These days there is no such thing as a genuinely secure system: breaches will happen, but resistance is not futile. The focus should be on reducing the risk of attackers achieving their objectives, and on responding appropriately to minimise damage when they do. Read on to discover three common cybersecurity mistakes, and how they can be avoided with a cyber risk analyser process.
Time for a new perspective: Cyber Risk Analyser
There is a preference among media outlets and vendors to use ‘end of the world’ scenarios to generate revenue and headlines. This is counterproductive, causing business leaders to experience ‘threat-fatigue’, whereby messages no longer get through, and the whole subject of cyber security is left in the hands of IT. And guess what? The CIO and the CISO are just as bored as everyone else of being told that the entire corporate infrastructure is in jeopardy if they don’t buy the latest software. A more rational approach is to look at cybersecurity in the context of business risk, whereby devices, teams, departments, and processes can be rationally assessed to establish not only their likelihood of being exploited but crucially what the impact to the business will be. This strategy allows an organisation to have a constructive discussion at the board level and take logical actions that are commercially and fiscally sound, thus alleviating the following three common security mistakes made by IT leaders.
3 Common Cybersecurity Mistakes
‘Don’t buy what everyone is buying; buy what you need’.
If you’re not familiar with this philosophy, Pavlov was a scientist whose famous experiment involved a dog, a bell, and some food. He discovered classical conditioning by accident: the dog would salivate at the sound of the bell even without the food, which showed that the salivation was a learned response. It’s an unfortunate observation that a lot of security spend is based on brand prominence, and if a vendor is not in a market analyst’s top-performer category, it is tough for them to make it through procurement. Many organisations’ procurement and product approval processes are largely influenced by the marketing and advertising of those top performers. This leads to money being spent on technology that is unnecessary or ineffective because it is not aligned with your risk appetite. Conducting cyber risk analysis brings the benefit of refocusing business expenditure on evidenced risk. Can you prove that you are investing in the right places?
‘It’s not until you observe and monitor your security state that you know where it stands’.
Physicist Erwin Schrödinger devised a thought experiment to illustrate the nature of quantum theory as it relates to subatomic particles. In the thought exercise, a cat is placed in a box containing a radioactive substance with a 50% chance of decaying whilst the cat is in the box. Without opening the box, the cat exists in both states, alive and dead; it is not until we open the box that we know the cat’s state. In cybersecurity terms, how do you know whether the framework you’ve put in place is working at any given point in time? By understanding your security posture and hygiene challenges and regularly testing your defences, you know whether you can withstand the threats facing your organisation (the cat is alive) or whether something has already happened (the cat is dead).
3 Monkeys Incident Response
‘Be observant, follow advice & demonstrate responsibility through effective governance’.
The three wise monkeys embody the proverbial principle “see no evil, hear no evil, speak no evil”. The phrase is often used to refer to those who deal with situations by turning a blind eye. In cybersecurity, you cannot afford to turn a blind eye, as threat actors will take your ability to control the narrative of a breach away from you. If you rely on products for your security posture rather than addressing the fundamentals, you’re going to have gaps in your observability, which will inevitably be exploited by attackers. “Ignorance is bliss, but we’re concerned because it’s a crazy world.” – quote from Mandiant’s 2021 Threat report.
Using Cyber Risk Analyser to Combat 3 Common Security Mistakes
Securing your organisation is an around-the-clock challenge, and it is made harder by the tendency to be distracted by threats rather than focusing on business risk. It is in our nature to respond to Fear, Uncertainty and Doubt (FUD), which is precisely why threats make powerful headlines; but out of context they are meaningless, and the result is confusion, unnecessary expenditure, inefficiencies and false alerts. Instead, organisations need to consider the common philosophical mistakes above and use cyber risk analysis to determine which risks are relevant to their business and which are yet more propaganda.
With an ongoing cyber risk analysis (CRA) approach, a well-managed environment is achievable: good hygiene and consistency over the software and technology in use. Combine this with a System of Record (SOR) and a defined set of Indicators of Compromise (IOCs), such as abnormal profile abuse, persistent services, malware and unusual login behaviour, and change can be detected. This is the fastest route to breach awareness, as change is the best indicator that someone or something has taken control. Once you are aware, you can apply forensic analysis to distinguish an anomaly from an incident; from there, you can decide on the appropriate course of action.
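To make the "system of record plus change detection" idea concrete, here is an added example (not code from Secrutiny or from its Cyber Risk Analyser platform). It keeps a small known-good baseline, compares a current snapshot of persistent services and privileged accounts against it, and runs a handful of login-behaviour checks (off-hours logins, logins from networks outside the baseline, bursts of failed logins) over a few constructed authentication events. The host names, account names, addresses, timestamps and thresholds are all constructed for illustration and are assumptions, not data from any real environment.

```python
"""Change detection against a system-of-record baseline (added example).

The baseline is the agreed known-good state. Anything that differs from it,
or any login that does not fit the recorded pattern, is raised as an alert
for an analyst to classify as anomaly or incident.
"""
import ipaddress
from collections import Counter, namedtuple
from datetime import datetime

Alert = namedtuple("Alert", "indicator subject detail")

# Constructed baseline (hypothetical): what the system of record says should
# exist, plus the expected login window (UTC hours, start inclusive, end
# exclusive) and the networks logins normally come from.
BASELINE = {
    "services": {"sshd", "cron", "nginx"},
    "admins": {"alice", "ops-svc"},
    "login_hours": {"alice": (8, 19), "bob": (8, 19), "ops-svc": (0, 24)},
    "login_networks": ["10.0.1.0/24"],
}

# Constructed current snapshot (hypothetical): one new persistent service and
# one newly privileged account have appeared since the baseline was taken.
CURRENT = {
    "services": {"sshd", "cron", "nginx", "updsvc"},
    "admins": {"alice", "ops-svc", "bob"},
}

# Constructed authentication events (hypothetical), oldest first.
LOGIN_EVENTS = [
    {"user": "alice", "ts": "2024-03-04T09:12:00Z", "src": "10.0.1.20", "ok": True},
    {"user": "bob", "ts": "2024-03-04T03:41:00Z", "src": "10.0.1.33", "ok": True},
    {"user": "bob", "ts": "2024-03-04T03:42:00Z", "src": "198.51.100.7", "ok": False},
    {"user": "bob", "ts": "2024-03-04T03:42:30Z", "src": "198.51.100.7", "ok": False},
    {"user": "bob", "ts": "2024-03-04T03:43:00Z", "src": "198.51.100.7", "ok": False},
    {"user": "bob", "ts": "2024-03-04T03:44:00Z", "src": "198.51.100.7", "ok": True},
    {"user": "ops-svc", "ts": "2024-03-04T03:45:00Z", "src": "10.0.1.33", "ok": True},
]


def compare_sets(kind, before, after):
    """Report items added to or removed from a baseline set (services, admins)."""
    alerts = []
    for item in sorted(after - before):
        alerts.append(Alert(f"new_{kind}", item, f"{kind} '{item}' absent from baseline"))
    for item in sorted(before - after):
        alerts.append(Alert(f"removed_{kind}", item, f"{kind} '{item}' present in baseline"))
    return alerts


def detect_login_anomalies(events, baseline, fail_threshold=3):
    """Flag off-hours logins, logins from unknown networks and failed-login bursts."""
    alerts = []
    networks = [ipaddress.ip_network(n) for n in baseline["login_networks"]]
    failures = Counter()
    for ev in events:
        # fromisoformat accepts 'Z' only on newer Pythons, so normalise it first.
        when = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        src = ipaddress.ip_address(ev["src"])
        if not ev["ok"]:
            failures[(ev["user"], ev["src"])] += 1
            continue
        if not any(src in net for net in networks):
            alerts.append(Alert("unknown_source", ev["user"], f"login from {src} at {ev['ts']}"))
        start, end = baseline["login_hours"].get(ev["user"], (0, 24))
        if not start <= when.hour < end:
            alerts.append(Alert("off_hours_login", ev["user"],
                                f"{ev['ts']} outside {start:02d}-{end:02d} UTC"))
    for (user, src), count in sorted(failures.items()):
        if count >= fail_threshold:
            alerts.append(Alert("failed_login_burst", user, f"{count} failures from {src}"))
    return alerts


def run_detections(baseline, current, events):
    """Run every check and return the combined alert list for triage."""
    alerts = compare_sets("service", baseline["services"], current["services"])
    alerts += compare_sets("admin", baseline["admins"], current["admins"])
    alerts += detect_login_anomalies(events, baseline)
    return alerts


if __name__ == "__main__":
    for a in run_detections(BASELINE, CURRENT, LOGIN_EVENTS):
        print(f"[{a.indicator}] {a.subject}: {a.detail}")
```

Each alert names the indicator it matched rather than asserting a breach: the new service, the new admin and the off-hours login from an unfamiliar network could each be legitimate change, which is exactly the anomaly-versus-incident decision the paragraph leaves to forensic analysis. In practice the baseline would be refreshed from the system of record after each approved change so that sanctioned work does not keep firing.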
For more information on cyber risk analysis and to alleviate the common security mistakes, check out Secrutiny’s Cyber Risk Analyser Platform.