Fifteen Shades of Cybersecurity Grey

By Bill Mew

Cybersecurity is all too often seen in black and white terms. There are black hats (malicious hackers) and white hats (ethical ones). And there are some vendors that are seen as either safe and on the whitelist, or seen as unsafe and on the blacklist (most Chinese vendors were blacklisted by the last US administration). In reality, it is far better to view cybersecurity in terms of risk, which comes in shades of grey.

Don’t view cybersecurity in black and white terms. Think of it as risk, which comes in shades of grey.

It is also unhelpful to think of those that have not been hacked as safe and those that have been hacked as unsafe. Instead, everyone is vulnerable – some more than others. It is just that some have already been hacked while others have yet to be hacked or simply aren’t yet aware that it has already happened. In the recent Solarwinds incident thousands of large organizations, including the NSA, were compromised for 6-9 months before it was discovered.

Everyone is vulnerable – some more than others. There are those that have already been hacked and those have yet to be hacked or simply aren’t yet aware it’s happened.

Modern societies have never been so reliant on technology or so interconnected. Consequently, we have never been so vulnerable to cyber threats. With the Solarwinds attack, cybercriminals created backdoors to let them spy on targets at will. About 18,000 clients were compromised including the US military, the Pentagon, the White House and even the NSA, making it the largest hack in history.

With up to four malware strains used by the Solarwinds hackers to compromise their victims, these organisations are in full disaster recovery mode – having to rebuild their systems from the ground up using backups that it is hoped were not also compromised.

There are a number of lessons that we need to learn from this.

– Fifteen Shades of Cybersecurity Grey:

1. 1. Don’t expect to be 100% secure – nothing ever is

If even hit NSA, the most highly funded security agency in the world, can be compromised then any organizations can. While everything needs to be done to prevent and detect cyber attacks, you also need to be prepared to respond to a cyber incident as well.

2. Don’t expect your budget to be enough, be smart with what you have

It wouldn’t be financially viable to spend as much on cybersecurity as the NSA does, and while there is no upper limit to what could be spent, your focus needs to be on matching your budget to your risk appetite and making the most of what resources you have.

3. Don’t expect users to follow the rules if it isn’t easy to do

Training staff and applying sensible cyber hygiene policies like multifactor authentication are essential, but if you make it too difficult for staff to follow the rules, they simply won’t. 

4. Don’t expect to be GDPR compliant if you don’t know exactly where your data is

With data volume growth expected to accelerate with IoT and 5G and with data stored on remote devices by staff working from home, effective enterprise-wide data management has never been so hard. Focusing on business continuity and improved data governance is essential to eliminate security blind spots and ensure compliance.

5. Don’t expect to be able to manage complexity without adequate security controls

Increases in data volumes, changes in business needs (such as in response to the pandemic) and ongoing operational complexity are making it ever more difficult to apply Zero Trust controls effectively and universally. An actionable dashboard with a single pane of glass to manage security controls can make this less of a challenge.

6. Don’t assume that they’re just trying to steal your data

While much of the focus is on ransomware (now the biggest threat) or data theft, in future you will also need to be able to detect attempts to manipulate your data, or with increasing use of AI, attempts to game or influence your systems.

7. Don’t expect to survive a ransomware attack if you don’t have effective backups

If you pay a ransom, there is no guarantee that you will get access to your data, and because your whole environment is likely to be infected, even your DR site, you’ll need somewhere else to recover it all to. It is essential to have effective backups systems and a cloud disaster recovery plan. Remember, if you pay criminal groups you’re more likely to be targeted in the future, and the only way to avoid paying a ransom is to be sure your disaster recovery systems are up to the job.

8. Don’t expect the backups to be uncorrupted – they’ll be targeted too

If hackers compromise your security and gain access to your systems, they will also seek to compromise your backups as well – as this will make a ransom payment more likely. One way  to avoid this is to use a virtual air gap to prevent them accessing your backups.

9. Don’t expect your cyber insurance policy to cover you 

There simply is not enough money to keep the current system of cybersecurity insurance afloat in the event of a major attack. Insurers have included so many exclusions that policies are almost worthless, They have frequently refused to pay out at all, and even when they do pay out it is normally just for the technical fix, not for the damage to your business and its reputation.

10. Don’t expect your IT team to always admit that there’s a problem until it’s too late

The peak time for calling for expert support is on a Friday afternoon. This is because some in house teams will often do all they can to fix a problem before finally admitting to their superiors that they are out of their depth. By this time the impact and exposure will have magnified significantly.

11. Don’t expect to be able to find the right support in a last minute rush

You will need the very best technical expertise to fix and recover from a major cyber incident, specialist legal expertise to define a legally defensible narrative, expert reputational support to protect your brand and trusted voices with real credibility to counter misinformation and social hysteria. Finding the right experts in all these areas takes time, and cannot be done in a hurry. It is best to develop relationships with them in advance so that they understand your business well.

12. Don’t expect standard crisis management plans to work with a cyber incident

The standard crisis management approach involves responding to an incident by showing empathy on the assumption that as a victim you will gain sympathy. It normally works well, but not with cyber incidents. When you are hacked, you may be the victim of a crime, but you will be held to blame by the press and public for not preventing it from happening. A totally different approach is required.

13. Don’t expect untested backups, disaster recovery and incident response to work

“Regularly testing, assessing and evaluating the effectiveness of technical and organizational cybersecurity measures” is actually mandated under GDPR. You need to test your backups as well as your crisis response plan as realistically as possible – with immersive simulation exercises. There’s a reason that the UK driving test involves a practical as well as a theory test. You need to practice on real roads to gain road sense – the same is true with disaster planning.

14. Don’t expect any rehearsal to be of any use without senior management

And if participation in such simulation exercises is delegated to junior managers, then when the real thing happens and the senior management take to the stage – they won’t know their lines. Crisis rehearsals need to involve the senior staff that will be expected to act when a real incident occurs. 

15. Don’t expect to survive litigation without a legally defensible narrative

As we have seen with a recent wave of class action suits, data privacy litigation is rapidly surpassing the cost of any ransom, technical fix and regulatory fine combined. The biggest impact, aside from reputational damage, could be the one you face in court, so devising a legally defensible narrative has to be an absolute priority. The survival of your business may well depend on it and the narrative will need to address all the points above.

As you consider your risk appetite – and your own shade of grey for each of these issues – think about how you might defend your decisions and actions in court, because one day you may need to do so. And legal action isn’t only being taken against organizations, decision makers and board members are being held individually liable too.

For those at the NSA and other major victims in the Solarwinds incident, these tips will come as cold comfort, as they face the enormous cost and challenge of rebuilding their systems from the ground up. However, if you want the best chance of avoiding their fate then take note, and remember not to think of cybersecurity in black and white terms. No network is ever fully secure. We are all at risk and risk comes in shades of grey.