And How to Take the Fight to the Adversary
2020 is upon us. It is a brand new decade. What a great time to reset our thinking as it pertains to security. Do you recall some of the most significant data breaches in the past decade?
Wired had an article entitled “The Worst Hacks of the Decade.” It listed a number of them, some of which included: the Sony hack, Equifax, and the Office of Personnel Management (OPM) breach. The OPM breach hit home since I was in the FBI when it happened, and I was one of the victims.
The article notes that it will only get worse. But why? Let’s do something about it!
Here's my challenge to you—Don't wait for a data breach, take steps now to prevent it.
Year after year, breach after breach, organizations seem not to give cybersecurity the focus it needs. Cybersecurity is akin to “eating healthy.” People know they should, but they don’t until after a severe issue.
Let’s start this decade differently: protect what you value most in an organizational setting, your employees, data, and customers. So to help you take my challenge head-on and succeed, here are the 5 most strategic ways to protect your biggest assets in the New Year and beyond.
1. BUILD A TEAM
The collective effort of your security team ensures your success—you can’t do it alone.
In my years working in cybersecurity, I have seen countless issues that might have been resolved if a cybersecurity team were in place. At face value, it might appear to be a misconfigured server or an outdated security patch. Still, when you peer closer, the problem is quite simple—no one was thinking about security. A technical team might have been in play, but they lacked insight into cybersecurity.
Just because someone is “technical” does not mean they know everything that falls in the technical realm. Think of a doctor. You wouldn’t expect your family doctor to be able to perform neurosurgery. And many times, technical practitioners aren’t willing to be forthcoming about that fact. To adequately address advanced cyber threats in the coming decade, you need to build a cybersecurity team.
How Big Should the Team Be?
The size of your cybersecurity team will vary with your industry and your exposure to cyber threats. For the following guidance, I am assuming you are an e-commerce business operating on a global scale. I will also be using the European Commission’s business size standards when I discuss the size of your organization.
- If you’re a microenterprise (1 to 9 people): the “team” should be you, your CTO/CIO/equivalent, and a trusted, skilled cybersecurity consultant.
- If you’re a small enterprise (10 to 49 people): the team should be you, your CTO/CIO/equivalent, and a cybersecurity consultancy (with a group of experts that can help you grow). You might even consider bringing on a Chief Information Security Officer (CISO) or a Director of Cybersecurity. Adding a dedicated person at this stage will also help instill confidence in your organization from a Board of Directors (BoD), customer, and business partnership perspective.
- If you’re a medium-sized enterprise (50 to 249 people): the team should be your CTO/CIO/equivalent, CISO (or equivalent), additional cybersecurity personnel reporting to the CISO, and a cybersecurity consultancy (optional but recommended). Notice that I removed you from the team. At this stage, you should have an actual, internal team in play operating with autonomy. It would be best if you had insight into this process, but not be involved in the daily grind. I also noted that the cybersecurity consultancy is optional but recommended. Your internal team should be able to address most cyber issues, but it never hurts to have a group of experts (that see threats regularly) there to help.
- If you’re a large enterprise (250 or more people): the team should be your CISO, additional cybersecurity personnel reporting to the CISO, and a cybersecurity consultancy (optional, but recommended). I removed the CTO/CIO from this equation. A growing trend I completely agree with is to have the CISO report directly to the CEO or BoD. At this stage, you need to have a robust and organization-wide, integrated team. Your CTO/CIO should focus on addressing other pressing matters that fall into his/her wheelhouse.
An ongoing theme above is to have at least one person serve as your cybersecurity expert (even if they are an external contractor).
Why? Well, ask yourself this: If you have a significant cybersecurity issue, could your business survive? Do you have the customer loyalty, legal team, and PR muscle to withstand a massive, embarrassing mishap as Sony and Yahoo did? Having someone slated to focus on security will pay dividends down the road.
And whatever you do, don’t fall prey to the thinking “Pssh…no one wants my organization’s data” or “It might happen to someone else, but not us.”
A thorough selection process for picking your team members has greater long-term benefits, even if this means you spend more time recruiting than you’d like to. Hiring someone just to have bodies in the room can harm your team. Companies that do this wind up becoming a revolving door, whether it’s because prospective employees see the role as a temporary landing pad and are less interested in learning, or because you decide later on that they aren’t the right fit. This winds up costing you more money in the long run. Investing your time and money in people who truly specialize in the role your company needs will have immense payoffs later.
