
Security is a team game

By Mark Lanterman

Last month I discussed the impact of President Biden’s recent executive order on national cybersecurity. The order comes at a particularly critical time for the United States, in light of recent data breaches affecting several critical sectors. Apart from the federal government, it is evident that standardization, awareness, and investment in new technologies are key components of keeping up with the security demands of an ever-changing landscape. 

In 2020, remote work environments and the cyber threats that proliferated throughout the pandemic greatly changed business operations for many organizations. Even as many businesses resume “normal” in-person work, many adjustments made during the past year may have lasting effects. Work-from-home policies and the challenges brought about by COVID-19 required many organizations to review and improve their cybersecurity postures. Even so, according to a recent study, “Nearly 80 percent of senior IT and IT security leaders believe their organizations lack sufficient protection against cyberattacks despite increased IT security investments made in 2020 to deal with distributed IT and work-from-home challenges.”1 This discrepancy underscores the fact that increased financial investment does not necessarily correct already-existing problems in an organization’s security culture. Nor does it automatically increase internal confidence in an organization’s security posture.

Despite the rise in cybercrime and an increasingly complex web of cyber risks, many organizations are delegating a job that rightfully belongs to dedicated security teams to technical support staff who are already busy with other work and less experienced with respect to security threats. Even though cybersecurity professionals are greatly in demand, positions are often filled for the sake of the title, and not for the successful planning, execution, and maintenance of strong cybersecurity plans. This practice often occurs in organizations that equate compliance with security—essentially it involves filling a position without providing the necessary support and resources for security initiatives. Or organizations may arbitrarily assign cybersecurity titles to existing employees within the IT department for the purpose of satisfying compliance requirements.

Dedicated security teams have several critical responsibilities, including: overseeing the implementation of best practices; managing projects affecting cybersecurity objectives; facilitating communication; minimizing silos in the organization; maintaining documentation; and establishing change control processes, among others. This is a mission distinct from many aspects of day-to-day operations. In the hustle and bustle of working to manage the “convenience” side of the technologies on which we rely, IT departments may not always have the resources required to manage the many demands of a healthy security posture.

A recently discovered breach illustrates the importance of oversight in maintaining strong cybersecurity. A database belonging to a large web hosting provider, DreamHost, “was left open online earlier this year, leaking names, usernames and email addresses… The data appeared to date back at least three years to 2018, though it’s unclear how long the database was openly accessible.”2 Equipped with this kind of information, a cybercriminal can execute spear-phishing attacks or other social engineering campaigns easily enough. Using some of the stolen information, a cybercriminal can tailor a phishing email to gain access to more data.

Though DreamHost was quick to secure the database once it was alerted, it would seem that improving oversight and communication regarding cybersecurity practices would help to mitigate the possibility of future events. In addition to attacks on government entities, attacks on key sectors and critical infrastructure may also yield catastrophic results. For all organizations, cyber risks may have an immense negative impact on business operations and may cause long-term damage that includes reputational and financial harm.

Cybersecurity is often relegated to the IT department, though cyber threats and risks are cross-organizational concerns. Dedicated teams are often instrumental in managing incident response, but they are equally essential in providing critical leadership through proactive measures and securing top-down management support for cybersecurity initiatives. Depending on the size of the organization or firm, outsourcing this work may be a beneficial alternative. From helping to ensure proper database configurations to keeping key stakeholders informed of new IT projects, cybersecurity teams can help take an organization from a laissez-faire culture to a strong and actively supported security culture that better minimizes cyber risk. 

Notes

1 https://www.forbes.com/sites/chuckbrooks/2021/03/02/alarming-cybersecurity-stats-------what-you-need-to-know-for-2021/?sh=1ea696ba58d3 

2 https://www.forbes.com/sites/thomasbrewster/2021/06/24/one-of-the-biggest-hosting-companies-in-the-world-leaks-815-million-records-of-website-data/?sh=75dad660110d


MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.