Cyber Threat Analysis 12 Dec 2016

Analysis & Commentary on Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

/* I’m changing up the format for this, the last letter of 2016. */

We end the year much like we started it: disturbed but not surprised that organizations of all stripes either remain ignorant of the threat they face, or are simply unprepared despite their best efforts. It helps to remind ourselves that only security companies are in the security business; everyone else is just in business, period. The need to remain functional will always trump the desire to be secure, right up until insolvency. As advisers and practitioners we would do well to remember that success for us is measured in inches, not touchdowns. Any win, no matter how minor, helps, because security will simply never be the issue we think it should be.

And while every system would be more secure if it weren’t for those meddling users, this is also a good time to remember that your greatest security threat AND resource isn’t rooted in technology; it is flesh and blood. Code is neutral. It is only the motivation of the person executing it that makes it “good” or “evil.” Likewise, while users can contribute to security problems, there are far more ordinary users than there are security staff. Well-trained employees are a force multiplier, especially if your security team is viewed as enablers, not knuckle-rappers. If you do anything different in 2017, it should be making yourself and your team more approachable.

Yet despite our best efforts, all of us will get hacked eventually. And while some claim that a hack will have serious financial impacts, we’re reminded that there are a finite number of retailers or service providers in any given market, and none of them take security that much more seriously than the others. I’m handy, so the Home Depot hack impacted me, but Homer’s house is a lot closer than Lowes, so guess what? (Reminder: I do this security thing for a living.) Consumers are not going to start growing their own food and making their own clothes. Customer loyalty is driven by more than PCI compliance and up-to-date firewall rules. This isn’t an excuse to slack off on corporate cyber security efforts, but a reminder that your focus should be viability overall, not short-term dips in per-store revenue.

Even if a given firm does everything it can to lock itself down against cyber security threats, they still have to do business, and that often means doing business with other businesses. It is these trust relationships that are increasingly becoming problematic from a security perspective. Ask the former CEO of Target if he thought his career would be undone by an HVAC contractor. Like most risks, this is one that can be managed, but it should be a collective effort, not an unfunded mandate. Second- and third-tier subcontractors are working with thin enough margins as it is; requiring that they spend money on issues they know nothing about isn’t productive. Extending your defensive influence and power doesn’t have to be expensive, but it has to be done if you want to reduce the likelihood of being unintentionally stabbed in the back by your partners.

Another realm of commerce that needs radical improvement with regard to security is the start-up world, where the drive to get users to sign up to your Uber-for-X service trumps all, especially security. There are few companies that haven’t realized that there are 100 ways to monetize the data they collect; 99 of them have nothing to do with the core business. Start-ups have CEOs, CTOs, and “Chiefs” for growth, fun or even “everything,” but they rarely have a CISO, because that guy is going to ruin all the fun and point out that the firm is one misstep away from going from “unicorn” to donkey with a paper cone taped to its head.

Finally, just as in past years, your best bet for success in 2017 is to focus on the basics of blocking and tackling. Threats aren’t changing, but avenues for attack are growing. The more pervasive technology becomes in our lives, the more ubiquitous connectivity becomes, and the more convenient things become, the more vulnerable we become. Not everything in our work or personal lives needs to be automated, wired, connected, or otherwise ‘cyber-ed.’ When we do it, though, we need to understand the full scope of the risk we are accepting, and we should take some time to game-plan how we’re going to operate when things go sideways (you know they will).