Basic Cyber Security is Easy (so Why is Implementing It So Hard?)
An effective cyber security posture is pretty basic; we have known the recipe for several years, and nothing about it is overly complicated or expensive: position current hardware defenses at the perimeter, keep the software that connects everything properly configured and up to date, have the wetware (read: people) that make use of everything remain aware of and vigilant against threats, and monitor network traffic for unusual behavior, so you will know when one of the “wares” has let you down and it’s time to take action. Sure, things change and threats are constantly evolving, and there are varying strategies and techniques to layer the defenses, which means our cyber security posture needs to continually evolve, but that’s background noise—a constant that applies to all aspects of business, and life. So, if cyber security is so easy, why are so few organizations good at it? Three reasons usually answer this question: failure to appreciate the risks, assessing the risks as technical ones instead of risks to business operations, and presuming a technology solution instead of a cultural one.
First Barrier: The Risk is not Real
It is my observation that the chief problem is organizations do not yet perceive the cyber security threat as real, or value a breach as costly as they should. This failure to appropriately assess the risks associated with cyber security is particularly puzzling given the string of recent high-profile cyber security breaches, including at Mossack Fonseca, The Hollywood Presbyterian Medical Center, Verizon, and MedStar Health in 2016, Anthem, Experian, Ashley Madison, Home Depot, VTech, and voter registration data in 2015, and eBay, JP Morgan Chase, Sony Pictures, Target, and the Office of Personnel Management in 2014. That cyber security breaches are on the rise, and that they are costly, is not news. Yet there is still a sense among most organizations, and individuals, that it is a problem for the other guy. Why is this so?
A common way to assess a particular risk is to put a number on it by multiplying the perceived probability of an event occurring times the expected cost of the consequences should it occur. If either the probability of an event occurring or the consequences of that event are not valued very high, then there is not much perceived risk. When both have real values, perceived risk is moderate or even high. It’s a useful way to model a very hard thing to measure. Such a risk number can be compared against other numbers that represent other risks, creating a prioritized risk assessment. Cyber security currently does not make it into this kind of list because few organizations are thinking of cyber systems as an integral part of their business processes. Read the latest 10K or 10Q from a few of your favorite companies, and see if they mention their cyber systems as a critical asset or cyber security as a business risk. Chances are good (too good) that they do not, which is odd given that few organizations (or shareholders) could imagine, let alone survive, going back to doing business without cyber systems. In many organizations, and even in most homes, devices outnumber people, and with each passing day we are figuring out new ways to connect old devices, in the name of increased productivity. Connected thermostats, anyone? “We’re starting that meeting this morning an hour earlier than usual, so let’s use our smartphone app to talk to the building and tell it to have the climate control adjusted before we get there.” The Internet of Things is coming fast, which is to say that the number of attack surfaces is increasing fast and, therefore, the risks are similarly increasing. Still, while most folks can rationalize why Sony Pictures was targeted over the release of a film that depicts an assassination plot against the North Korean head of state, they cannot draw a parallel to their own organization. 
It may be reasonable to discount state-sponsored and terrorist cyber threats, but state-sponsored actors are perhaps the smallest segment of the threat spectrum. Much more prevalent are common thieves (your spam folder ought to substantiate that claim), and the recreational hackers—those who seek to breach systems just to see if they can. Still, the biggest source of potential threats, and the most pervasive, are the inside threats, which include software bugs, machine failures, human error, and intentional mischief perpetrated by disgruntled employees (think Edward Snowden), which can cause just as much harm as external threats, sometimes more.
The risks also are not perceived as real because the cyber infrastructure is evolving relatively slowly (one device at a time) and because each device, by itself, actually does have low probability and consequence values associated with it. This leads to the fallacious assumption that it cannot (or will not) happen here. The odds, however, are against that notion. Formerly stand-alone industrial control systems, with little or no built-in security features (such as thermostats and other environmental controls), are now connected to the Internet and, consequently, gaining access to that system does not require a physical intrusion to visibly sit at a control console. These breaches can now be done remotely and, instead of requiring dexterous and knowledgeable fingers, can be done with even more dexterous automated tools, with no obvious indication of it happening. Once that industrial control system is breached, it becomes a launch pad for breaching every other connected system, again with no obvious indications. What starts off in the thermostat moves to the video surveillance system, then the WiFi access point, then the network router, then the shared drive, which has the financial access credentials on it, and that leads to consequences. Awareness is the key to resolving this first barrier to effective cyber security. Organizations, and particularly the executive leadership team, need to embrace the facts that cybercrime is a chronic problem, there are many, many sources of threats, including from inside our organizations, and the number of attack surfaces is increasing by the day. Add to that the fact that any one breach can daisy-chain its way to high potential consequences. Probability? Even an unbiased casual observer has to conclude that it is not low. Consequence? Recent headline cases indicate that even modest breaches come with significant cost to reputation and brand, in addition to real dollars. Probability times consequence equals risk. 
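The per-device versus organization-wide arithmetic described above, as an added illustration that is not part of the original essay: each device's probability times consequence looks small, but the probability of at least one foothold across a fleet, and the expected loss once a foothold can daisy-chain to the shared drive, are not. The device names follow the chain in the text; every probability, the pivot probability and the dollar consequences are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    p_breach: float     # annual probability this device alone is compromised (assumed)
    consequence: float  # direct loss if only this device is compromised, in dollars (assumed)

# Constructed fleet following the essay's chain: thermostat -> camera -> WiFi -> router -> share.
CHAIN = [
    Device("thermostat", 0.05, 500.0),
    Device("video surveillance", 0.03, 2_000.0),
    Device("wifi access point", 0.02, 5_000.0),
    Device("network router", 0.01, 20_000.0),
    Device("shared drive with financial credentials", 0.005, 2_000_000.0),
]

def device_risk(d):
    """Probability times consequence for one device in isolation: the reassuringly small number."""
    return d.p_breach * d.consequence

def prioritize(devices):
    """Risk register ordered by stand-alone risk, highest first (the list the essay describes)."""
    return [d.name for d in sorted(devices, key=device_risk, reverse=True)]

def p_any_foothold(devices, copies=1):
    """Probability that at least one device is breached in a year, treating breaches as
    independent; `copies` is how many of each device the organization runs."""
    p_none = 1.0
    for d in devices:
        p_none *= (1.0 - d.p_breach) ** copies
    return 1.0 - p_none

def chain_risk(chain, p_pivot):
    """Expected loss when any foothold can daisy-chain to the last link of the chain.
    p_pivot is the assumed probability of moving one hop further once inside.
    Sums over entry points, so it slightly double-counts years with two footholds."""
    final_loss = chain[-1].consequence
    total = 0.0
    for i, d in enumerate(chain):
        hops_to_end = len(chain) - 1 - i
        total += d.p_breach * p_pivot ** hops_to_end * final_loss
    return total

if __name__ == "__main__":
    print("sum of stand-alone risk:", sum(device_risk(d) for d in CHAIN))
    print("P(any foothold), 20 of each device:", round(p_any_foothold(CHAIN, 20), 3))
    print("expected loss via the chain, p_pivot=0.5:", chain_risk(CHAIN, 0.5))
```

With these inputs the thermostat's stand-alone risk is $25, yet it contributes $6,250 of the chain's $43,750 expected loss, and running twenty of each device pushes the chance of at least one foothold above 90%.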
Given this, let’s presume your organization recognizes the threat as real. Now what?
Second Barrier: It is an IT Problem
Once an organization accepts that the risks associated with cyber security are real, it needs to next properly assign them as operational business risks, which require a cross-functional approach to address. The next obstacle along that path is that cyber security is viewed as just an IT problem. This common misconception is perpetuated by users and business leaders, and embraced by IT, because it just seems right; information technology is what introduced cyber security vulnerabilities, so it is natural to presume it is an IT problem. Nothing could be more dangerously wrong. Overall cyber security is not an IT function any more than finance is an IT function. Though all financial information is stored in and processed on IT infrastructure, no one in their right mind would categorize finance as an IT function. Why do we let ourselves do so for cyber security? The threat of a cyber breach is a business risk. Until it is viewed as such, it will not get the organizational attention it needs to be addressed. It is not just a security problem, it is not just an IT problem, it is an imperative operational/business risk management challenge. We expect IT to provide technical security of the financial systems, and we can similarly expect IT to provide technical security of the cyber systems, but overall cyber security, like overall financial security, requires a cross-functional enterprise-wide solution—everyone needs to own it and be part of the solution. Otherwise, as the saying goes, they are part of the problem.
Most organizations that get this far do not have trouble with this mental shift initially but, because the discussion can quickly become complicated with tech-heavy jargon, actually pursuing this path seems hard and causes business leaders to want to push it back toward IT. That is because they are approaching it as if the solution will be a technical one instead of a cultural one.
Third Barrier: There is a Technical Solution
It is not the technology that is the biggest target. Recalling the threat sources, inside threats are by far the most prevalent, and users make up the largest vulnerability of inside threats. Everyone with access to your systems, including current and former employees, customers, and suppliers, is a potential attack surface for a cyber breach. People are the weakest link. You can have the most expensive and up-to-date hardware and software, but one careless user can render it all impotent with the click of a mouse. To implement effective cyber security, organizations must turn their users from weakness into strength by converting them from potential threats into vigilant defenses. This is a bridge too far for most organizations, because it requires a cultural change. Culture change is hard, so they look for a technical solution instead. There is not one. Technical tools can help, but as long as you still have users, you still have a problem. Even the most drastic technical solution of disconnecting your organization from the Internet will not work because employees will still get targeted at home or on their phones, and then walk the threats to work right through the front door. Cyber security only works when it is everyone’s responsibility. There needs to be a cultural bias toward cyber security, just like there is with safety and financial reporting. Nearly every industrial workplace has a sign indicating the number of days since the last injury, as a means of reminding employees of the importance of safety, for themselves and for each other. Publicly traded companies impose quarterly quiet periods on wide swaths of their employees, not just to comply with FCC rules about non-disclosure of financial data in the weeks prior to release of quarterly results (which could be met with a much smaller group of employees), but because doing so helps remind everyone involved of the importance of accurate and timely financial reporting.
Cyber security demands nothing less—an enterprise-wide effort, regularly reinforced through a common cultural norm or practice.
Change is hard under normal circumstances, but especially so when the members of an organization do not recognize the need for change, and what is asked of them is inconvenient. Security is inconvenient. It is also inefficient, at a time when we praise efficiency (and introduce IT tools to improve efficiency!). Efficiency is not good for security; security gets in the way of convenience. The battle lines are clearly drawn. All security comes at a cost to convenience; it is a trade-off we are willing to make when we see a value exchange. We once left the keys to our cars in the ignition, because that was the most convenient place to find them when you needed them. After a few people and businesses got their cars stolen, because it turned out that hanging in the ignition was also a convenient place for thieves to find the keys, we started taking the keys with us and locking our cars. We are not yet that far along in the value exchange with cyber security. We still find it too inconvenient to remember complex (read: secure) passwords for each application we use, so we use simple ones that are easy to remember and, therefore, easy for thieves to guess. But, worse than with our cars of old, we now have the ability to use the same key for multiple applications, so once thieves have one password, they may have them all. As a society, we are probably still a long way from getting everyone to recognize their role as cyber warriors. It is going to take several more high-profile data breaches to get the message to sink in. Will your organization be one of those that serve as a bad example, or are you ready to take action to protect yourself?
The Solution
Just like the recipe for basic cyber security, the recipe for implementing it is simple. All three barriers will be brought down, eventually, through awareness. Start a cultural change by building awareness throughout your organization about cyber security threats. This will not be hard to do, but it will take specific effort. It needs to be one of the precious few subjects covered in your employee outreach programs. Every time there is a cyber breach in your industry, or in any industry that your employees can relate to, your organization needs to push out a message to employees calling their attention to it, and asking if the same thing could happen here. Executives need to mention cyber threats in every one of their workforce engagements, and challenge employees as to what they can do to reduce their vulnerability. As awareness and validation of the cyber threats rises, introduce the concept of good cyber hygiene, which will help naturally dispel the myth that cyber security is an IT problem with an available technical solution. The more employees become aware of the threats and the steps they can take personally to reduce their and the organization’s vulnerabilities, the more they will be empowered to do something. When they are at that point, introduce the link between cyber security and corporate social responsibility: taking care of employees, customers, and business partners.
This is not a one-time effort, though. Employees leave and new ones arrive, cyber threats evolve and the hygiene to combat them must also evolve. Like safety and financial reporting, cyber security needs to be regularly reinforced through organization-wide engagements that are story-based and engaging, not from slides on a screen, and those stories need to draw from recent headline-grabbing breaches to explore how that breach could happen here, and what can be done to prevent it. Organizations that rely on annual online training as a requirement for gaining network access are teaching their employees that cyber security is an annoyance to be avoided. Cyber thieves thank you. Do not be that organization. Instead, take a positive, proactive approach, now and for the foreseeable future. Your shareholders will thank you.
Originally published in Issues in Maritime Cyber Security, Westphalia Press, 2017