You may not have the resources to employ an army of white-hat hackers to stress test your security infrastructure; most organizations don’t. However, you want to make sure that the resources you do have are used in the most effective way.
It’s smart to invest in security products and spend time developing your capabilities. Cybercrime is more prevalent than ever, and modern attackers have no shortage of methods to choose from. Too often, though, organizations spend heavily on security systems that can detect and prevent the most sophisticated attacks but fail to address basic security best practices. That mistake can prove costly.
How much so?
Consider the story of Roman Seleznev. As one of the most prolific credit card data thieves in history, Seleznev defrauded thousands of financial institutions, to the tune of nearly $170 million. He didn’t do it with the most advanced cyber weapons ever created. He simply chose easy, lucrative targets; he took the path of least resistance.
If you put your hacker mindset hat on, you might see some surprising basic vulnerabilities as well.
The Allure of Low-Hanging Fruit
It’s often said that software engineers and developers are lazy: They build programs to accomplish tasks that they’d rather not do manually. In the same sense, most professional hackers don’t want to work hard to steal data. They’d rather go after the most vulnerable targets.
Rather than focusing on the advanced security capabilities you don’t have, think about how most hackers will actually try to access your network. Sophisticated software and hardware solutions are nice, but if your password security is loose, or your employees don’t utilize VPNs when traveling or don’t follow other straightforward security best practices, those solutions can’t protect you.
Likewise, you may invest in the most expensive security product on the market, but if you don’t go through the process of configuring and maintaining that environment, or you don’t follow the correct protocol for keeping it up-to-date, you make yourself vulnerable.
Modern security professionals love discussing the complexities of advanced persistent threats, but there’s a reason hackers still favor tried-and-true tactics like SQL injection and email phishing. Oftentimes, cybercriminals will notice an apparent crack in an organization’s security and simply see where it takes them. Usually, they’ll discover a dead end, but sometimes they’ll stumble upon something valuable.
CISOs and other security leaders should start with the basics when evaluating their own security posture in order to ensure that would-be hackers have to work hard to steal data.
1. Start with a strategy. Most organizations rely on cloud-based network solutions and view cloud security as a sort of monolithic concept. The reality is that there are nuances in the way infrastructure-as-a-service, software-as-a-service, and platform-as-a-service solutions operate and each requires a distinct way of thinking about security. Someone within your organization should own your security strategy, and that strategy should be based on the cloud model(s) you’re using.
2. Know what your data is worth. Each of the various systems you use captures different kinds of data. It’s up to you to accurately assess the value of all that data and to develop a clear, objective data-governance plan. This plan should account for everything from compliance requirements to shareholder obligations and should identify where information is stored, who has access to it, and how. Data inventory and classification is often a major undertaking, but if you don’t know what you have, you don’t know what you have to lose.
3. Implement and evolve. Security is more than a checklist or a one-time implementation. Cyber threats are constantly evolving, and your security posture should be evolving, too. Know who your users are among your workforce and how their needs may change, and articulate responsibilities in terms that they understand based on the systems and tools they have access to.
When you talk with your team about security, share or create examples that evoke visceral responses from users. Threat modeling should typically revolve around the most common and plausible use cases. Show examples of how hackers have accessed data in the past (there are plenty to choose from), so that employees more aware of their current habits, and how those might be putting the organization at risk. If you have a team of people who constantly think like hackers, you’ll have a network that most hackers will avoid targeting.