Our businesses are inundated with incidents of ransomware, malware, adware and many other intrusion variants; it’s no wonder that 90 percent of healthcare institutions have been affected, at a total cost of $6 billion a year, according to a recent study from the Ponemon Institute. As we make our way through these threats, one needs to ask: if so many companies offer solutions, and institutions hire top-shelf network security engineers, why are there so many breaches?
The Security Triad published in FIPS Publication 199 distinctly categorizes security threats within the domain of Risk Identification, Monitoring and Analysis, and defines their potential impact. FIPS Publication 200 follows up with minimum CIA regulations for government information systems. NIST 800-53 provides the risk management framework and guidance for security controls, and NIST 800-35 describes the computer security lifecycle in detail, so well in fact that this framework should work. We know what we need to do, but we are having a difficult time implementing it.
From the perspective of Security Operations and Administration, within the access controls domain there is a plethora of controls, including SIEMs, firewalls, IDS, IPS, proxies, PKI services, and endless software programs claiming to protect our networks. If all defenses were in place and working, then why is this problem increasing exponentially? According to numerous studies, it may be that upper management is not doing enough to protect company assets. Security is not about firewalls and advanced IT measures; it is about education and awareness of employees. Senior management’s responsibility is to put safeguards into place to protect the company.
Our systems are managed by high-priced security professionals, yet the expectation in many cases is that it is just luck that the system has not been hit. In this scenario, complacency, lack of knowledge and top-down politics seem to outweigh the value proposition of mitigating threats. Yes, threat mitigation is a value proposition with a tangible outcome that can enhance profit. It is an unexpected inverse relationship: higher profit is related to decreased threats. Upper management complacency about simply educating employees seems to be the norm.
In some cases expensive devices are purchased through capital budgets approved by C-level directors with the assurance that the money is well spent. IT budgets are spent with the expectation that hefty equipment purchases will prevent the inevitable breach. In other words, that money has been spent with very little value in return, making it a non-recoverable cost.
Moreover, employee engagement, training, and common sense seem to fall by the wayside when the focus is on short-term monetary goals rather than overall company value. Executives sometimes hire overzealous “Security Experts” who are out to impress the executive team with their knowledge rather than getting down to basics and understanding the root of the problem. Research suggests that the majority of breaches are caused by simple social engineering tactics that could be negated up front at a very low cost through engagement and training.
As an analogy, let’s talk about a wave of car thefts. Think about how many of those cars were left unlocked or had the keys left in the ignition; probably the majority of those stolen. That is just the point: criminals exploit the easy opportunities, and there is no need on the criminals’ part even to try to open one of the locked cars, just as complicated plans to infiltrate a network are usually not needed. It is the simple things, like opening a malicious email and taking advantage of untrained employees, that entice criminals; if the car owners simply locked their doors, they would not incur the costs involved in theft. Human nature is being exploited through the lack of focus on the simple things.
In May 2018, the European Union (EU) brought into force the General Data Protection Regulation (GDPR), which adds penalties for breaches and defines consent and data subject rights along with data standards to try to minimize breaches. Data protection officers will be responsible for data protection, and fines will be levied for breaches. It is a step in the right direction and forces C-level executives to get their act together. In a recent Ponemon security study done in the UK, 86 percent of respondents throughout the EU felt that new security architecture was needed, while 76 percent felt that security procedures were outdated. These are troubling statistics; as the number of threats increases, it seems that attacks will continue with more variants and more exploits that take advantage of complacency. GDPR may be a step in the right direction, but the jury is still out on its effectiveness, especially now that a governmental body is involved. And will the financial penalties be a stimulus?
Let us put the issue in perspective in the United States: we have very good NIST documents, very good hardware and software controls, very smart network engineers, and we are losing the battle. We are at the edge of government involvement since the private sector cannot seem to get its act together. But it does not need to go that far. According to Baker Hostetler’s 2016 Data Security Incident Response Report, phishing and malware accounted for approximately 31 percent of incidents; employee action and mistakes, 24 percent; external theft, 17 percent; vendors, 14 percent; internal theft, 8 percent; and lost or improper disposal, 6 percent. This data suggests that simple education and an engaged workforce could be the first line of defense in risk mitigation.
In the aforementioned study, if the majority of the issues could be prevented by training, engagement and common sense, how could our experts, who are failing to make the grade, not rethink their methods? The current state of affairs does not work, and the bad guys know it. Security companies are getting rich; experts are getting paid to administer their expertise in a market that the bad guys created. It is unfortunate that complacency seems to be the norm across the board, with an attitude that cybercrime is just something that we need to live with. However, if employees are simply trained, and therefore become concerned, the “laypeople” become part of cybersecurity for the greater good of the company. It just seems so simple, yet engagement is so difficult, perhaps because it is just too basic.
In researching ideas based on the stated statistics, one finds numerous articles, white papers, and websites devoted to cybersecurity, and many state the obvious: that C-level management is responsible for a company’s demise in being hacked. It makes sense that companies depend on these high-level executives to create profit; however, they seem to be missing the boat on a relatively simple risk mitigation strategy with a relatively low cost, when the average cost of a forensic investigation exceeds $60,000, with the highest cost at approximately $750,000, according to the Baker Hostetler Cyber Security Report for 2017. In addition, the report found that a back-to-basics strategy would be a prudent approach to establishing baseline procedures, such as training, to reduce the company’s risk profile.
In addition to the basic premise of educating employees through comprehensive training, an ESG research study suggests that over the past two years there has been only a 39 percent increase in security budgets and only a 33 percent increase in cybersecurity training, and clearly there are large gaps as threats increase by orders of magnitude. Most distressing is the strong conclusion that the government should be more involved and that executives should lobby the government for better controls. Clearly, executives are looking for a bailout instead of just engaging with the simple things.
As threats become more commonplace and invasive, the battle is being lost due to complacency and lack of focus on the most prevalent and obvious controls. This could be the de facto reason why the bad guys are winning: C-level management has created a monster. In fact, according to a CompTIA study, only one-third of CIOs surveyed required cybersecurity training for employees, and in more than half of surveyed companies training decisions are made at the top. The basics are being overlooked, and cybercrime is flourishing on the lack of basic, simple and inexpensive controls like training; criminals prefer that CIOs just throw money at the problem with high-priced detection systems in the expectation that things will be better.
In a recent CIO article regarding human liability, it was stated that a company could buy the best equipment, but the same level of investment should be put into employee education, and that rarely happens. When was the last time the staff was brought together and taught what to look for in an email that could be malicious? When was the last time employees were concerned about their company getting hacked? It just does not seem to happen, and it always seems to be IT’s problem. In the UK Ponemon study, 76 percent felt that their IT procedures were outdated, which suggests that a culture change is needed across the board. Our highly intelligent and educated network engineers and security professionals are being outsmarted by criminals. Dare I say that there is no need for criminals to be educated or even smart, because our companies, with their complacent IT cultures, just make it too easy.
Think about it for a minute. This problem is getting worse and worse. Every day we hear about ransomware attacks, hundreds of articles are published with solutions to the problem, and new hardware and software solutions are introduced, yet we continue to lose the war. Rarely do we hear about an engaged and educated workforce on the front line playing offense in protecting their company’s assets. Cybersecurity is not a problem that should be shrugged off to some other department. CIOs and upper management that engage employees and create a culture of educating everyone in the company, rather than isolating the issue to the IT department, will start winning. It is just that simple, and criminals will not like it!