The asymmetric threat has left the building, and the attack surface area has exponentially increased.
Today, there are four billion people with forty billion devices connected to the internet, and these numbers are expected to hit one trillion internet-connected devices by 2030. Each app on these interoperable devices has sixty-five thousand ports, or endpoint vulnerabilities, for attackers to target.
Cyber threats should no longer be considered a low-probability, high-impact event, given global interoperability and connectedness, recent unprecedented events across the nation and the world, social unrest, extended isolation, and the growing share of the labor force working from home.
The threat surface area, vulnerabilities, and opportunities for attack have increased exponentially, giving attackers more ways to infiltrate “Critical Ecosystems” and carry out either ACCESS attacks/operations (e.g., exfiltrate data) or EFFECTS attacks/operations (e.g., cause an action).
Here are “Ten Disciplines” leaders can use in ANY business, small, medium, or large, to mitigate their cyber risk and the impact to their businesses and communities.
1. Think and Act Basically – Basic Cyber Hygiene – I’ve been teaching Krav Maga (Israeli hand-to-hand combat) to military, law enforcement, and civilians for more than a decade. When a new student attends their first class, I “do not” teach them advanced-level combatives. The first thing I “do” is teach them the BASICS, including stance, footwork, and movement.
The same applies to cyber security, and to life. Crawl, walk, run. “Do” use multi-factor authentication, “do” use password managers/generators, “do not” use common names or sequential numbers, e.g., 1, 2, 3, 4, 5, etc. “Do” use VPNs when on external systems, “do” be suspicious of incoming email from unknown outside sources and “do not” click on or open attachments, “do” keep passwords secure, “do not” write them on Post-it notes stuck to your desk, and “do not” share passwords internally or externally.
2. Think Critically – Define Your Critical Assets – Yes, I want to know your pain points, and what is keeping you up at night. I also want you to know and define what your critical assets are.
What are the aspects of your business that, if compromised, would shut down operations?
- Is it your proprietary information?
- Is it your R&D formula?
- Is it the location of your sales force?
- Is it your pricing model?
- Is it your ICS/OT facility and resources?
Once your critical assets are defined, we can implement tiered security measures, allocate resources effectively to mitigate the threats faced, and reduce the impact to your organization.
3. Be Humble – Assess and diagnose the organization’s level of cyber security competency and hygiene to find deficiencies, gaps, and vulnerabilities, so that the resulting risk can be mitigated. Cyber competency must be assessed and diagnosed starting with senior-level leadership, all the way down to the entry-level employee.
Does your leadership team know what questions to ask? Does your leadership team understand the answers? Start with the following to elevate your cyber competency:
- How does our organization identify, protect, defend, respond, and recover against phishing attacks?
- How does our organization control role-based IT privileges?
- How do we ensure our current infrastructure, software, and devices are up to date?
- Is our IT architecture applicable to our business today, or are there adjustments we need to make?
- How do we ensure our supply chain partners are protecting the information we share with them?
- What authentication methods do we use to ensure data access controls?
4. Think like a Scientist, Anatomically, Including Structure and Function – Follow a framework, e.g., NIST – The NIST framework is to Identify, Protect, Defend, Respond, and Recover. Additionally, I like to add Adapt and Thrive. Think of the NIST Cyber Security Framework as the blueprints, or foundation, of your home. If the blueprints are followed, your foundation will be stable and able to withstand severe weather and loads for years to come. If they are not followed or implemented, or corners are cut, your home and your cyber security controls will not be able to withstand the threats faced, and your family or business will be compromised. The greater the compromise, the greater the impact to your organization.
5. Think Collaboratively – Build out public/private partnerships TODAY – You would not believe me if I told you how many times I’ve been called in to assist Fortune 500 clients, reactively, after an event took place, only to find out that there were “no” public/private partnerships already in place that could be leveraged before, during, or after the event.
Unfortunately, this is more common than you can imagine. This MUST change, now! Reach out to your local law enforcement agency, your state agency, and your federal agency. Don’t forget about healthcare agencies, fire, and EMS, as well as local news agencies.
I guarantee that you will find more than willing partners who want to assist.
