Original post here https://www.vestigeltd.com/thought-leadership/name-doesnt-target-one/
The truth about CyberSecurity is that every organization, regardless of the size and significance, IS a target of CyberCrime; the problem is we only hear about “the big ones” in the mainstream media. But dig just a little and you’ll learn, for instance, that 62% of Cyber Incidents actually affect small- and mid-size businesses*. Could your organization be the next statistic?
I speak to a tremendous number of executives, business owners and management at organizations across a wide segment of industries and geographies and I’ve come to learn that there are almost always four prevailing thoughts as it relates to their organization’s Cyber Awareness. As astute business people, as a class, we are very good at differentiating ourselves. We do it in our businesses daily. We differentiate our organization from our competitors, we differentiate ourselves from our peers, and we differentiate our culture from other competing alternatives…we’re just really good at differentiating ourselves. And so when we read about the misfortunes of other organizations’ struggle with CyberSecurity we swing into Differentiation Mode and convince ourselves that “we’re different – it can’t happen to us!”…until it does.
When I talk to business owners, executives and management, I almost always get one or more of the following universal answers:
And while these reactions have well-grounded foundations and I understand where these reactions come from, the fact of the matter is these individuals fall victim to the “we don’t know what we don’t know” syndrome.
So why aren’t these things adequate answers? Well, it’s not that they’re not good answers – it’s that those that don’t understand technology and more specifically, CyberSecurity tend to rely too heavily on these as gospel.
The fact of the matter is that every organization, small, medium or large, profit/non-profit, personal or business, we’re all part of this cyber-economy and because we’re a part of it, we’re each a potential victim. For those of you that have long followed my writings, you know that my analogy of what is going on at the edge of your organization’s Internet connection is a scary place. Imagine driving into your neighborhood after work this evening and finding not 1, not 2, not 5, but 50 burglars going up-and-down the street rattling all of your and your neighbors’ windows and checking the doors to see if they’re locked. We wouldn’t put up with that – but yet, that’s exactly what happens in this cyber-landscape. This happens day-in and day-out, 24x7x365 and it happens not because organizations aren’t shoring-up their Internet perimeter – after all, just like you, everyone else has a firewall. It happens 24x7x365 because the cyber-landscape is a dynamic landscape. What might be in place and working perfectly fine today may not be good enough tomorrow. New vulnerabilities are being discovered at an alarming rate (100+ daily). Exploits that take advantage of those vulnerabilities are often widely dispersed within the cyber-underground at the same time or even before the vulnerabilities are made public–before a fix or “patch” is made available to the public. Unfortunately, many times, the bad guys have the exploit well before the appropriate safeguards are enacted by the organization. This leaves organizations vulnerable.
And What Is It That The Bad Guys Want?
That of course depends on what they perceive that you have that is of interest. The reality is, however, that most of the cyber attacks are not highly targeted, nor highly sophisticated designed to hit the organization where it hurts the most…sure that happens, but those are the ones we read about all the time. Instead, most of the attacks are crimes of opportunity; smash-and-grabs. Bad guy tests the locks on your doors, finds the window left unlocked and enters your house – they’re in and they have a few minutes so they grab whatever they can and they’re out of there. Back at their safe-house they sort things out and determine what, of value, they have.
While it’s a similar situation in Cyber, there’s at least one important distinction. I want you to change your perception of the smash and grab to “enter, linger and find out what you have”, as that resembles the reality a little closer. You see, when an attacker does manage to get into the environment, the last thing they want is to be discovered. The name of this game is “persistence” and “hang low”. Persistence from the standpoint of making sure that the attacker has a way back in to the environment in the future. Therefore, once in, the attacker will do whatever they can to install a back-door so that they can get back into the environment down the road. From there, in order to avoid discovery, the attacker will generally lay low – perhaps checking back every couple weeks to a month, or so. In fact, today the industry average is 9 to 12 months that the attacker is rooting around inside your system before they are discovered. And, the vast majority of times the cyber incident or attack is not discovered by the organization themselves, but instead through an outside party. By this time, the damage is generally done – the attacker has figured out what is important, has taken steps to steal and/or use that information in a manner that is beneficial to the attacker.
Like the security in your home, the good news is there are steps that can be taken to ensure that a would-be attacker moves along. The trick is in knowing and understanding what risks your organization faces, where the gaps in controls exist and prioritizing what can be done about those.
Ready for more? Browse additional articles in Technology!