I was asked recently during an interview, “In two minutes, can you tell me why many organizations are not prepared for cyber threats?”
The answer is simply this: The world has changed.
The threat actors have become far more sophisticated in how an attack is orchestrated and organized.
Many organizations’ mitigating controls are reminiscent of what they might have been in the late 90s; in many cases, the controls used have not evolved very much.
Internal IT professionals spend most of their time keeping the business moving and the users functional.
Years ago, an attacker or small group of attackers would individually find a vulnerability, craft software or methods to breach systems leveraging that vulnerability, then orchestrate the breach themselves. Often, there were one to a few threat actors working to carry out the tasks to orchestrate an attack. Now, threat actors are working en masse in a collaborative manner. One person or group may write or construct the methods and code to find and leverage a specific vulnerability to breach systems. The first actor or group of actors then make their code and methods available to others (secondary and sometimes third parties) willing to give them a cut of all the dollars they harvest with the tools and methods. Thus, a threat actor does not need to be good at writing code, finding flaws, breaching systems, and exploiting companies. A single threat actor can focus on the portion of a breach chain where that individual or group is most effective. The threat actors are far better orchestrated than they once were.
Nearly every company has three basic controls (or at least believes they do):
- A firewall
- A backup
Depending on the firewall technologies being employed, I would argue in many cases firewalls are basically performing similar function as they did in the late 90s, nothing more than a basic fence, because namely, 85%+ of the Internet is now encrypted. If the firewall hasn’t been configured to perform deep packet inspection of HTTPS, the firewall is blind to a majority of traffic. Many companies also have only one control on the endpoint, but the battle is usually ultimately won or lost on the endpoint. Backups are rarely checked, often misconfigured, rarely tested, and rarely immutable (meaning if a delete command is sent or the backups are encrypted, the backups are not actually deleted or destroyed; they can be recovered). The reality is that mitigating controls’ implementations within many companies have not evolved that much; however, the threats and risks continue to increase. There is an old saying, “If you are not changing, you’re dying.” That is certainly the case as it relates to managing and mitigating digital risks.
I asked a question in return, “How much of your IT staff’s time is spent on managing risk?” I told him that I thought it was likely less than five percent; he agreed that my guesstimate was probably accurate. Technology adds efficiencies, but it also imposes organizational risks. These risks are often unnoticed and unmanaged.
The threat actors are cunning and crafty. They must only find one open window, crack, crevice, or door. Your IT professionals must find and close them all. Couple this with the fact that IT resources are often understaffed, underfunded, and improperly focused: you have a recipe for a disaster. Usually, internal IT professionals are spending most of their time keeping systems running, users happy, and reacting (not proactively planning and orchestrating) to imminent risk. They have little time to manage risks holistically.
It breaks my heart to see organizations’ users, leaders, and IT professionals suffer. We do breach recovery work for this reason. We extend our hand to those who find themselves in breach situations. We want to help!
There is a better way. Many digital risks, especially the common ones, can be known, mitigated, and managed. I hope to educate our business community regarding what, why, and how these events are occurring.