6. Think Strategically – Leaders MUST think of cyber security as a strategic business problem and NOT an IT issue. Why? Because it is! Once you are the victim of an attack, your IT manager will not be the person answering questions on NBC, ABC, CNN, or FOX. That person will be you, the CEO or senior-level leader, who will have to speak with internal and external stakeholders, employees, families, supply chain partners, and customers.
Some may say, “I’m only a small business owner, I would not be on those news stations.” To which I would share statistics and facts showing that ransomware is predominantly a small business problem. Seventy-two percent (72%) of all ransomware attacks in the fourth quarter of 2020 affected small businesses ranging in size from 1 to 1,000 employees, with an average size of 234 employees among the companies attacked, up 39% from the third quarter of 2020. https://bit.ly/3jCH4rE
You may not make national news, but you would have to answer to your employees and their families, customers, supply chain partners, and possibly law enforcement. Hopefully, the impact of the event does not shut down your organization entirely, negatively impact your community, or cost someone their life.
Are you prepared? Don’t let your worst day be your first day, plan and prepare NOW! What are you waiting for?
7. Be Hungry for Knowledge – Build out a cyber education/training program and plan within your organization, with an everyone-plays-the-game approach, from the board room to the entry-level employee.
Remember, people do not rise to the occasion, they fall to the level of their training!
8. Conduct SWOT Analyses and Take Action – An imperfect plan implemented today is better than a perfect plan implemented next week. Act now!
Conduct cyber security stress tests/exercises/drills, and penetration tests. Training and exercising are two different things. Fighters train, and then have sparring matches to ensure the efficacy of their training. Doctors study medicine, and then intern in teaching hospitals to practice their craft under stress.
You must also conduct stress tests/exercises/drills and penetration tests to ensure that the tiered security measures currently in place are efficacious, allowing you to adjust allocated resources as needed to mitigate risk and further reduce the impact to your organization.
Leave your ego at the door when reviewing the after-action reports (hot washes). These exercises/drills are not meant to find blame or point a finger; rather, they are designed to find your strengths so they can be leveraged and replicated 360 degrees enterprise-wide.
9. Develop a Culture of Trust and Mutual Aid Assistance – Design an incident response plan, create an incident response team, define roles and responsibilities, and include checklists of steps to take and who to call in the event of an incident, etc… Collaborate with internal and external stakeholders, including relevant law enforcement partners, other agencies, public/private partnerships, outside counsel, public relations firms, and investigative and cybersecurity firms with the competencies needed in the event an incident occurs.
Have you actually defined what a crisis is? Are you dealing with a minor event, major event, or a full-blown crisis? Do you know the difference? Do your homework now so that your worst day is not your first day.
Then, when an event or crisis occurs, you are prepared to push play and follow the plan!
10. Think in Venn Diagrams; It’s a Mindset! – You must address the convergence of all four (4) pillars of risk: Physical, Technology, People, and Process.
There is NO technological black box that you can implement to solve all of your problems, or those of your clients, customers, or partners. You must address physical security, as there are many examples of attackers walking right through the front door to carry out cyber attacks.
You need to address people via education, training, drills, and exercises, as studies show 90% of cyber breaches are caused by human error.
Planning and preparing proactively, with the future in mind, provides the process needed so you can push play when an event occurs, and therefore your worst day will NOT be your first day.
Streamlining organizational strategy and mitigating risk begins with a security/risk mindset holistically integrated 360 degrees enterprise-wide. It should not be looked upon as a standalone silo or division.
Look for the #AbsenceOfNormal and the #PresenceOfAbnormal #cybersecurity #HumanFactor #Leadership #SuccessIsMyDuty #WhatAreYouWaitingFor #L5LElevatesRiskIQ2SaveLives #L5LElevatingRiskIQ2SaveLives #L5LWeSolveLevel5LeadersProblems #AttackersWalkThruTheFrontDoor #PhysicalTechnologyPeopleProcess #10DisciplinesofEffectiveCyberSecurityLeadership
Copyright © 2020, Andrew J. Peden. All rights reserved.
For further information or reproduction, contact the copyright holder at [email protected].