Allegations of hacker attacks across the globe are shaking the minds and spreading fear across industries. Attacks like WannaCry or Stuxnet are no longer carried out by anonymous hackers or people seeking fame. These are well organized and orchestrated attacks often sponsored by large groups that are interested in taking down competitor networks and industrial espionage.
This is more often the case for huge, international corporations that have sensitive and valuable information, as well as financial assets. These activities can cause huge financial and reputational damage to companies, and in some cases, financial loss can reach billions of dollars.
Being a part of a large consulting group has allowed me the opportunity to witness the way companies develop cyber security. I’ve also had the unique chance to be one of the first pioneers in developing new tools and mechanisms for companies to be better prepared and resistant to cyber attacks.
With the help of one of the biggest insurance companies in Europe, my team design and develop software which will help underwriting departments better assess how prepared corporations are in the face of cyber attacks. This is something insurance companies haven’t had the ability to do, and it can affect the amount of cyber insurance coverage provided.
Know your enemy
Another initiative I am actively involved in and evangelise is a set of techniques called LACS (Lean approach to Cyber Security). The truth is that corporations are spending millions of dollars creating robust infrastructure, hiring in-house information security and data privacy departments, and external agencies. But, the number of attacks and loss due to cyber attacks is not decreasing, it’s increasing daily. No one is secure anymore.
The problem is that most companies don’t know who their enemy is.
Cyber warfare is a real war with real casualties, and to be able to fight, you have to be well prepared and evolve your techniques and defences. In this case, your enemies are hackers and the organisations that sponsor them. Without knowing your enemy and thinking like them, there is no way corporations can win this war because they stand alone against a well-organised secretive network whose only goal is to expose your sensitive information and profit from it.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Forget whiteboard planning
Part of knowing your enemy is thinking like your enemy. If the number of cyber breaches is increasing, business owners need to ask themselves what they are doing wrong.
A lot of companies will say they’ve been planning the security system for the last decade, their network is secure, or that they have the best specialists on the market. With this mindset, you’ve already lost the game.
I need to break your illusions – WHITE BOARD PLANNING DOES NOT WORK. The trust is that the hackers are sitting on the other end of a well-hidden, secure network has a totally different mentality.
Words like planning, matrixed organisation, hierarchies mean nothing to them. These people are neglecting everything that is valuable in your company in order to be one step ahead of you. They don’t think like you. They are flexible and fast. They will take risks, and that is something that can’t be said about corporations. These businesses are often hesitant in taking action and risks, and that is a huge benefit for hackers.
It is so unfortunate that security specialists have their hands tied, because of internal corporate politics or protective labour unions that don’t allow for white hacking or internal covert testing. Good luck in defending yourself and your assets with this approach.
Where is the threat?
Besides internal company policies that slow down or even stop security teams in their actions, business owners usually fail to realise one truth. The biggest threat to company cyber security is not the quality of infrastructure or the software. The biggest threat is the company employees.
Cyber breaches appear in most cases in the 3Ps, which stands for perimeter, people, and partners. And guess what? Most of the attacks come from people or partner. People are the employees, and partners are vendors and contractors providing services for the company.
No security team or firewall can block your assistant from writing down the CRM password on a piece of paper and leaving it on the desk when they leave for the weekend.
People who want to profit from your company can hire a cleaner or disguise themselves as a cleaner to get access to the office and steal the paper. That’s it. Your competitor now has access to all of your leads and prospects.
Or, in the case of partners, if there is even a single non-protected computer in the network that your system is connected to, you can forget about privacy and security.
Remember one simple thing. No matter how much money you spend, Social Engineering is still the biggest potential for hackers to expose and target your company. And no matter how much whiteboard planning you do, if you are not ready to take risks and agile, lean actions, you have already lost the war… and possibly your business.
Easy, LACS is the leanest and most agile approach to securing your organisation.
You do not have to spend a lot of time and money just to end up with an outdated set of techniques. Because, by the time you finish your whiteboard planning, a new virus or breach will appear, and you will have to start from scratch.
LACS allows you to develop your own techniques on the fly and with a reasonable amount of time and cost investment. You just have to be ready to change the mindset of the organisation to understand cyber warfare is evolving, and we need to prepare ourselves with the best tools and approaches.
In the next articles, I am going to go through a set of techniques we have identified and united within LACS, and I will provide you with fast and more efficient methods to fight cyber warfare.
- Cyber Security