Whose Side Are You On? The Cyberwar Question
17 October 2017 | 4:32 pm
In every war there are two sides, whether we are talking about military action, a football game, or the fight against cybercrime. What all these scenarios have in common is that some people are on defense and others are on the offensive side of the line. You are either the predator or the prey.
Since I am not writing for the Army generals or the New England Patriots, let’s talk about cyber attacks and which side you are on.
You are probably thinking, “I’m on the good side, the side that is defensively protecting my network, the side that is always under attack even though I never did anything to provoke it.” And I’m here to say that might only be partially true.
If you are not fully committed to doing everything possible to stop the cyber attackers, you might actually be unwittingly helping them more than you realize.
If you are not keeping your network secure, you are inviting hackers to use your network as a playground. A place where they can find vulnerabilities and practice exploiting them. A place where they can see what works and what doesn’t, what goes undetected and what gets noticed. If you are not creating secure websites and applications, you are giving the hackers more to learn from so they can then use it against other organizations.
Once they are inside your network, you are also giving them a place from which they can launch their next attack. If the breach goes undetected in your network, as breaches most often do, they can launch an attack on someone else and make it appear to investigators that you are the perpetrator, not them. And if you are connected to another organization’s network, you might have just opened the doors for the attacker to gain access to it, as we saw happen with the Target breach.
The attackers are fully invested in finding new ways to attack and get what they want, and if you are not equally invested in a security program, you are letting them win without putting up much of a fight. Just as you wouldn’t expect the US military to show up without a battle plan or your favorite football team to show up without a game plan, it makes as little sense for a company or organization to show up without a security plan solidly in place.
If you are the CEO of an organization, you are responsible for what happens under your care. That means you are responsible for security and any breach that might occur. I’m not saying you personally have to be the one to figure out how to protect your network and the data that has been entrusted to you. You don’t personally have to monitor the network and know exactly what is happening at all times, but what I am saying is that you are responsible for ensuring you have the right people to do this, that they have the resources they need, the best strategy, and that a culture of security is in place.
Stay tuned for the next three articles in this series that will discuss culture of security, ensuring you have a security strategy, and having the right security resources.
As a 12-year veteran of the information security and compliance space, I invite you to send me an email at email@example.com or reach out via LinkedIn https://www.linkedin.com/in/smithsharonj/ to ask any questions you might have on this topic or other security topics that might (or should!) be keeping you up at night.