How can companies regain control when the opposition is getting smarter and their defenses are compromised by force majeure? We are compelled to go back to basics. Identify what is important to the business and then focus security controls to optimize energy and effort from that position of clarity. This means Security by Design and a risk-based strategy. We must be exhaustive in the identification of different assets and embed security in the DNA of a new project. An internal audit to classify all assets is a good place to start.
In The Art of War, the Chinese general Sun Tzu wrote: “Know thy self, know thy enemy. A thousand battles, a thousand victories”. This advice still stands 2,500 years later. What type of servers, network components, hardware or software do you have within the information system? What are your weak points? How would you attack yourself, if you were the enemy?
If an organization doesn’t have full visibility of their entire security environment, or if they are unable to focus remediation on their most exposed vulnerabilities, then they may fall victim to attack. Security assessments and mitigation policies are both critical steps, whether you are a bank, retailer or manufacturer that’s engineering embedded systems for connected cars.
The ex-FBI director Robert Mueller once noted that there are only two kinds of company: those that have been hacked and those that will be. If attacks are inevitable, then we must focus on time of detection and time of response. Our capacity to limit the window of opportunity for hackers is a competitive advantage. If it’s three days, that’s manageable. If it’s three years, then it could prove terminal.
Think of cybersecurity as a game of chess. However well you play, you have to expect to lose a few pieces along the way. It’s how you respond that matters – as close as possible to the moment of attack. The right reaction plan, backed by automation, will kick in to mitigate the damage. By staying two moves ahead of the aggressor, you can quickly shore up your defenses.
There’s no good time to be hacked, but right now, when business continuity, brand trust and fiscal stability are potentially make or break, companies must prioritize cybersecurity. Under-investment is simply asking for trouble.