Your cybersecurity plan may be doing more harm than good

Companies are spending more to prevent cyberattacks, but not getting results. Why, and what can you do better?

According to a recent World Economic Forum report, cyberattacks are the third-highest risk to businesses based on likelihood — behind extreme weather and natural disasters. Yet, Gartner, a global research and advisory firm, predicts business spending on information security and cybersecurity tools and services to rise another 8.7 percent to a total of $124 billion in 2019.

How is it that we’re not seeing a decrease in cyberattack likelihood when businesses and organizations are spending more than ever to combat them? Christopher Gerg, vice president of risk management at Madison-based Gillware, a data recovery and risk management firm, says it’s all in our approach. “When you are really concerned about your organization’s cybersecurity, it’s easy to get in the habit of following the trendiest, latest products in hopes of alleviating that worry. But, what happens is businesses implement the latest and greatest tools without covering some very basic fundamentals. It’s like installing a premium sound system in your car but forgetting to put air in the tires.”

So, what are the best ways for businesses to spend time and money protecting themselves?

Except for rare cases where someone has it out for a company and wants to see them specifically damaged, or if a business is a bank or payment processor and has money to be stolen, the greatest information security threat to a business is malware, notes Gerg. Specifically, ransomware. “The reason is simple. The attacker is after money.”

Ransomware is a specialized evolution of viruses, worms, and trojans. The malicious software enters the environment through vulnerable computers attached to untrusted networks — think of coffee shop Wi-Fi networks or the public internet — or because someone clicks a link or opens an attachment in an email that an attacker has crafted to look legitimate. The software then encrypts the important data on the system and attempts to infect other computers on the same network. A message then appears saying that the machine’s data is locked away and demanding that a ransom be paid in a cryptocurrency such as bitcoin, which is pseudonymous and far harder to trace than a bank transfer. The requested ransom amounts have increased significantly in the past years, says Gerg, as the cybercriminals’ ability to interrupt the business of entire companies before being noticed has improved.
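The behaviour described above (one process rewriting many files, across several folders, in a short burst) is exactly what endpoint monitoring looks for. The following is an added example, not code from the article or from Gillware, showing a minimal heuristic detector over a constructed file-event log. The log format (seconds, pid, process name, action, path), the process names, the paths, the list of "known" document extensions and the alert thresholds are all assumptions made for illustration.

```python
"""Heuristic detector for ransomware-like file activity (added example, not the article's code)."""
from collections import defaultdict, deque

# Assumed: extensions a business normally stores; anything appended after one of these
# (report.docx.locked) is treated as a possible encrypted copy.
KNOWN_EXTS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg", "png", "csv"}
WINDOW_SECONDS = 60   # sliding window per process
MIN_FILES = 5         # distinct suspicious files inside the window before alerting
MIN_DIRS = 2          # ... spread over at least this many directories

# Constructed sample log (not from any real incident): "seconds pid process action path".
# Paths are assumed to contain no spaces. backup.exe shows a benign look-alike that stays
# under threshold; svchost.exe is the simulated ransomware.
SAMPLE_LOG = r"""
0 4120 winword.exe WRITE C:\Users\ann\Docs\budget.docx
3 4120 winword.exe WRITE C:\Users\ann\Docs\budget.docx
4 2210 backup.exe WRITE D:\Backups\budget.docx.bak
5 2210 backup.exe WRITE D:\Backups\plan.xlsx.bak
6 2210 backup.exe WRITE D:\Backups\deck.pptx.bak
20 5100 svchost.exe RENAME_TO C:\Users\ann\Docs\budget.docx.locked
21 5100 svchost.exe RENAME_TO C:\Users\ann\Docs\plan.xlsx.locked
22 5100 svchost.exe RENAME_TO C:\Users\ann\Docs\deck.pptx.locked
23 5100 svchost.exe RENAME_TO \\fileserver\finance\q3.xlsx.locked
24 5100 svchost.exe RENAME_TO \\fileserver\finance\payroll.csv.locked
25 5100 svchost.exe WRITE C:\Users\ann\Docs\HOW_TO_DECRYPT.txt
26 5100 svchost.exe RENAME_TO \\fileserver\finance\invoices.pdf.locked
"""


def parse_line(line):
    """Split one log line into (seconds, pid, process, action, path)."""
    t, pid, proc, action, path = line.split(maxsplit=4)
    return int(t), int(pid), proc, action, path


def _dir_of(path):
    return path.replace("\\", "/").rsplit("/", 1)[0]


def looks_encrypted_name(path):
    """True when a known document extension has an unknown one appended (budget.docx.locked)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 3:
        return False
    return parts[-1] not in KNOWN_EXTS and parts[-2] in KNOWN_EXTS


def detect(log_text, window=WINDOW_SECONDS, min_files=MIN_FILES, min_dirs=MIN_DIRS):
    """Return one alert per process that renames/writes many suspicious files across
    several directories within the sliding window."""
    recent = defaultdict(deque)   # (pid, process) -> deque of (t, path) inside the window
    alerted = set()
    alerts = []
    for line in log_text.strip().splitlines():
        t, pid, proc, action, path = parse_line(line)
        if action not in ("WRITE", "RENAME_TO") or not looks_encrypted_name(path):
            continue
        key = (pid, proc)
        q = recent[key]
        q.append((t, path))
        while q and t - q[0][0] > window:      # drop events older than the window
            q.popleft()
        files = {p for _, p in q}
        dirs = {_dir_of(p) for p in files}
        if len(files) >= min_files and len(dirs) >= min_dirs and key not in alerted:
            alerted.add(key)
            alerts.append({"pid": pid, "process": proc, "first": q[0][0], "last": t,
                           "files": len(files), "dirs": len(dirs)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT {a['process']} (pid {a['pid']}): {a['files']} files in "
              f"{a['dirs']} dirs between t={a['first']}s and t={a['last']}s")
```

The thresholds are the whole design: a backup tool legitimately produces the same double-extension pattern, so a single rule on file names would be noisy; requiring volume, speed and breadth together is what separates it from a process walking the user's folders and a file share. In a real deployment the events would come from an EDR agent or the OS audit log rather than a text file.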

We live in confusing times

Unfortunately, the solutions put in place to mitigate these cyber risks are often just muddying the waters.

“First, and with the best of intent, governments and organizations have created laws, certifications, and requirements to protect payments, personal data, privacy, and communication,” explains Gerg. These regulations are typically a hodgepodge of letters and numbers that mean little to the average observer — things like PCI-DSS, PCI-3DS, PA-DSS, P2PE, AICPA Trust Services Criteria, FedRAMP, GLBA, Sarbanes-Oxley, FISMA, FERPA, GDPR, PIPEDA, CCPA, HIPAA, SSAE-16, SAS-70, SOC2 Type x, and more.

“Very often these laws and requirements do not account for the real-world technical challenges, edge conditions, interpretation, and applicability,” Gerg says. “Add on top of that a myriad of best practice frameworks, each written differently, written to fit a specific law or requirement, written to address the needs of a particular industry, or written to try to address every possible organization or situation.”

Further adding to the confusion are the multitude of businesses selling solutions claiming to remedy a company’s vulnerabilities, when most only address the tip of the iceberg, if anything at all. “Gap analysis, risk scores, audit readiness, monitoring tools, management tools, antivirus, antimalware, anti-spam, encryption, authentication and authorization tools, the cloud — each of them expounding on how they are built on proven technologies, or that they are better because they are new and disruptive,” says Gerg. “What results is what we call the ‘whack-a-mole’ scenario: multiple point solutions that each cost money, take time to manage, and provide questionable benefit when taking the complexity — and IT department’s limited availability — into account. 

“And did I mention that there’s a shortage of qualified information security experts, despite many [people] claiming that they are experts?”

Fixing cybersecurity mistakes

Despite these sometimes misplaced efforts, Gerg says there are still fundamentals all organizations should pursue to improve the maturity of their information security program first. “It does not make sense to implement a solution that is specialized or bleeding edge if you aren’t taking care of the basics,” he notes. “Houses have a foundation, so does an information security program.”

Gerg says that because of Gillware’s incident response work, he has seen countless real-world examples of what went wrong, and how each incident started, progressed, and was discovered. Some of these compromised organizations had existing information security programs, and others had very low maturity in their information security practices, but in nearly every case the story was similar.

“Consistently, compromises occur because of an unpatched system or service, or someone doing something they shouldn’t, or a combination of the two,” says Gerg. “The old saying about the weakest link in a chain has never been more applicable. It only takes a single system or service to not be up to date, or a single person clicking on a link in an unsolicited email. Things get worse in almost every case when networks are not segregated, and traffic progresses to systems that are not necessary. It also gets worse when attackers use internal user accounts to log into more services and accounts.

“It takes longer to notice that something happened when monitoring and alerting configurations are not effective,” Gerg continues. “Recovery is more difficult when backups are not effective. These consistencies we see day in and day out set pretty clear objectives: prevent compromises from happening, keep them from spreading, and notice it if they happen as quickly as possible.”

The absolute basics, according to Gerg:

  • Patching and updating ALL systems and services as soon as possible (this involves having a complete inventory of all workstations, servers, and other devices on your network).
  • Two-factor authentication (for AT LEAST administrative-level users, if not everyone in the organization).
  • Strong, modern anti-malware software that will notice signs of attempted attack, installed on ALL systems (something more than just antivirus: good anti-spam filtering and an endpoint solution like Carbon Black, FireEye, or CrowdStrike).

Only once the absolute basics are addressed should companies consider spending money on more elaborate solutions. Know what you have, keep it updated, know that your users are actually your users, and stop known methods of attack, advises Gerg.

“The worry with building a list like the one above is that it may lead us down the path that creates the ‘whack-a-mole’ problem in the first place,” cautions Gerg. “We need to look at the big picture to accomplish our tasks of reducing complexity and cost. Is there a single solution or strategy that might accomplish not only the fundamental things in the list, but also make the IT department’s job easier and the business flourish while reducing the chances of a business interruption?”

Gerg offers the following advice, regardless of business size and complexity:

  • Look for tools and services that accomplish more than one thing. Replace several of your point solutions with a mechanism that addresses multiple needs and makes IT’s job easier, or makes the business more successful.
  • Select tools and services that are automated (or manual work is outsourced to a qualified provider). This will address your needs while not adding to workload.
  • Do not let information security and risk management be a speed bump or bottleneck. Your information security team should have a strong, collaborative relationship with your IT team and should also be at the table with senior leadership of the organization.
  • If you don’t have a qualified information security expert on staff, find a trusted third-party advisor to help you evaluate your organization and develop an appropriate strategy.
