Our IT Executive Roundtables are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialogue on current trends and topics. The group met remotely to discuss preparing for the next generation of data security attacks, led by the CISO of a leading telecommunications equipment company. This session was sponsored by Tanium.
There have been more successful cyberattacks in the last few years than ever before. Customer data is often the most valuable asset a company has and protecting it has become a primary concern for organizations. But why and how are data security attacks successful? And how do you prevent them? Is compliance all that you need?
At the start of the discussion, the group talked about the significant risk factors for data security attacks in most organizations. Many executives agreed that the ignorance or indifference of people is often the main reason why attacks happen. A network administrator added that the cloud's complexity and large attack surface are major contributors. A VP of Engineering mentioned that data security starts with product security, and that their biggest challenge is securing all the third-party components of their software. A director of cybersecurity told the audience that 80% of successful breaches can be attributed to unknown attacks or zero-day vulnerabilities. Lastly, a technology strategist remarked that it has become much easier to execute a successful attack. In the past, you'd have to do sophisticated social engineering to spoof credentials; today, you can just buy them off the dark web.
An attendee said that the technology landscape is evolving at an unprecedented pace. People's ability to absorb change and truly understand it is stretched to its limits. Organizations should put special effort into educating their workforce on cybersecurity, its risks and challenges, and how to avoid and overcome them. Moreover, technology and security teams should stop using buzzwords, acronyms, and complex jargon when talking to non-technical people. Instead, they should use plain language so the message reaches as many people as possible.
A participant used an analogy to explain the difference between risk and compliance. Suppose you are traveling on a highway. Compliance teaches you to keep your seatbelt on, keep your hands at the 10 and 2 o'clock positions on the steering wheel, drive the speed limit, and stay on your side of the road. What it doesn't teach you is to keep your eyes on the road and always be on the lookout for potential risks. An approaching car may pull out to overtake a truck and crash right into you if you don't swerve in time. The same rules apply in the security world. You can be compliant with standards and frameworks, but if you aren't always conscious of potential risk factors or threats, they won't make a difference.
Another executive chimed in to say that you can’t categorically remove risk. You have to mitigate it and apply compensating controls. A critical prerequisite to mitigation is identification. This includes internal, external, and supply chain risks. It is imperative to know who your X-parties (third-parties, fourth-parties…) are and how they are handling risk.
During the discussion, different speakers shared ideas on what to call employees who are not well-versed in technology and often don't take cybersecurity seriously. One suggested the word "unsophisticated." Another used the phrase "well-intentioned but careless" to refer to such people, because they are mostly good at their respective jobs but can sometimes be careless when it comes to security. They mean well, but they can make mistakes when in a hurry.
A contributor remarked that we should never waste a crisis in the cybersecurity world, especially someone else's. For example, suppose another company gets hit by ransomware and goes down for a few days. In that case, you can share that news with your high-level management and talk about the real-life ramifications of weak security and/or targeted cyberattacks. When they see just how real the threat is and how it could lead to financial, data, and reputational loss, they become much more likely to give you their approvals.
A participant said that an organization's data center should never be directly connected to the internet. You should use network address translation (NAT) to hide the IP addresses of internal machines from the internet. All access to the data center should go through the LAN or the desktop environment. Only allow a group of authorized vendors to access a segmented group of servers by whitelisting their IPs. All other access should be blocked by default. Implementing all these controls requires creating an inventory of your network assets and resources.
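One concrete way to express the data-center policy just described, added here as an illustration and not a configuration presented at the roundtable or by the sponsor, is an nftables ruleset on the data-center edge. The interface name wan0, the address ranges, the two vendor addresses (RFC 5737 documentation space) and the allowed ports are all assumptions standing in for entries from a real asset inventory.

```nft
#!/usr/sbin/nft -f
# Address book: every value below is a placeholder; in practice these come
# straight from the network asset inventory the text calls for.
define LAN_NET     = 10.10.0.0/16                 # desktop / LAN environment
define DC_NET      = 10.50.0.0/16                 # data-center server segment
define VENDOR_SRV  = { 10.50.8.10, 10.50.8.11 }   # segmented servers vendors may reach
define VENDOR_IPS  = { 203.0.113.10, 203.0.113.11 } # allow-listed vendor source addresses

table inet dc_edge {
    # Forwarding into the data center is deny-by-default (policy drop).
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were already permitted
        ct state established,related accept
        ct state invalid drop

        # Internal users reach the data center only from the LAN/desktop segment
        ip saddr $LAN_NET ip daddr $DC_NET accept

        # Authorized vendors reach only the segmented server group, on SSH and HTTPS
        ip saddr $VENDOR_IPS ip daddr $VENDOR_SRV tcp dport { 22, 443 } accept

        # Servers may initiate outbound traffic (patching, telemetry) via the NAT table below
        ip saddr $DC_NET oifname "wan0" accept

        # Everything else: log a rate-limited sample for the SOC, then drop
        limit rate 10/minute log prefix "dc_edge drop: "
        drop
    }
}

table ip dc_nat {
    # Hide data-center addresses behind the edge address for outbound traffic
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $DC_NET oifname "wan0" masquerade
    }
}
```

Load it with `nft -f` on the edge host. Two design points worth noting: the isolation is enforced by the `forward` chain's drop policy and its explicit accept rules, not by the NAT table (masquerading hides addresses but on its own would still forward any inbound traffic the filter allows), and the `define` block is the single place the inventory feeds in, so a server or vendor that is not listed there is unreachable until someone deliberately adds it.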