Own Goals – Managing Cyber Security Risk
Learn how to kick some goals to improve your Cyber Security Risk
We continue to see instances of “cyber security own goals” – i.e. security failures at companies that either should know better (probably an overly harsh criticism when they are faced with a determined, targeted attack) or that are founded on the promise of providing greater security or trust, but then turn out to be just as fallible as other businesses.
Cyber Security learnings from the past
Past examples would be the well-publicised incidents and cyber security data breaches at the US National Security Agency or at security firms Symantec and RSA, but also these cases of cyber security failure and cyber security risk being realised:
- The personal data breach at TalkTalk, which turned out to be significant not in terms of the volume of data exposed, but in terms of how the communications were handled after the crisis;
- News of an attack on Russian security firm Kaspersky that ended up providing them with a good excuse to show off their forensic and investigatory skills;
- Password management service LastPass, which suffered an attack that, in post-event analysis, seems to have been a lot less frightening than it could have been; and
- The US OPM (Office of Personnel Management) exposure of the details of personnel information and security clearances – arguably one of the worst data breaches of all time.
What do these show?
Without trying to be critical or singling out any particular organisation, these cases show a number of things:
Even a well-funded or expert cyber security team can find itself the target of a successful attack if the prize for the attacker is worthwhile – faced with a sufficiently attractive goal, the assailant will try as many ways as it can find and use any and all resources available to succeed. This is very hard to defend against.
Early detection is vital: the sooner an attack is detected, the more effective the response can be. Time to detection should form a fundamental KPI for all security teams.
The response and publicity handling will have a big impact on the reputational damage and coverage received after a breach – get this right and you can certainly be painted more positively than if you get it wrong.
The need to understand an attack, and quickly
In both the Kaspersky and LastPass cases, the analysis of the issue – what had happened, how it had happened and the implications (including for users) – was promptly published and showed a high degree of technical and business understanding. This is a welcome change from some past breaches, where delays, denials, obfuscation and vagueness have been more the order of the day. From May 2018 onwards, under the GDPR, organisations in Europe will need to have a clear understanding of an attack within just 72 hours.
The challenge, of course, for the many organisations without the security focus or technical expertise of these industry players, is their ability to detect, diagnose and understand how a breach is affecting them.
Get the right recipe to manage your cyber security risk
This problem is part technology (the right solutions with the right capabilities, configured to do the right things), part business case (the right levels of investment in prevention, detection and response), part people (both numbers and skills), and also the recognition that breaches are unavoidable. It is the way they are handled that matters – and this is a mindset change.
Gain some insights into cyber security incidents and attacks by watching our 8-minute video, below: