If you ask any CSO or risk officer at today's global companies about the threats that keep them awake at night, almost without fail each of them will rank cyber attacks near the top of the list. Even other C-suite leaders and board members would classify the threats posed by cybercriminals as one of the biggest risks to their businesses, given the almost weekly headlines about the latest ransomware infection and other schemes designed to scam businesses and consumers out of their hard-earned money.
But despite all the lip service corporate leaders pay to cybersecurity today, very few companies have taken the threats seriously. To demonstrate how far corporations should go today to protect their networks and employees against various attacks, Dave Tyson, the current Senior Vice President of Apollo Information Systems and former CISO of SC Johnson, spoke during an educational session at GSX 2019 in Chicago on Tuesday about the steps one of his company's billion-dollar clients had to take to reduce its risk exposure.
"People play Russian roulette with their business decisions all day," says Tyson, who also served as president of ASIS International. "Cybercrime is more profitable than drug trafficking."
In fact, statistics show that a company falls victim to a ransomware attack approximately once every 40 seconds, and these attacks, according to Tyson, have begun to shift toward more vulnerable end users, such as small and medium-sized businesses, hospitals, and local and state government agencies that largely lack the resources to defend themselves.
"It's the ideal place if you want to be a bad guy and it costs almost nothing to make money," he says. "If you think of all those tools that people are putting in their buildings, be it a robot or something else that is connected to the network, these things are being attacked. The old days of being able to get out of a $50,000 malware attack have disappeared. It has become significantly more expensive."
A real-world example
Although he was unable to disclose specific details about the company, Tyson used the example of a large global corporation that recently sought his company's services to show how inadequate the cybersecurity posture of many of today's organizations is. Among the critical findings Tyson and his company made was that an IT device connecting the company's building to the Internet was misconfigured and exploitable in several ways, which in turn exposed the building automation system (BAS) and the internal data network. In addition, the BAS was found to be vulnerable to compromise to the point that it would have allowed a hacker to gain complete control of all building systems, either to make them unavailable at will or to demand a ransom payment.
Tyson says that one of the biggest factors contributing to the vulnerabilities found in this company and others goes back to the concept of mutual trust. In physical access control, for example, the fact that someone has access to one door does not mean they should have access to every door. The same should be true in the IT world, according to Tyson, in the sense that the fact that someone has access to this system or that database does not mean they should have access to all of them, but unfortunately, that is often not the case.
"Imagine that someone enters your building and walks through the halls all day and nobody knows that they are not supposed to be there," says Tyson. "People say, 'Well, IT knows what is happening.' Not necessarily. If you don't have quality tools and you don't know what to look for, you will often not even know they are there. If the system we are talking about is your camera system, access control system or duress alarm system, those things are important and you want to know that they will be working when you need them."
According to Tyson, one of the problems in commercial buildings today is that there are too many alarms and people don't know where to focus their security efforts. "We begin to not have enough people and too much information for them to consume, and it becomes noise in many cases, and we hand it off to IT or a third party to manage it, but the question is: them?" asks Tyson.
And although physical security professionals have recently been consumed with how to stop and/or mitigate active shooter incidents given the number of recent mass shootings, Tyson says that cybersecurity has not yet figured out exactly how to approach an "active hacker."
"If someone comes up and punches a hole in the front door of your house and can reach through it and open the door, you probably won't leave that hole there. At the very least, you're going to put a patch on it or something. Well, that simplistic view is what does not happen in IT," adds Tyson.
Addressing the problem
According to Tyson, organizations need to assess their "real" risks and not just the things the mainstream media tends to focus on when it comes to cybersecurity.
"You must understand what your real risk position is, not the scary things you see on television or in the movies or in the Wall Street Journal, which is often what your board members will react to, but you must understand what that real risk looks like, and you do that by looking, testing and asking questions," Tyson explains.
In addition, Tyson says companies have to develop clarity about their risk tolerance for cyber attacks. And, most importantly, if a risk is discovered, do not leave it to someone else to fix.
"Don't assume someone else will take care of it," says Tyson. "This is a perfect example in which you had three or four different groups of parties and everyone thought someone else was doing it. We could have deployed ransomware and taken the entire network of a $4 billion corporation off the face of the earth. There is nothing that could have been done. By the way, they didn't have really good backups. They had good backups, but it would probably have been a month before they were working again."
About the Author:
Joel Griffin is the editor of SecurityInfoWatch.com and a veteran security journalist. You can contact him at firstname.lastname@example.org.