excluded from today’s ongoing cybersecurity threats, whether they be orchestrated by internal actors or external hackers.
As infrastructure trends as one of the top national priorities, the leak is an important reminder that we need to prioritize innovation in our digital infrastructures simultaneously. Today, we entrust the control of some of our most crucial national resources online, including oil and gas, digital banking systems, government communications and more.
These large-scale attacks can often inspire trepidation – after all, if agencies like the IRS and organizations as large as Colonial Pipeline aren’t able to protect themselves, how can my business?
We must remember that intelligent cybersecurity isn’t about having the most expensive or most complicated software. It’s about creating the proper safeguards for what you are trying to protect, which may be where the IRS fell short. Chances are, your business won’t need the same defenses the IRS needs to protect personal tax information, or Colonial Pipeline needs to secure its IT systems. Let’s look at a few key insights both public and private organizations can heed to improve their cybersecurity and protect their digital infrastructures.
Cybersecurity isn’t one size fits all
Individuals who don’t work in IT or cybersecurity often associate setting up cybersecurity protections similar to purchasing standard computer antivirus protection from Norton. If that protects our computers in one fell click, we should be able to do the same with our businesses, right?
The problem is that this idea of general protection software doesn’t work so well in cybersecurity, especially when you’re protecting high-risk assets like personal tax information.
Here’s an excellent way to think about it - if you have a million dollars of cash hidden in your home and an external cleaning team that comes in twice a month, plus a realtor who’s showing the space frequently to prospective buyers, would you be comfortable leaving a general home security system to secure your cash? Of course not, because these individuals – who in this case are potential threats – can pass right through that security system undetected as part of their routine services.
Let’s take this lens and apply it to the tax leak. If the IRS employed a general cybersecurity system, it would do an excellent job of making it challenging for external hackers to breakthrough, but it may not have a specific protocol flagging when an individual on the inside emails a tax record for a case they’re working on to someone external to the organization, for example.
It’s an essential reminder that we need to dispose of ideas around a one-size-fits-all approach. This includes fads around incorporating new or trending software for the sake of it, rather than developing protections based solely on the unique needs of your system and the assets you’re trying to protect.
AI-based cybersecurity has gained much traction in recent months; however, it’s not going to be the best fit for every business, and in some cases, will create more problems than it solves. Cyber budgets are increasing, but effectiveness won’t improve unless we develop custom solutions for each business’s unique cybersecurity needs.
Give cyber infrastructure the attention it deserves
The digital revolution we’ve all experienced in our lifetimes is only a few decades old, and so many businesses have never put substantial resources towards cybersecurity and have never experienced an attack. It can be challenging, then, to understand why they need to change now. Unfortunately, cyber threats have innovated as quickly as the internet and every day, month and year that isn’t spent making sure we are innovating as soon as bad actors, the more vulnerable we become.
It’s for this very reason that cyber insurance companies - now a very hot commodity - have recognized how likely significant losses are and, in many cases, will not even quote protection without some proof of existing competent cybersecurity measures.
With this in mind, the first meaningful step businesses should take towards having better cybersecurity and the most common problem we will continue to see as cyber consultants is just starting the conversation.
Businesses that suffer the most from cyber threats often don’t become victims because they’re a few months behind on protecting against a new kind of attack. Instead, they’re usually years behind and have procrastinated even the first few steps to improve their cybersecurity out of either intimidation of the subject or continually prioritizing other areas.
Once we begin the conversation, send that email or do an hour of research into the new threats impacting businesses in our sector, the better we arm ourselves in the short term and begin the snowball effect that ends with large-scale changes protecting us against the most significant threats.