How to measure and reduce cybersecurity risk in your organization

With certain measures in place, organizations can defer intrusions and respond quickly when they occur. 

In 2019, former MIT Technology Review’s San Francisco Bureau Chief Martin Giles, who covered cybersecurity and the future of computing, was interviewed in a podcast where he offered a realistic, but bleak observation. ‘There are two kinds of companies,’ he told the interviewer. ‘There’s ones who’ve been hacked, and ones who’ve been hacked but don’t know it yet.’ 

What that means for IT professionals and corporate management, he continued, is that you need to keep a mindset that says, in essence: ‘We’ve been penetrated. What our systems really need is the capacity to spot somebody who’s gotten in and then shut them down before they can do any damage.’ In other words, speed in recognizing when a breach has occurred, and having a well-rehearsed plan in place for addressing it, are tools which are vital to network defensive. 

It’s like Charles Dickens, A Tale of Two Cities, ‘It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, …’. Now, more than ever, organizations’ actions around cybersecurity determines their business success. You are one hack away from a potential reputational, financial or compliance mishap. 

At the same time, though, that doesn’t mean good digital hygiene, prevention and security measures are useless; in fact, they continue to have real value, particularly against less-determined cybercriminals, who can be discouraged from going to all the fuss and bother of breaking into a network if its defenses are too strong. But highly motivated teams of hackers, including state-sponsored cyberattack squads whose time and resources are essentially unlimited, can penetrate even a heavily fortified system. So, while adding layer after layer of security would seem to help – which they do in some cases – configuring those layers can also create new opportunities for error and, as a result, introduce new vulnerabilities. 

Giles’ point of view is that the danger of being cyberattacked is a near certainty for most organizations, regardless of their sector or region. And the attack surfaces where a company’s defenses are most likely to be penetrated can extend to include its cloud services, which many have come to falsely believe are invulnerable. At the same time, he dismisses as being no-longer effective the types of perimeter firewalls and antivirus programs that companies have traditionally used to keep themselves safe. The internet is the new perimeter and endpoints are now globally distributed. Think about a mobile app being downloaded from an App Store anywhere in the world that connects to your core transactional systems through internet facing APIs. APIs are the new virtual walls and they need to be defended. 

What can work, or can at least be helpful, is machine learning and artificial intelligence, which is rapidly becoming a standard feature of most security software. But Giles has reservations about that as well. ‘Cybersecurity defenders are overwhelmed with attacks,’ he said. ‘These attacks are getting more and more sophisticated. What AI can do is to automate hunting and automate responses to hacks that do occur so that things can happen much faster, much more efficiently, than if humans were in the loop.’ But he points out, the AI learning process can also be tricked into misidentifying toxic data as good data, so it should not be mistaken for a security panacea. And getting good data involves answering a few hard questions – is there a large enough data lake that is being constantly updated? Do we have the right cybersecurity data scientists working on this data? How do our AI and ML models adapt to the ever-changing threat landscape? 

At the same time, the attack surfaces for cybercrime and cyber-mischief have expanded exponentially in the last few years. Internet of Things (IoT) devices have proliferated in recent years with more connected devices hitting commercial and industrial businesses. Smart appliances, thermostats, light switches and central security systems are few of the many types of internet-connected devices that are proliferating, and most have weak security provisions with a tendency to leave their factory default settings in place. Those devices, in turn, can become backdoor portals to an organizations internet accounts and to everything residing within them. 

Mobile app developers don’t fare any better in securing consumer data. Developers of phone apps aren’t writing secure code, my own company concluded, because they don’t generally think about ways that hackers can access and use the code they created.  Beyond that, security and development teams seldom have access to the automated tools and platforms that could help them set up effective cybersecurity programs. As a result, mobile apps perform poorly in protecting personal data – which was by far the most common vulnerability identified in a series of application tests conducted by Positive Technologies. 

Building a strong cyber-defense involves answering some fundamental questions regarding data collection, storage, and use. For one thing, do you really need all the data you’re keeping? If you do, is it being held in a secure database – one that’s strongly encrypted and protected with multiple authentication factors? And finally, how secure are your third-party suppliers? If hackers can break into a contractor’s system that has access to your network; they can navigate their way into your data files as well. 

But not all hackers are the same. There are also legitimate IT specialists whose work focuses on penetration testing – white hat hackers whose job is to try penetrating companies’ secure networks to see if they can get inside. Implementing automated tools that help identify vulnerabilities and supplementing it with penetration testing to further ensure finer assessment can assist white hat hackers to proactively protect their network. If they find a vulnerability, they report it, giving the company time to address the risk, preferably before any damage has occurred or any public news of the bug has been published. 

In summary, cybersecurity risks are imminent. Putting certain measures in place such as securing vulnerabilities, enlisting a dedicated team to continuously monitor threats that may occur, and implementing tools such as application security, can help assess and reduce intrusions. Finally, time has come that we recognize that while automation has a large role to play to provide baseline and table stake defense, it’s only with a combination of automation, artificial and human intelligence that we’ll be able to comprehensively defend against an everchanging threat landscape created by the anonymous adversaries.