Cynthia’s concern is especially true in building a skilled technical team. Now that you have your team, what do you do next?
2. EMPOWER THAT TEAM
Once you have your team in place, arm them with the tools needed for success.
Your team should present you with those tools. They will inform you on what they need to keep the organization safe. So I will defer to them to provide you that guidance, but the one tool I will share with you that every team needs is trust.
There is nothing worse than being on a team where the person calling the shots does not trust the team’s judgment, or constantly undermines their recommendations.
For example, if your team recommends that you use BlueVoyant’s Vulnerability Management Services, or if they request access to FireEye’s Threat Intelligence, be careful not to first ask “How much?” followed by “What? [coffee flying out of your mouth] How much? Ahhh…do we really need that?”
Instead, ask them, “Can you help me understand why we need these services?” Here’s the reality: some cybersecurity solutions will be cost-prohibitive, but don’t lead with that; lead with trying to understand the need. Show them that you trust their judgment. If, after you fully understand their rationale, it is still cost-prohibitive, help come up with a compromise. Another simple step is to give them a budget and empower them to make purchasing decisions.
In the Forbes article entitled “The 6 Key Secrets To Increasing Empowerment In Your Team,” Joe Folkman states the following:
When a team member has the authority to make a decision, they feel more empowerment. If they make a decision that gets reversed by their manager, the empowerment dissipates. Leaders need to make sure that employees are skilled and knowledgeable enough to make a good decision before they are given authority. The more control people have over their work and how it is done, the higher their sense of empowerment.
Remember, your initial job is to build your team carefully. Once created, you should strive to enable your skilled team to protect your organization, not inhibit them.
3. LAYER SECURITY
Think of protecting your organization like protecting your home and family—create layers of security.
What do you do to protect your home and family? You educate your family, especially kids, of the threats. You tell them what to do in case of an emergency. You instruct them not to answer the door if they don’t know the person (or come and get you). You might do some practice scenarios. You have a lock on your door. You might pay for a security service to add a layer of defense. You could also add another layer by participating in a neighborhood watch. And let’s not forget about the Internet of Things (IoT). You could have an external Nest or Ring camera installed. You also might have a watchdog and maybe some IoT smart lights that you can control remotely.
So what can you do to layer security in a corporate environment? Again, I would defer to your team to guide you through the technical solutions. I instead will recommend you layer security at a high level using the People, Processes, Technology Framework (sometimes referred to as the “Golden Triangle”).
People, Processes, Technology (PPT) Framework
- People: This is such a critical element in the PPT. Fun Fact: People might be the greatest vulnerability to an organization, but they are also the greatest asset. The way you help your people become a fantastic cybersecurity asset is to help educate them on the threats (much like you would do with your family in the aforementioned home example). It would be best if you also insulated your employees from outside predators by filtering phishing e-mail properly. Ensure they can operate in a safe environment with the needed hardware to perform the tasks asked of them, to include updated anti-virus protection, firewalls, virtual private servers, etc. You will also want to create a way for your employees to report suspicious e-mails and unusual happenings on organizational hardware.
- Processes: This layer of cybersecurity ensures your team has strategies in place to proactively prevent incidents and to respond quickly and efficiently when one occurs. In this layer, you should have an incident response plan, a collection of threat intelligence (an excellent place to start building this would be https://attack.mitre.org/), and a prioritization of assets. This layer is also where you ensure your team receives adequate training, sees how it fits into the processes discussed, and receives proper instructions on how to execute those processes. It would help if you also considered how you would measure success and reward it!
- Technology: This is where your meticulously selected cybersecurity team comes into play. Your team should help you layer your technological solutions. One factor to carefully consider (that some teams might miss) is the origin of the technology and the company itself, especially when it comes to sensitive data at rest. For example, data held by a US company operating in the US is protected by several US and international laws. Those same protections are not afforded to you when your data leaves the US, at least not in all countries. Let’s focus on Russia. Russian law empowers Russia’s security service, the Federalnaya Sluzhba Bezopasnosti (FSB), to use SORM (the acronym translates to “System for Operative Investigative Activities”) to collect, analyze, and store all data transmitted or received on Russian networks. That data includes telephone calls, email communications, website traffic, and credit card transactions. The FSB does this through the installation of monitoring devices on all internet service provider networks, allowing the FSB to collect all user traffic directly. So if you are working with a Russian company, your data and your customer data are not protected.
