Helping Clients with Security Issues They Don’t Even Know They Have
In my role as a trusted cybersecurity advisor and leader of Marcum Technology’s Cybersecurity & Digital Forensics practice, one of the most common questions I get from Marcum partners is, “how can I help my clients work through cybersecurity issues they don’t even know they have?”
Well, it’s true: many clients are not aware of, or do not fully understand or appreciate, the risks they carry in their internal and outsourced IT systems. Despite years of security awareness training conducted by earnest security practitioners across hundreds of industries and the constant media barrage of bad news data breach bingo, most companies are still unsure, unclear, and/or unwilling to make big changes or investments in cybersecurity protections.
Your Cybersecurity Risk Posture
That said, in my own experience as a practitioner in this space for the past 21 years, I have been encouraged by the tremendous increase in the number of companies that have made significant improvements to their overall cybersecurity risk posture. Unfortunately, those companies are still very much the exception, not the rule, particularly among small and mid-market organizations. And even among the companies that have made improvements, often those improvements do not go far enough to address major weaknesses that often lead to catastrophes.
So where’s the problem, you ask? Why don’t more organizations make the investments necessary to better protect themselves? Why are organizations still experiencing major breaches after all of this time? Must be the fault of leadership. Not asking the right questions. Not forward-thinking enough, right?
Well, not so fast. I believe that the leadership teams of the vast majority of these organizations are very aware of potential threats. They hear about breaches and the big fines, terrible publicity, and damage these disasters caused, including jobs lost, stock price drops, vanishing clients and, in many cases, companies shuttered completely.
I have had the opportunity to speak with many business leaders after a major breach, and I have never heard one say they were surprised it happened. They don’t say, “we did everything we could,” but rather, “it was only a matter of time” and “we were playing the odds against it happening to us, and lost.”
In my career I have assisted, managed, and advised on a number of breaches, small and large, including a breach at one of the largest defense contractors in the United States, which occurred over a period of more than 10 years. During that time, this company experienced stolen classified data and intellectual property; email, internal phone systems and all network assets fully owned by perpetrators; and internal technical controls that failed to detect or prevent any of these attacks. Perpetrators gained full access to the personal financial and email accounts of the most senior leaders in the organization. They even managed to get their own people placed and working as employees at this company’s physical plants. For more than a decade, the attacks were completely undetected.
As you might imagine, the road to recovery for this organization was long and expensive, and its clients were not very tolerant about the pace of progress in remediation.
What does a company that has been fully and completely breached for more than 10 years do when this happens? First, stop the breach. This is no simple task, particularly when it’s a long-term, comprehensive breach. Second, make sure that all avenues of communication are fully secure (and that the bad guys don’t get wind of your plans). And third, perhaps most importantly, rebuild so it won’t happen again (at least not in the way it happened before).
The rebuilding process is much like building out an entirely new security program. Only this time, the company knows it has to do a much better job of it.
So how do you do that? Start with choosing the level of security you want, rather than inheriting bad choices, old technical debt, and laissez-faire policies around security investments. Some concrete steps include the following:
- Establish your risk appetite and tolerance.
- Assess your security and privacy protections.
- Inventory your data, continuously.
- Model the threats to your environment.
- Understand what attackers really want from your company.
- Fund the efforts appropriate to the risk level you can tolerate.
- Bring in the right expertise, on-staff and outside.
- Control access carefully.
- Monitor key systems.
- Learn how to react to threats in a planned and predictable fashion.
- Train your people, not once, but regularly.
- Regulate the security behaviors of your key vendors.
And perhaps most important, particularly from a strategic perspective, make sure your organization has learned how to fail safely. In other words, if one or more of your defenses fails, make sure that the bad guys don’t suddenly get access to everything.
It’s a lot to absorb for clients that have not traditionally put a lot of organizational willpower behind security protections. Many clients think it’s too expensive, too hard, and that it will take too long to enact meaningful changes. And that’s just not true.
Risk Exposure Roadmap
Marcum Technology has a new service called CyberINSPECT. At its core, CyberINSPECT provides an interview-based, high-level cybersecurity risk assessment to help clients understand the nature of the risks they are carrying in their internal and outsourced IT systems.
The security services come in three levels. At higher levels of service, searches of the Dark Web are performed to find usernames, passwords, and email addresses that appear to belong to that client. Scans are also performed against the client’s external websites to determine how susceptible to attack they might be. Access to our library of security policies and security training awareness materials is also provided.
This service is particularly effective for companies that have not traditionally invested in cybersecurity and are wondering what their exposure might be. We have seen companies with $1B in annual revenue with one IT person on staff. They outsource all of their key functions — such as HR, accounting and IT — to various providers and mistakenly believe they are not carrying any cybersecurity risks. These are prime candidates for breaches, and as a result, prime candidates for CyberINSPECT. With this service, companies will receive a report containing the major cybersecurity risks we identify, ranked by severity, that can be used to build a remediation roadmap that can help them make meaningful and lasting improvements to their overall risk posture.
So, my answer to the question at the top is, yes, you can work through security issues you don’t even know you have, by assessing the risks you carry and then formulating a plan to address them.