Why is Technology GRC so difficult?
“There are only two types of companies: those that know they’ve been compromised, and those that don’t know.”
I am sure you have heard some variation of this quote, variously attributed to John Chambers (former CEO of Cisco) or to Dmitri Alperovitch (formerly of McAfee).
So, why is it so difficult for an organization to secure its technology assets – its servers, devices, and ultimately, its data?
Security is complicated! It is very complicated!
It is complicated for many reasons, such as:
- A constantly and rapidly evolving landscape of emerging threats;
- New techniques of compromising security;
- Emerging rules and regulations in different jurisdictions; and
- An ever-changing technology infrastructure in the organization in question.
All this makes securing its digital assets very difficult.
It is like trying to secure a moving train that is constantly changing shape, size and course, and one that is susceptible to attacks by unknown actors using invisible weapons whose nature is not known. To make it worse, you will know you have been attacked only after the attack has taken place and whatever is of value has been stolen.
So how does one secure a shape-shifting asset against invisible weapons wielded by unknown actors?
Understand the nature of the threat
The answer is probably in trying to understand the nature of the threat, breaking it down into its elements and then formulating a comprehensive response strategy that addresses all the aspects of this threat.
In trying to understand this, we talked to senior executives, operational managers and supervisors who were responsible for ensuring the safety and security of technology assets of their respective organizations.
We learnt from our own experience too. For over 15 years we deployed and hosted solutions in the Healthcare and Financial Services sectors. These solutions contain sensitive PII and PHI data. As a result, we have been subject to GRC audits conducted by our customers and by auditors examining us for compliance with standards like SOC, ISO, and HIPAA.
This is what we learnt…
We found that there are multiple factors that have a direct impact on how organizations can and should secure their digital assets. These can be divided broadly into four categories – Environmental, Strategic, Operational and Human. If an organization can get its arms around these 4 categories of factors, it would go a long way in securing its digital assets.
The 4 factors
The 4 types of factors are Environmental, Strategic, Operational, and Human. I will talk about all these factors in the coming days but let me briefly describe what these are.
- Environmental factors are things like the constantly evolving technologies that organizations use; the way these technologies are used, and the techniques employed, to carry out attacks; and, most importantly, the regulations that define technology governance and risk management in different jurisdictions.
- While the Environmental factors have to do with the markets that the organization serves, Strategic factors are a function of what kind of organization it is, how it is governed, the jurisdictions it is subject to, the outlook and commitment of the management team, and leadership support for activities of this kind, which have no direct ROI but a huge potential downside.
- The Operational factors encompass aspects like how the organization is run, how its strategies are implemented, how its processes are defined, and how integrated its operations are. Essentially: how tightly is the ship run?
- Finally, last but not least, it is the Human factor that is the last line of defense against such attacks. Historically, many of these attacks have not been high-tech attacks at all; they have been very ‘low-tech’ attacks. Verizon’s Data Breach Investigations Report points to an overwhelming number of such breaches being the result of some form of social engineering. Various reports attribute anywhere between 70% and 90% of data breaches to human factors. Hackers impersonate people, take over email accounts and do similar things using social engineering techniques to extract crucial passwords, gain access to critical systems and compromise them.
Last but not least
It is an obvious conclusion that the people working in organizations must know very clearly what they must do and what they must not do. They should not get ‘fooled’ into inadvertently giving crucial information away.
What exactly are all these factors, and how do you design something that addresses all of them? All this in posts to follow…