Robert Wortmann, Head of Strategic Security Consulting, Proact Germany
Life, besides all the wonderful things that it brings with it, always has its dark side. That means we’ll all have to deal with setbacks and bereavements. In order to help people cope better with the various stages of mourning, the psychiatrist Elisabeth Kübler-Ross (1926 – 2004) developed a five-phase model.
But why am I using this topic for an IT-related blog? Well, over the last few years I’ve been fortunate enough to advise and assist many companies in achieving a secure IT strategy. In doing so, I’ve noticed that a lot of the terminology we use maps closely onto the five-phase model.
Denial – “No hacker is interested in our data”
Several years ago, this sentence could still be heard in cyber security discussions. In particular, non-IT decision-makers often held the opinion that their enterprise wasn’t interesting enough for hackers to approach or to be the focus of a malicious attack. Their reasoning was that if you don’t have direct customer contact, there’s nothing of interest to cyber criminals.
I don’t want to spend too much time talking about the denial phase because in most instances this is no longer the case. As a result of the huge number of attacks that have happened over recent years, at companies of every size and industry, most have at the very least basic protection in place. Nevertheless, I’d like to emphasise once again that every company has an attack surface.
According to the Verizon Data Breach Report, in 2017, 76% of recorded attacks were financially motivated. In very few cases, as tragic and funny as it might sound, have attackers singled out your business because they want to see you suffer harm. It’s all about earning as much money as possible with as little effort as possible. That’s why ransomware continues to be by far the most widely used attack vector against small and medium-sized businesses.
And let’s be honest, if you have basic protection such as a good and well-maintained malware scanner, a decent backup and restore process as well as decent employee cyber security awareness, you will probably be able to protect against 90% of attacks.
Anger – “How could this happen?”
After accepting that basic protection is essential, some businesses feel far safer than they should. So if something happens even though they’ve taken these protective measures, the pain and anger are often all the worse.
Over the last few years I’ve been rattled out of bed at night and asked why, even though an organisation has a firewall, a malware scanner and e-mail protection, all of its computers are still being encrypted by ransomware. First and foremost, it’s important to keep reminding yourself that there’s no such thing as 100% protection.
Every scanner in the world can be tricked, and every solid concept will be put to the test by a real-world situation. That’s why it’s so important for us to be prepared for the worst-case scenario. This preparation needs to include a timely, tested, correct and documented backup / restore process.
Good staff and a relationship with a trusted IT security and infrastructure partner can also play a key part. And, of course, it’s always extremely important to find out why a particular event has happened. But this research shouldn’t be started until the problem is resolved. From my personal experience, most mistakes in these stressful situations are caused by hasty actions. Stay as calm as possible and follow your existing documentation (which hopefully exists).
Bargaining – “We really have a lot to do”
If there’s one thing in IT security that really annoys me, it’s the widespread blind activism after a security incident. This isn’t just a problem for end-users, but an industry issue described in this great blog.
I’ve seen a lot of situations where customers, after an attack, buy cyber security products without any clear idea of what they’re actually purchasing. As we learned in the previous phase, an incident must be investigated and analysed first before we can take well-founded counter-measures. And as great as many security products sound, we need to configure, operate and maintain them correctly (but I’ll talk more about that in the next phase).
Interestingly, I know a few companies that, in retrospect, were somewhat happy about being the subject of a minor attack with minor damage. After the attack happened, they were able to take a reasonable look at their security. They were able to make sure that the right measures were taken. Even better, none of these decisions were made hastily.
Depression – “Cyber security is getting more expensive and more complicated. Does it ever end?”
In one of my previous blogs, I’ve already indirectly talked about the phase of depression by discussing SIEM projects. Because of security incidents or regulatory requirements, many companies have decided to adopt this type of technology. However, many of these projects have failed because companies had completely false expectations, suffered from staff shortages, or couldn’t handle the sheer complexity of operating it.
Of course, it’s also a big problem that many companies within the industry are producing solutions that offer false promises. That’s why it’s so important that time is taken to choose the right solution and that you have a trusted partner by your side. You should also let go of the rigid belief that you can create cyber security on your own. At the end of the day, IT security is a complex, 24/7 mission.
Acceptance – “We can’t and don’t want to protect ourselves against everything”
I think we all know that we can’t protect ourselves against everything. That said, we should also be aware that we often don’t want to protect ourselves against everything. By that I mean the acceptance that IT security is always a trade-off between security and comfort.
Of course we could search our users every morning for banned devices or use eight different tokens for logins. In theory, we shouldn’t even let someone take a notebook home anymore and should cut off the network cables at the switch. All that would probably be safer in theory – but we don’t want that.
Every business has to think about how much IT security they actually want to have. If you prefer comfort, you should be aware of the risks. Those who prefer more security should be aware of the ramifications and need to be talking to other departments.
There’s no blueprint for cyber security and I think that’s a great thing.
In summary, I think we all agree that cyber security is a complex topic that depends very much on the situation. For the most part, IT security is about finding that fine line. But this is only possible if each individual employee (especially decision-makers) is aware of the importance of IT security. However, this awareness should never end in rash acts, because these often end up making us more vulnerable.