HISCOX Cyber Readiness Report Says “Detection Is Challenging”

Written by: Francesco Trama | Published on: February 9th, 2017

About The Author

Francesco Trama
As Chief Executive Officer and Founder, Francesco is responsible for the overall operating performance, leading the strategic direction of the company’s products and solutions internally while building technical and business credibility externally as a market-facing thought leader.

Hiscox, an international specialist insurer, released a study that shows how detection and identification are still very challenging. The report found that more than half (53%) of businesses are ill-prepared. The alarming part is that the report included managers and IT specialists from roughly 3,000 small to large companies in the US, UK, and Germany.

Results I Found

  • Nearly half (44%) of all US companies are taking two or more days to discover a cybersecurity event, and 54% reported taking two or more days to return to “business as usual” after their largest breach. More surprisingly, it was found that completing a cyber investigation took even longer.
  • The average cost of the largest cyber-security incident experienced in the past 12 months for smaller businesses was $41,000. An alarming fact: one in five (19%) small businesses said they haven’t changed anything following a cyber-security incident.

I understand the motives behind the report and believe in the importance of cyber insurance, though what I’m perplexed about is the standard cyber talking points that are offered as advice and solutions.

Cyber Readiness Facts

  • Involving Top Management in Cybersecurity Discussions. Nine out of ten experts (90%) say cyber-security is a top priority at the board and C-Level. Only 62% of novices say the same.
  • Formalizing a Cybersecurity Strategy. Nine out of ten experts (90%) have a budgeting process that is integrated into all security projects and activities vs. only 40% of novices.
  • Implementing More Employee Training. Nearly nine out of ten experts (86%) agree that employee training has reduced the number of cyber incidents. The figure for novices is 57%.
  • Documenting the Firm’s Processes. An overwhelming majority of experts (96%) say their businesses have cyber-security guidelines for employees, partners, and external users, but only 42% of novices are as organized.
  • Tightening Up Technology. The gaps between novices and experts are generally less noticeable in technology deployment. Where the novices need to improve is in internal and external message encryption and the integration of strong authentication throughout their businesses.

More of the same is not a solution in my opinion. I think most of the talking has reverberated for years now and it’s time we start thinking out of the box.

I would argue that Involving Top Management in Cybersecurity Discussions is easier said than done. The fact is, C-Level folks cringe each time IT comes in month after month with a “new tool” that will solve the mysteries of internet hacking. Think back to when you walked into the board and said, “Hey, we are good. In fact, we are cutting cyber expenses because of our new find. We bought a PacketViper and we eliminated 50% of the logging and threats, saved countless hours on investigations and subscription costs per year, made things less complex, and saw a 70% drop in risk to our business.” Walk in with this information and you’ll probably get promoted.

I would also challenge it when you hear Implementing More Employee Training. While this is a great idea and an even better poster, the fact is that employees who are not IT specialists are focused on their jobs and not on security. The common saying we constantly hear is, “IT should be worried about security because this is what they are paid for.” Not to mention the very short-term memory and the out-of-sight, out-of-mind mentality. Sure, there will be a few of those employees that will embrace and follow, but a good majority will not. These people are the Achilles’ heel of network security. The fact that we have to tell our users to watch out is an indictment that there are gaps in security. Wouldn’t it be great to tell your users, “Have at it, we got it covered!” We both know this is not a reality, but what if?

Tightening up technology is a goal for everyone. Some believe it’s buying more stuff or adding additional steps to authenticate data/information. Some believe it is all about making everything more detailed. There is always going to be the next greatest tool that has an impeccable algorithm to detect some minute anomaly that is moving east and west within a network. We could even stumble across a spectacular list of threats that have insights that no one else has. Unfortunately, I’m here to tell you there is no such thing. We have “band-aids” that will eventually become outdated because of some new form of hacking we are waiting for.

If you want the best security on the planet, then unplug your networks from the world, turn off all wireless devices, remove all disk drives and CD-ROMs, destroy all USB, COM, and FireWire ports, bolt computers to the ground, and weld the cases shut. Short of that, you can forget about it.

I’m not saying we should move backward, but new security tools are coming at you at the speed of light. New security items claim they have the solution to fix your problem. Most of these products today are providing inspection, detection, identification, and prevention based on predefined criteria. There’s a flaw with this. None of them are solving the problem. Pretend those devices are like concert guards trying to stop crazed fans mobbing towards a stage. Just not cutting it…

The problem is and always has been the volume, velocity, and variety of traffic entering the security environment. We must clip the firehose of traffic entering environments and unburden ourselves of inspecting everything. If we do this, the C-Level conversations become easier, the employee training is less nerdy, and you are tightening up security. PacketViper can eliminate as much as 70% of the wasteful traffic volume entering the environment. Stop and think about that in relation to inspection, detection, identification, and prevention. You will have fewer inspections (logging), fewer detections (alerting), and faster identification (investigations).

Not too long ago, RSA published a study that showed only 24% of organizations are satisfied with their current ability to detect and investigate threats using their current data and tools. There is a reason for this: they didn’t have PacketViper.