This article was originally published by Jason Busch at InBusiness Magazine.
According to a recent World Economic Forum report, data theft/fraud and cyber attacks are the third-highest type of risk to businesses based on likelihood — behind extreme weather and natural disasters. Yet, Gartner, a global research and advisory firm, predicts business spending on information security and cybersecurity tools and services to rise another 8.7 percent to a total of $124 billion in 2019.
How is it that we’re not seeing a decrease in cyberattack likelihood when businesses and organizations are spending more than ever to combat them? Christopher Gerg, vice president of risk management at Madison-based Gillware, a data recovery and risk management firm, says it’s all in our approach. “When you are really concerned about your organization’s cybersecurity, it’s easy to get in the habit of following the trendiest, latest products in hopes of alleviating that worry. But, what happens is businesses implement the latest and greatest tools without covering some very basic fundamentals. It’s like installing a premium sound system in your car but forgetting to put air in the tires.”
So, what are the best ways for businesses to spend time and money protecting themselves?
Except for rare cases where someone has it out for a company and wants to see them specifically damaged, or if a business is a bank or payment processor and has money to be stolen, the greatest information security threat to a business is malware, notes Gerg. Specifically, ransomware. “The reason is simple. The attacker is after money.”
Ransomware is a specialized evolution of viruses, worms, and trojans. The malicious software enters the environment through vulnerable computers attached to untrusted networks — think of coffee shop Wi-Fi networks or the public internet — or because someone clicks a link or opens a file in a malicious email from an attacker, tricking the recipient into thinking it was legitimate. The software then encrypts the important data on the system and attempts to infect other computers on the same network. A message may appear on the computer saying that your machine’s data is locked away and demands a ransom be paid using cryptocurrency like bitcoin, which is commonly untraceable. The requested ransom amounts have increased significantly in the past years, says Gerg, as the cybercriminals’ ability to interrupt the business of entire companies before being noticed has improved.
Unfortunately, the solutions put in place to mitigate these cyber risks are often just muddying the waters.
“First, and with the best of intent, governments and organizations have created laws, certifications, and requirements to protect payments, personal data, privacy, and communication,” explains Gerg. These regulations are typically a hodgepodge of letters and numbers that mean little to the average observer — things like PCI-DSS, PCI-DSS, PCI-3DS, PA-DSS, P2PE, AICPA Trust Services Criteria, FedRAMP, GLBA, Sarbanes-Oxley, FISMA, FERPA, GDPR, PIPEDA, CCPA, HIPAA, SSAE-16, SAS-70, SOC2 Type x, and more.
“Very often these laws and requirements do not account for the real-world technical challenges, edge conditions, interpretation, and applicability,” Gerg says. “Add on top of that a myriad of best practice frameworks, each written differently, written to fit a specific law or requirement, written to address the needs of a particular industry, or written to try to address every possible organization or situation.”
Further adding to the confusion are the multitude of businesses selling cybersecurity solutions claiming to remedy a company’s vulnerabilities, when most only address the tip of the iceberg, if anything at all. “Gap analysis, risk scores, audit readiness, monitoring tools, management tools, antivirus, antimalware, anti-spam, encryption, authentication and authorization tools, the cloud — each of them expounding on how they are built on proven technologies, or that they are better because they are new and disruptive,” says Gerg. “What results is what we call the ‘whack-a-mole’ scenario: multiple point solutions that each cost money, take time to manage, and provide questionable benefit when taking the complexity — and IT department’s limited availability — into account.
“And did I mention that there’s a shortage of qualified information security professionals, despite many [people] claiming that they are experts?”
Despite these sometimes misplaced efforts, Gerg says there are still cybersecurity fundamentals all organizations should pursue to improve the maturity of their information security program first. “It does not make sense to implement a solution that is specialized or bleeding edge if you aren’t taking care of the basics,” he notes. “Houses have a foundation, so does an information security program.”
Gerg says because of Gillware’s incident response work, he’s seen countless real-world examples of what went wrong, and how the incident started, progressed, and was discovered. Some of these compromised organizations had existing information cybersecurity programs, and others had very low maturity in their information security practices, but in nearly every case the story was similar.
“Consistently, compromises occur because of an unpatched system or service, or someone doing something they shouldn’t, or a combination of the two,” says Gerg. “The old saying about the weakest link in a chain has never been more applicable. It only takes a single system or service to not be up to date, or a single person clicking on a link in an unsolicited email. Things get worse in almost every case when networks are not segregated, and traffic progresses to systems that are not necessary. It also gets worse when attackers use internal user accounts to log into more services and accounts.
“It takes longer to notice that something happened when monitoring and alerting configurations are not effective,” Gerg continues. “Recovery is more difficult when backups are not effective. These consistencies we see day in and day out set pretty clear objectives: prevent compromises from happening, keep them from spreading, and notice it if they happen as quickly as possible.”
The absolute basics, according to Gerg:
Only once the absolute basics are addressed should companies consider spending money on more elaborate cybersecurity solutions. Know what you have, keep it updated, know that your users are actually your users, and stop known methods of attack, advises Gerg.
“The worry with building a list like the one above is that it may lead us down the path that creates the ‘whack-a-mole’ problem in the first place,” cautions Gerg. “We need to look at the big picture to accomplish our tasks of reducing complexity and cost. Is there a single solution or strategy that might accomplish not only the fundamental things in the list, but also make the IT department’s job easier and the business flourish while reducing the chances of a business interruption?”
Gerg offers the following advice, regardless of business size and complexity: