18 May 2017

Keep Calm and Get on the Offensive

Anne-Marie Chun

Business lessons learned from recent security events

The world seems to be getting thrashed about by a hurricane of cyber attacks. With claims of Russian hacking in the recent French election, fresh leaks of sensitive NSA exploitation tools, and the world-wide “WannaCry” ransomware outbreak this past weekend, many separate pieces have come together to make up the storm. Unfortunately, the storm may not be over; it may be picking up speed and covering more ground. The same leaked NSA tools are now being used by the “Adylkuzz” cryptocurrency-mining campaign, which researchers believe began before WannaCry and may have reached even more machines, with hundreds of thousands of devices affected around the world. As different groups reuse the same leaked tools to drive separate campaigns with their own goals, and as the “Shadow Brokers” threaten to release still more tools, we are reminded that we are all vulnerable.

But there is no need to panic. In fact, the past weeks offer some powerful lessons that business executives can use to button up their security programs and get on the offensive. Here are our top takeaways:

  1. Security hygiene is like personal hygiene – You have to maintain it every day. This means patching promptly and testing for vulnerabilities continuously, not once a year. As an industry, we need to move beyond a compliance-driven mindset and think about security pragmatically. A point-in-time assessment gives you only a static snapshot of your security; the adversary is dynamic and always adapting. It takes only one unknown vulnerability, or, in the case of WannaCry, one known vulnerability that Microsoft had patched two months earlier, to lose money or suffer downtime.
  2. Adopt an adversarial mindset – It is now common knowledge that it is a matter of “when,” not “if,” a business will be attacked. We should all learn from now-President Macron’s proactive response to the attack on his campaign. By understanding what the adversary was doing, the campaign turned the attackers’ own tactics against them: it let them in, fed them false information alongside the real, and so undermined the credibility of whatever they later leaked. To beat a hacker, you have to think like a hacker, not just tick the compliance boxes.
  3. Executive accountability is critical for change – With attacks on the rise, “plausible deniability” is no longer a viable option, as the recent Yahoo case showed when the consequences of the breach landed on the company’s top executives. In spite of ongoing political debates in the United States, one thing on which most experts agree is that President Trump’s Executive Order on cybersecurity was a step in the right direction, especially in making agency heads accountable for their organizations’ security risk. Every executive should become intimately familiar with their security program, work closely with their security team on a clear plan to defend against attacks, and stay current on how resistant the organization actually is to attackers.
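A concrete illustration of the first takeaway, added here as an example and not part of the original post: WannaCry and Adylkuzz both spread through the SMBv1 flaw Microsoft fixed in the MS17-010 update of March 2017, so the “hygiene” question on every Windows host is simply whether SMBv1 is still on and whether that update (or a later one that supersedes it) is present. The script below asks both questions locally. It assumes an elevated PowerShell session on the host being checked; the KB numbers are those published with MS17-010 for each platform.

```powershell
# Added example (not from the original post): local MS17-010 / SMBv1 hygiene check.
# Run in an elevated PowerShell session on the Windows host you want to check.

# 1. Is the SMBv1 server still enabled?
#    Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
#    On Windows 7 / Server 2008 R2 fall back to the LanmanServer registry value;
#    when the SMB1 value is absent, SMBv1 is enabled by default.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue
    $smb1Enabled = if ($null -eq $reg) { $true } else { [bool]$reg.SMB1 }
}
"SMBv1 server enabled: $smb1Enabled"

# 2. Is an MS17-010 update installed? KB numbers from the March 2017 bulletin:
#    Vista/2008: 4012598; 7/2008 R2: 4012212, 4012215; 8.1/2012 R2: 4012213, 4012216;
#    2012: 4012214, 4012217; Windows 10 RTM/1511/1607: 4012606, 4013198, 4013429.
$ms17010 = @('KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
             'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) {
    "MS17-010 update present: $($found.HotFixID -join ', ')"
} else {
    # Later cumulative updates supersede these KBs, so a missing KB is a prompt
    # to verify through WSUS/SCCM or the srv.sys file version, not proof of exposure.
    "No MS17-010 KB reported by Get-HotFix; confirm patch level through your update system"
}
```

Two practical notes: turning SMBv1 off is the stronger control and is worth doing regardless of patch state, since the protocol has no legitimate use on most modern networks; and because Get-HotFix only lists the specific KBs installed, a host that has received a newer cumulative update will report none of these numbers even though it is fixed, which is exactly why this kind of check belongs in a continuously running inventory rather than a one-off audit.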

New regulation coming online, from the EU General Data Protection Regulation (GDPR) to whatever follows from the Executive Order, will only keep raising both awareness of and responsibility for security risk. The events of recent weeks are an excellent reminder of the threat we face. A concerted effort across the public and private sectors can strengthen our resistance to attackers so that we are #p0wnednomore.