When it Comes to Cyber Deterrence, One Size Fits…One

This week’s post is written by George Platsis, the newest member of SDI’s cyber team. George focuses on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.  

Protecting yourself in cyberspace requires multiple solutions working together

Be cautious of the cybersecurity vendor that promises you a technical solution that will solve all of your cybersecurity problems. Life, unfortunately, is not that simple and a one-size-fits-all approach is bound to get you in trouble given today’s cyber complexities. Similarly, simply adopting a solution may not be enough. How you implement that solution could be the difference between operating a safer network or, inadvertently, making your network more vulnerable. One such solution is encryption.

In two articles posted on Tripwire, I make the case with Paul Ferrillo of Weil, Gotshal & Manges LLP that encryption and tokenization are good solutions (and, in our experience, under-utilized ones) but that poor implementation of them can be the perfect recipe for your worst nightmares.

Why do such useful technologies come with this big caveat? The reason is that a “big picture” approach to cybersecurity has not really taken hold yet. As I have mentioned in a previous post, I view cybersecurity in the following manner: network security + information security = data security. The most basic questions, particularly at the board level, may not be getting asked, such as “what are our crown jewels?” or “where do we house our data?”

These are governance issues at their core, not technological ones, meaning that whatever technological steps you take to protect your data, you still may be overlooking the big picture (which will result in a loss of resources and open you up to liability). And because they are governance issues, there is a heavy dose of “human element” challenges associated with them.

If you accept the notion that you cannot achieve 100% security, your strategy should be to make life as difficult as possible for your adversary. Let them seek out low-hanging fruit as opposed to your own crown jewels. The only way to do this is by identifying what matters to you (the governance/human side of this problem), then employing technological solutions (like encryption and tokenization) in the right places, implementing them correctly, and still accepting that there are a series of human vulnerability challenges that need to be worked on.

All the encryption in the world does little for you if one of your employees falls victim to a spear-phishing attack, and these attacks are getting better and better. Gmail users have been the latest targets, with very real-looking Google Docs emails coming from trusted sources.

Ultimately, you want your adversary to go elsewhere. I recognize this may come off as a deflection and some would question it as a strategy, but nefarious actors are humans too and they do have a preference for the path of least resistance as well. If your data is a bunch of meaningless garble to them (encryption and tokenization are good steps to make this happen), that is a big win for you and a big frustration for them. These types of actors will probably spend little time trying to attack you if you have taken these sensible steps.

It is the actors who are determined and want your crown jewels that should be keeping you up at night. These actors will undoubtedly focus more on social engineering attacks and good ole fashioned tradecraft to try to get what they want, reinforcing the point that the cybersecurity challenge cannot be looked at through a solely technological lens. Curiosity, fear, and urgency are what these actors use to prey on their targets, so in addition to technological steps, make sure your employees and leadership are trained to spot things that look off.

All these solutions, working in tandem, are what will keep you safest in cyberspace.

May 23, 2017

See George’s previous post: How Do We Succeed in the Cyber Security Battle? Episode III – Making the Business Case: Where Does Your Money Go?