Originally posted here on March 5
By far the largest culture that exists in our society today is that of the internet. In fact, it’s likely that every single person who reads this will be reading it off their phone or computer – you are part of this internet culture. By mid-2019 over 4.4 billion people were online, that’s 58% of the world’s population. The staggering increase in people coming online means more risk and exposure to cybercrime. We need to prioritise helping people and organisations to understand the risks they face and the constantly changing threat landscape.
To get straight to the point, here are 5 rules to live by (thanks to Nick Espinosa for sharing this).
1. If there is a vulnerability, it will be exploited
The hardest part about this rule is that most of the time vulnerabilities will be unbeknownst to us until they’ve been discovered in an unfortunate way. From the first bank that was created to the first release of a software program, without a doubt there was someone thinking of a way to bend the frameworks of these new systems. Naturally we have people across every society who will try to hack anything within their capability, be it for good or bad motives. You can trust that someone will be curious or motivated enough to test the vulnerability of what you put out there.
As an organisation with little appetite for risk and its potential impact on your brand and assets, you need to prioritise risk assessment throughout your system. Penetration tests are an effective way to test your system and expose vulnerabilities. You should work with experienced professionals, such as cybersecurity service providers, to conduct annual penetration tests at the very least. These tests will give you a clear view of your risk exposure as it relates to your overall technology environment, and they are the first step to addressing vulnerabilities.
2. Everything is vulnerable in some way
Once you have a security policy in place, you can’t assume the immediate safety of your system. The amount of good it will do depends on how closely you follow and review it. Even the largest companies, who spend millions on their security systems, will find themselves getting breached. Security paradigms are continuously shifting, so policies will be updated, processes will be improved, and controls will be strengthened.
Organisations who are mature in their practice of cybersecurity tend to conduct frequent reviews and health checks of their systems, controls, and architecture. This ensures they are optimised to handle current-day threats. They also spend time critically analysing the methods malicious actors could use to breach their organisation – this is commonly referred to as Red Teaming.
3. Humans can trust when they shouldn’t
Trust is a big part of our lives; everything we do involves a certain degree of trust for it to work. Needless to say, this sometimes gets in the way of our security, especially the trust we put into our technology, making it the greatest vulnerability in cybersecurity. You have to question everything you use and the people you interact with online. Even if it feels strange to question our trust in some situations, we need to stay vigilant in a time when hacking is relentless and indefatigable.
For example, organisations working with multiple vendors should put in place a policy to always ask vendors if they are applying the best in class technologies and methodologies in the market. Additionally, organisations utilising a big stack of technology software tools should be checking if they are up to date and have the latest patches in place.
4. With innovation comes opportunity for exploitation
The evolution of our tools and practices has given us technology that has made the world a whole lot smaller and more connected. These interconnections increase the surface area for exploitation. The IoT (internet of things) is probably the greatest example of this, with over 20 billion devices expected to be connected this year. In large part these devices still don’t have secure mechanisms in place, and due to economic incentives we probably won’t see much development until a considerable amount of damage has been done. There are countless examples of IoT exploitations already; here are some interesting ones.
Ultimately, when we strive to make new, innovative products for the sake of improving our lives, we need to have security embedded in the DNA of the project. Organisations reap the rewards of innovation when their leadership recognizes cybersecurity as a key business pillar and gives it the attention it deserves throughout the growth of the organisation.
5. When in doubt, see number 1
Cybersecurity stems from vulnerabilities, so this rule cannot be ignored. Ignoring or forgetting this can come at a large and regrettable cost. As Nick Espinosa eloquently summarised, “our ability to properly defend ourselves comes from understanding that human nature itself makes these laws immutable.”
Assessing vulnerabilities should become second nature to you and your organisation. Every opportunity, improvement, or even just a slight change to your system should prompt serious consideration of what security threats you could be exposing yourself to.