The cybersecurity world faces a unique conundrum
On one hand, cybersecurity is becoming ever more present in our daily lives. Rarely does a week go by when we don’t hear that a major business or government agency has been breached. Today, it’s no longer a matter of if, but when, a breach will occur. Cybersecurity even had its first dedicated segment during the first presidential debate.
On the other hand, many businesses are still not taking the fundamental steps to secure themselves from these breaches. (And no, spending more money is not Step #1.)
I had the chance to speak about this topic – including why these problems persist, and what we can do about them – with some fellow industry leaders at the U.S. Chamber of Commerce’s 5th Annual Cybersecurity Summit. As I mentioned on the panel, we cannot spend our way out of this issue. Businesses can have a much larger impact by improving their basic cyber hygiene. We discussed what exactly this means in a recent blog: in short, cyber hygiene is knowing who and what is on your network at all times.
Cybersecurity as a one-time action
We’ve found that many organizations view cybersecurity as a one-time action. Their mindset is: they get breached, a response team swoops in, and then the issue is done. But then, months later, the external response team finds itself back at the same organization, because the organization didn’t make the improvements the responders suggested. Businesses need to, at all times, understand who and what is on their network, across every endpoint, and take the basic steps to continuously improve their security, like making sure their software is patched and up to date.
Both the cloud and the Internet of Things (IoT), which came up on the panel, present businesses an opportunity to improve their security—or worsen it, if they adopt these technologies in the wrong way. Businesses are moving toward the cloud primarily for economic reasons, but in doing so, they have a great opportunity to rethink their business processes and how they’re storing data—with security in mind.
Similarly, Internet-connected devices, though they can significantly improve convenience, also give hackers exponentially more endpoints to break into a network. These devices need to be designed and manufactured with security built in, so that they can be patched on the fly, and so that they are detectable by security systems. In moving toward both the cloud and Internet-connected devices, businesses need to know which questions to ask their vendors, and be confident they are not sacrificing their security. During the panel discussion it was noted that NIST and DHS are engaging with the private sector to establish best practices for IoT. Heed the guidance when it is published, and where possible, lend your voice through public comment periods and working groups.
But technology alone will not fix all our problems. One of the biggest barriers to widespread improvements in cybersecurity is a lack of education. Cybersecurity professionals need to help CEOs and board members better understand the risk that breaches present, and the pragmatic steps they can take to reduce those risks. At the same time, we need to improve our cybersecurity workforce, both in quantity and quality. Together, these – basic security hygiene, correctly using new technology, and educating both our workforce and CEOs – are three keys to improving our cybersecurity.
About the Author: Chris Hallenbeck is a Director with Tanium’s Endpoint Detection and Response (EDR) Team. He joined Tanium after almost seven years of government service at the U.S. Computer Emergency Readiness Team (US-CERT). At US-CERT, he was responsible for designing and building their incident response capabilities while restructuring their current focus on strategic mitigation guidance. Over countless IR engagements with both government and private sector critical infrastructure victims, he has seen a common theme: a lack of emphasis on IT operations and IT security fundamentals. Prior to joining US-CERT, Chris worked for RSA Security and EMC as a security engineer and with AOL/Time Warner on their global incident response team. He started his career as a Unix sysadmin at Binghamton University. When not chasing electrons, Chris much prefers to be someplace tropical 50-100 feet under the water.