In today’s threat landscape, where cyberattacks are usually multi-pronged, multi-staged, and multi-faceted, a layered approach is, realistically speaking, the only way you can truly defend your digital assets.
Layered security is a critical defense strategy. One key element that is a part of the process piece in PPT is ensuring people are aware of the processes in place. Following that line of thinking, let’s turn our focus to creating awareness.
4. CREATE AWARENESS
Your greatest asset is an educated workforce aware of the threats and prepared to address them.
As I mentioned above, we have all heard the saying, “People are the greatest vulnerability.” That might be true, but I would argue that people are your greatest asset when appropriately trained and educated.
Awareness training doesn’t happen overnight or without an organization taking purposeful steps to make it happen. If you are a large enterprise organization, you can always develop an in-house solution, but for the rest of us, there are some reliable off-the-shelf options. I am partial to the stylish, hilarious musings of Curricula, but there are others like KnowBe4.
When looking for an off-the-shelf option, I would urge you to focus on two key factors:
- High Entertainment Value — If it is boring, you are wasting everyone’s time.
- Simplicity — If it is complicated, you are wasting everyone’s time.
I was in the FBI for 14 years, during which my time was wasted every time I took the FBI’s information security training. Its failing was that the training was tremendously dull.
In a SecurityBoulevard.com article entitled “How to Buy a Security Awareness Training Program,” Nick Santora provides a very comprehensive and robust look at what it takes to select a cybersecurity awareness program. I especially liked his perspective on simplicity:
Simplicity is the key. Employees are not security experts. Most of them aren’t lawyers or very technical. They will not sit and watch a 40-minute video of someone blabbing about technical security topics. They will not pay attention to an hour-long Death by PowerPoint presentation written by the legal team. You will need to choose a partner that can articulate difficult and technical concepts into a message that is simple, relatable, and easy to understand.
If you were to do everything I recommended to this point, you would be as secure as one can be—a formidable security titan in the global cybersecurity arena. But I challenge you to go one step further: share intel.
5. SHARE INTEL
Don’t let threat actors operate with impunity; share intel with others empowered to take action.
There are many reasons why organizations don’t share with law enforcement, most of which are unfounded or stem from misinformation. It could also be that the perceived value proposition isn’t there.
But what I want to focus on is the bad guy. Let’s not forget what is behind every cyberattack—a person(s). Ask yourself, if you could, would you stop a burglar in your neighborhood? Let’s delve a bit deeper into an analogy I call the “Neighborhood Watch Effect.”
Neighborhood Watch Effect
You are new to a neighborhood. You and your family are excited to live in your new home (located right in the heart of the neighborhood). You are looking forward to all the new experiences. One of those experiences is likely not a break-in. But what if there were a series of break-ins, starting at the outer edges? What if no one reported them, not even on Nextdoor, and law enforcement was never alerted to the activity?
What would happen? The threat would escalate. Undeterred, the actors would continue to make their way to the center of the neighborhood. Breaking into one home after another until they arrived at the heart of the neighborhood—your home.
Now, this is an alarming thought. This analogy mirrors what happens in the corporate landscape when organizations do not share data breaches, indicators of compromise, or threat intel with the appropriate authorities. The threat actors will continue and escalate their activity, moving from organization to organization until your organization is next, unless you share intel.
If your organization operated in a similar capacity as a “good neighbor” in a neighborhood watch program, you could share valuable details (indicators of compromise, the threat actor’s Tactics, Techniques and Procedures, and any other piece of information used to better protect an organization or help identify the actor) with others including law enforcement.
This “Neighborhood Watch Effect” can be quite profound. Relevant information shared promptly can eliminate the threat caused by the threat actor, even the actor themselves.
Sharing intel can be done in a very thoughtful and controlled manner. In a previous article I authored, entitled "How to Propel Your Organization Forward by Working with Law Enforcement," I explain how one might share with law enforcement. I also listed several benefits to sharing; one was:
Take the Fight to the Adversary—You...have a unique perspective, one that can be used to help paint the threat landscape mosaic. If you share with law enforcement, you can shift from merely defending against the threat to helping eliminate the threat.
There they are, the 5 most strategic ways to protect your biggest assets in the new year and beyond. Now it is up to you to take the most crucial step: enact them in your organization. Remember, you don't have to do it alone; I and others are here to help. Working together, we can protect you and your organization, to include your employees, data, and customers.