As the Internet of Things (IoT) and interoperability facilitate the
increasing collection, storage, and distribution of huge amounts of data, it
has become clear that not all data is created equal. While organizations may
produce comparable amounts of data, the sensitivity of the data may vary
substantially and so will the cyber-security needed.
With an ever-increasing number of people utilizing the IoT and participating
actively in cyber-space, it has to be determined what kinds of data need the
most protection. Proactive measures aimed at preventing cyber-attacks are often
regarded as unnecessary time and resource drains with little return.
Additionally, it seems that, within organizations, properly carrying out
security protocols is often a thankless job. This reality makes employee
compliance even more difficult since cyber-security is an area of regular
business operation that really only gets noticed once something goes wrong.
Unsurprisingly, I have found that this attitude is especially prevalent
among people who have never experienced the devastating consequences of a
breach firsthand. However, preventive measures are most effective when paired
with adequate detection and resilience protocols that fit the sensitivity of
the data in question.
Levels of Cyber-Security
When confronted with the risks of being online, aiming for a fail-proof
approach to cyber-security is simply not realistic. Investing all resources in
prevention minimizes an organization's ability to efficiently spot and
respond to a breach if or when it occurs. A primary step in developing a data
protection plan is working out which of the data you hold is the most important
and where it is stored.
To illustrate, there is a huge difference in sensitivity and importance
between biometric marker data like fingerprints in a government office and a
grocery store's inventory list. It only makes sense that the protective efforts
we make are proportionate to the types of data we want to keep safe. This
is an especially salient point when it comes to the public sector, health care,
legal offices, and human resource departments.
So, once you identify and locate your most important data, try to figure out
where the doors to it are. That is, are there any immediately glaring
vulnerabilities in your security system that make it easy for someone to access
this data? Many cyber-security experts, including myself, like to illustrate
the layers of cyber-security with a house.
Let's say your house is filled with valuables, representing your most
important data. And let's also say that you have some valuables that you
store in your front yard since they are not so valuable that you must store
them in your house. You have a fence, a gate, a locking front door, locking
windows, and an alarm system that goes off in the event of an intrusion.
In this setup, the fence is a preliminary layer of defense with the alarm
system being the final and strongest layer of defense. Now, even though this
house seems pretty secure, all of the security controls need the active
participation of its residents to be effective.
For example, how good is an alarm system at alerting a family and the police
to a break-in if it's turned off? Is a front door a useful security measure
if it's left unlocked or ajar? Or what if a family relies on the white
picket fence alone for protection, deciding to leave some valuables out in the
open? In real life, I think the average person is pretty good at doing what he
or she can to keep their home as secure as possible. However,
"cyber-homes" tend to be left much more open to attack, often without
the users' knowledge or awareness.
Fixing the Perimeter
There are a few main reasons for this that I encounter when conducting
security assessments. The following list returns to our house analogy.
- Organizations invest way too much in the fence and disregard the other
tiers. It's sometimes like a house with no front door, no security
system, lots of valuables, and surrounded by a giant wall. Yes, the giant
wall is going to prevent a large number of attacks, and that's great. The
issue is that this initial barrier is not going to necessarily deter all
cyber-criminals and hackers, and, when they do manage to get around this
first layer of cyber-security, there is nothing standing between them and
your data. Furthermore, there are often no reliable or consistent controls to
detect an attack once it has occurred.
- Organizations don't actively and consistently keep their doors and
windows locked. So, in this situation, the middle layers of cyber-security
are not being maintained effectively. Even if the safeguards are there, they
are not being used properly. This level is directly connected to issues of
employee compliance, software update automation, and ongoing training. Think
of it as someone jumping the fence. Now, how do we keep them from getting in
the door? Employees clicking on malicious links and being unaware of phishing
scams are ways in which this level of protection is not effective.
- The alarm system is turned off, doesn't work, is not used properly,
or is ignored. Imagine waking up in the middle of the night to your
house's alarm sounding and, in response, you calmly turn it off and doze
back to sleep. I don't think anyone would be comfortable doing this;
however, this is often exactly what happens with organizations that invest in
the best cyber-attack detection systems. Even when that alarm sounds,
it's often ignored by IT and upper management.
Why? Again, I think that many organizations trust their perimeter security
(that fence) way too much. Combined with the mentality of "That could never
happen to me" or "My data isn't that valuable anyway," even
the best alarm system isn't effective without external support. While a
good wall may deter the majority of bad guys, you have to account for the
determined cyber-criminals that really value your data. And, no matter how good
your wall is today, it might not be great tomorrow. Technology is always
evolving and with it, cyber-crime. To stay ahead, organizations have to stay
apprised of the latest trends.
Conclusion
When creating or assessing a current cyber-security strategy, keep in mind
that mitigating risk is more important than trying to avoid it altogether. Of
course, preventive measures are important, and cyber-attacks are not
necessarily inevitable, but investing appropriately in all the protection tiers
is crucial. Too much focus on one level is detrimental to your overall
security. Prevention, detection, and response are all equally important in
developing a cyber-security strategy that fits the value and sensitivity of
your data.