There is no sin except stupidity…
– Oscar Wilde

Way back in 2015, New York Times columnist David Brooks was interviewed in The Washington Post about his new book, “The Road to Character.” The book explores (and seeks to inspire in readers) what Brooks terms “eulogy virtues,” such as humility, kindness, and bravery, attributes that might be mentioned during a eulogy. The book also mentions sin a number of times, a topic with which I am quite conversant. Brooks is quoted in the Post interview as espousing “identifying your core sin, keeping a journal of how it manifests itself in your life, what behavior it leads to…” I find the suggestion useful, both on a personal and professional basis. It just happens to tie in nicely with a new article by security expert Brian Contos in CSO Online titled “5 Sins Cybersecurity Executives Should Avoid.” Herewith, the five sins.

Trying to be perfect. Don’t bother trying to position yourself to cast the first stone. As Contos points out, “trying to make our networks 100 percent impenetrable is an inconceivable path forward as myriad anecdotes have shown that even the most robust and layered security networks get penetrated sooner or later.” Instead, “shifting focus from trying to deter all attacks toward a more risk management focused approach allows organizations to understand their cyberthreat profiles… Identifying, analyzing, and prioritizing threats will better position organizations to allocate material, fiscal, and personnel resources accordingly, the results of which should bolster resiliency and recovery capabilities when breaches occur.”

Betting on cyberinsurance equaling security. Gambling may not be a classic sin but there’s a definite downside. Contos notes “cyberinsurance will help organizations absorb some of the costs that may occur after a breach.” However, “in a time when surreptitious theft of sensitive and personal information is increasing, organizations will need to balance that risk mitigation investment with other investments such as those supporting continuity of operations.” In truth, a key contribution of insurance can come in the demands an insurer may make for better planning and preparation.

Thinking that cybersecurity is a one-and-done solution. Absolution is hard to come by in today’s cybersecurity world. Per Contos, “As technology continues to advance, cybersecurity tools and products develop with it enhancing organizations’ abilities to quickly identify threats, reduce their response time to them, and ensure that business operations do not suffer long periods of inoperability as a result. But buying the most sophisticated monitoring device or data loss protection solution is not a panacea to breaches, theft of sensitive information, or other forms of cybermalfeasance.” He also drops this little gem — “Considering that in 2014, there were approximately 143 million malware samples, roughly 12 million new variants a month, in addition to at least 24 previously unknown vulnerabilities for which detection would not have been possible, it’s easy to see why organizations cannot rely on the productivity of technology as their sole defense mechanism.”

Forgetting about getting employee buy in. Oh those pesky unwashed masses. Contos notes, “The weakest link in most cybersecurity apparatuses is not an unpatched or misconfigured device, but the human factor. This should come as little surprise given the fact that phishing and spearphishing attacks remain a favored tactic used by hacktivists, criminals, and cyberespionage actors alike. Most e-mail message-based attacks do not involve advanced malware, although certainly they can. What they seek to exploit most of all is the recipient – whether it’s his trust, his lackadaisical approach to security, his interest in specific topics, or any other human factor that can be manipulated.”  He goes on to point out that effective cyber defense has to involve developing a culture of cybersecurity, and that training and education has to be ongoing.

Not having enough focus on an incident response plan. Finally, we get to the sin that plagues us all, the sin of omission. If you accept that breaches will occur (and you should), then you must focus time and attention on the incident response plan. Contos sums this up by stating “As the year of some of the most prolific breaches comes to a close, how organizations that were victimized handled the breaches is a direct reflection of the plans they had in place. Breach response is more than just a reaction to an infiltration; it needs to be a legitimate course of action that an organization had developed and tested in times of crisis. Perhaps more importantly, organizations need to have confidence in the plans they have developed.” He goes on to note that “In a 2015 study conducted by the Ponemon Institute, 81 percent of respondents said their company had a breach response plan, but only 34 percent believed they were effective…a good breach response plan will include risk assessments, business impact assessments, disaster recovery and continuity of operations models, contact list of appropriate law enforcement entities, forensics companies, and a post breach communications strategy to provide transparent and updated information as necessary… Sticking your head in the sand is not a viable option in 2016 and organizations need to be prepared.”

There you have it. As 2016 opens before us, go forth and sin no more.

By Tom Davis, SDI Cyber Risk Practice
January 5, 2016