What’s the riskiest thing you saw a company do over the past year as it relates to security?
October is here, which means Halloween isn’t far away. But it also marks the 15th anniversary of National Cybersecurity Awareness Month, a collaborative effort between government and industry to raise awareness about the importance of digital diligence. For the past few years, the theme has revolved around “Our Shared Responsibility,” highlighting how everyone—from large enterprises and governments to individual consumers—has a role in tackling the cybersecurity issues of today. The theme of the 2019 campaign is “Own IT. Secure IT. Protect IT,” a slogan that applies to Halloween candy as much as it does to security practitioners who need to stay focused on accountability and proactive behavior—or else!
Zooming in on the world of cybersecurity forces us to focus on individuals, which can produce some pretty shocking results. Far from the fun of bobbing for apples, the irresponsible behavior of experts who should know better can be pretty upsetting. All of this means October is the perfect month to think about our own security awareness and the potential for serious nightmares down the line. Here at ZeroNorth, we asked our most prominent security experts, along with experts outside our company, “What’s the riskiest thing you saw a company do over the past year as it relates to security?” Not only were the answers based on data-driven information, but they offered a lot more scares than a good old-fashioned horror movie…
The big, bad world of technology…
Every spooky flick has a hero, a villain and the need for serious protection from danger. Things are not so different in the business world, where all organizations must drive sustainable growth with smart solutions—but like the victim who continually falls while running through the woods, many businesses don’t understand how to achieve the level of security they need. ZeroNorth Chief Technology Officer, John Steven, confirms, “When companies expand to meet customer demand, they grow quickly and take on a lot of customer data. When this happens, the riskiest behavior I’ve seen is that they fail to keep up with the evolution of their security programs. By the time a series B round of funding and real growth comes on, security debt is too much to catch up with.” Planning ahead is key for survival in both fictional and realistic situations.
Companies typically utilize solutions that will help them scale resources, but this plan can also create security and compliance challenges. When you bring in third-party systems, their vulnerabilities become part of your risk profile—kind of like when you have to protect other people (as well as yourself) from the bad guy. And as your ecosystem (and responsibility) grows, it becomes harder to understand your security posture at any given moment. Rear Admiral, United States Navy (Retired) Mike Brown, a ZeroNorth security advisor and president of Spinnaker Security LLC, agrees. “The scariest thing I’ve seen isn’t tied to one company but seems to be repeated often. When companies ‘outsource’ security to an outside organization, they tend to assume there is no risk to their business and forget to maintain security oversight,” he says. “Specifically, if a company doesn’t maintain an aggressive and proactive engagement strategy with their security provider, they are at as much risk as the outside provider who doesn’t have the visibility into the priorities and processes of the business itself.”
It’s coming from inside the house…
In this classic urban legend, an unsuspecting babysitter receives creepy phone calls from a stalker and rings the police. But when the cops trace the call, they tell her the calls are coming from inside the house. This basic storyline—that what you fear most could be much closer than you think—has been played out in endless films and memes, but what about in cybersecurity? Turns out the riskiest things we face in the digital realm also hit close to home.
A look at the numbers from the 2019 Verizon Data Breach Investigations Report shows that 34% of data breaches involved internal actors, while 29% were connected to the use of stolen credentials—and 32% related to phishing attacks, which prey directly on human vulnerability.
ZeroNorth founder and chairman, Ernesto DiGiambattista, confirms that the riskiest behaviors he’s seen are “when things happen, like the discovery of a data breach, and the company chooses to do nothing and sweep it under the rug.”
Tony Velleca, CEO of CyberProof, a UST Global company, agrees: “The organizations most at risk are those where security leaders simply do not want to know about the potential or actual threats in their organizations, since knowing creates a potential liability. CISOs hope that being compliant with industry standards is enough to keep them safe, but our experience shows that preparation for a breach and having incident response processes in place is more important.”
The banality of evil…
While explanations of the phrase “the banality of evil” remain controversial, the expression is still used in everyday conversation to describe the many thoughtless and mundane atrocities people commit without reflection. The scariest security stories we heard were those about companies and people making decisions without pausing to think about their consequences—or equally as disturbing, the people and lives they may negatively affect.
Barry Walker, a ZeroNorth security engineer, explains, “The majority of the security risks I see companies taking are due to the fact that doing it correctly takes too much time—or would be too difficult to re-work. I see companies make the wrong decisions about storing sensitive data due to time pressure, and I’ve seen other cloud data made public simply because it was too hard to configure with the proper permissions.” His colleague, David Ford, another ZeroNorth security engineer, also notes that he’s seen “admin-level database passcodes that are easily decipherable often left on insecure computers and devices.”
Sometimes the digital fear comes from sheer ennui. Andrei Bezdedeanu, ZeroNorth’s vice president of Engineering, cites “the lack of basic security hygiene or strategy” as something that keeps him up at night, while ZeroNorth product security lead Mario DiNatale says, “The riskiest thing I saw this year was a state government entity decide they weren’t going to do cyber anymore after an audit. Their internal security team has been dismantled and reassigned to network operations.”
Whatever you do, don’t fall asleep…
Take the classic horror flick, A Nightmare on Elm Street—children resort to keeping themselves awake through all available means to avoid meeting the murderous villain in their dreams. Cybersecurity efforts can feel a bit like that sometimes, as experts lose sleep trying to outmaneuver the invisible bad guy. And like the unfortunate kids who fall asleep in the movie and pay the price, the industry only becomes aware of the magnitude of its mistakes when a certain approach to battling digital demons doesn’t work.
Securing data, applications and systems is challenging under the best conditions, but as the pace of business increases, organizations have to fundamentally change the way they think about and manage software and infrastructure security. The goal here is to beat Freddy Krueger at his own game, while not falling victim to your own fatigue. It’s no longer about the individual components of your security framework; we must focus on how those pieces are orchestrated to build up our defenses against the monsters in the cybersecurity world.