Cybersecurity 9/11 already happened. When will we act?
If you’re still waiting for a cybersecurity 9/11 or a ransomware Pearl Harbor to punch us in the gut, wake up. The equivalent has already happened. More than one, in fact.
Maybe SolarWinds and Colonial Pipeline [1] didn’t have the same devastating visuals of those other American tragedies. But make no mistake; those cyberattacks exposed deep vulnerabilities in how we run our world and live our lives, and how deeply bad actors have penetrated our society’s inner workings, with devious effect.
It’s a massive sign of weakness. We’ve allowed foes to infiltrate our infrastructure and stay there, undetected. And our response? We issue fines [2]. It took a pandemic for people to understand they need to stay home when they’re sick. What is enough for people to wake up to this threat?
Three Things We Must Do
Long gas lines and spent fuel tanks weren’t enough, apparently. Crippling our ability to care for medical patients [3] wasn’t enough, either. What’s next? A power grid attack like the one in India? [4] Do we allow someone to shut off power to the East Coast during a heat wave? People will die if you shut off the power. We can’t afford to wait.
Like 9/11 and Pearl Harbor, if we give the problem our full attention and the right level of risk management, we have the ability to mitigate the worst impacts — or stop attacks altogether. But right now, we’re so far away from doing the right thing that people can’t even wrap their minds around what they have to do next. So, where do we start?
First, this requires a World War II-level of mobilization: either you’re in the fight, or you support the fight. We can’t have the dynamic like in some recent military conflicts where a minority does all the work and the majority offers rah-rah, and little else.
Second, our critical assets like government agencies, the power grid, hospitals, banks, the defense industrial base, and other infrastructure and industries need to take stock of their situation by asking themselves these questions:
- What’s on your network? What assets are supposed to be connected?
- Who’s on your network? Is everyone working remotely supposed to be there?
- What data are you trying to protect?
For most organizations, these things are complete unknowns. Yet, these are the most basic elements of cyber hygiene — the rules and routines that help us protect the data and intellectual property that powers our modern world.
Third, we need to shift people’s mindset to solve problems with a risk-based approach. Too many decision-makers stick to the way they’ve always done it. Too many institutions choose the probability of a fine over the cost of change, even though it’s much more costly to recover from an incident than prevent one.
(How costly is it? Breached companies with no security automation suffer an average of $3.58 million more in losses than if they had fully deployed security automation [5]. Almost $3.6 million!)
Doable, But We Need To Take Action
Achieving constant cybersecurity effectiveness, and not just compliance or maturity, is eminently doable, even if it’s not the conventional way of doing it. My team is here to help guide you on that journey, which incorporates taking a risk-based approach to cybersecurity, thinking about it holistically, and gaining a much better understanding of what’s happening in your environment in real time. You must pick up new habits and ditch old ones.
However it’s done, we need to start now, because the attacks won’t stop. At worst, taking a risk-based approach mitigates the impact of cyberattacks. At best, these measures will completely prevent one. We missed our opportunities to avoid a cybersecurity 9/11 and a ransomware Pearl Harbor. Let’s not wait until something worse happens to take action.
[1] https://www.cnn.com/2021/05/13/opinions/colonial-pipeline-ransomware-attack-was-stoppable-vishwanath/index.html
[2] https://www.csoonline.com/article/3615489/us-sanctions-russian-government-security-firms-for-solarwinds-breach-election-interference.html
[3] https://www.nbcsandiego.com/news/local/what-we-know-about-scripps-health-cyberattack/2598969/
[4] https://www.businessinsider.in/tech/news/chinese-cybercriminals-are-targeting-the-indian-power-sector-according-to-a-report/articleshow/81274093.cms
[5] https://www.ibm.com/security/data-breach
©2023 Conquest Cyber