“Give us 50K in bitcoin or you'll never access any of your data again.”
Cybercriminals have many ways to hijack your data, and ransom schemes like the one above are just one trick of many. These “geeks gone wrong” are a real threat to customers and brands, and everyone knows we need a plan to fight them. But what’s the right way to safeguard your data?
In my role, I’m fortunate to have a front-row seat at analytics implementations around the world. And from that vantage point, the biggest shocker for me has been the number of organizations that still don’t have much of a plan for cybersecurity. Here are some other trends I’ve observed.
Size doesn’t matter
You might expect that the ability to ward off crooks is dependent upon the resources of the company in question, but that’s not what I’m seeing. The level of preparedness varies widely. I’ve seen everything from full-on security centers that would make the NSA proud to a lone person taking on this type of work as a part-time job. Too many multibillion-dollar organizations still don’t have fully staffed cybersecurity teams with the requisite skills, while some smaller companies are doing fine.
Either way, it’s a fallacy to believe that only the big-name companies get hacked. Cybercrime is a money-making industry, so hackers have segmented their prey into market categories, with enough approaches and objectives to cover the bases. Everyone’s at risk. Now it is true that the bigger the organization, the more tools you’ve probably acquired. Big companies are facing board-level pressure to get protected, fast. But making that investment is a double-edged sword because more tools can mean you’re drowning in alerts, forcing you to plow through reams of false positives to find the needle in the haystack.
Know your assets
Hackers love this. An avalanche of false positives creates their perfect cover, so that’s why I suggest that buying software shouldn’t be your first step. The first thing that needs to happen is to get your house in order by focusing on what’s far more important than technology: your people.
It isn’t fair to assume that the CIO you’ve had for 15 years will also be an expert cyberwarrior. Fighting cybercriminals is a whole new skill set with ninja moves, like the blocks and tackles that stop thieves from getting in, and the silent sleuthing that ferrets them out once they’re there. You have to invest in building those skills, or bring them in. As we all adapt to the new normal of inevitable breaches, education, certification and accreditation will be key in preparing us to fight.
If you don’t start with the people side of your cyber strategy, you can waste a whole lot of money real quick. That’s because the first thing a new security apparatus tends to do is expose your lack of knowledge about your own infrastructure. Think about it: What really is on that network of yours? This can be surprisingly difficult to answer, especially in our ultramobile society, with employees signing in from 50 different locations.
To know how thieves can break in, it’s essential to know what your assets are and where they reside. You start by considering why someone would want to hack you. Different types of assets require different protection strategies, so know your valuables, isolate the important things, and don’t try to do everything at once. When it comes to a cyber strategy, you’re looking for bespoke, not ready-to-wear.
Design a custom solution
Once you have a good handle on your assets, then you can go buy the best technologies. But keep in mind that there will never be one technology to fix everything. One technology may build a wall around your organization. Another hunts down people once they are inside. The best strategies layer approaches together rather than relying on just one solution. And that makes sense – the threat is broad, so the solution should be multilevel, too.
The crucial thing is to get the best “first page” of alerts. Let’s face it – if you’re given a ream of paper with trouble spots, you’re only ever going to work the first page. So that first page better contain the most serious of threats.
Make it better, not worse
As I said up front, I’ve been surprised by how many organizations lack a plan to adequately protect and fight back. Some seem to accept defeat up front, and they rely on insurance to reimburse their losses – when what they should be doing is inventorying assets, compiling a plan, and designing a solution. And this is where SAS can help.
The main thing to remember is: don’t wait. Security projects are complex, so as with diets and home improvement projects, there’s always a reason not to do it. But don’t wait for the time to be right to kick off a monster project. Break it into smaller pieces, and move quickly. And don’t just go out and buy a solution without thinking it through. If you do, you’ll make the problem much worse by giving yourself an exponentially bigger haystack to comb for threats.