I remember talking to security specialists about 20 years ago about what it would take to create a wholly secured computer. They talked about a computer, totally unplugged and plunged into liquid concrete. Let it dry, and then it’s considered secure. Don’t forget to mention that it is also unusable.
So back to the question, do you believe that keeping an older security architecture protects you from modern threats? Good luck, you’re in for a ride.
The old myths
The old myth persists: if you have an imposing firewall solution, then your environment is secured. The “perimeter is secured” model died when ransomware and zero-day attacks became prevalent. That model is now a more significant threat than a protection, as it provides a false sense of security.
To add insult to injury, do you think that if all your data is on-site, within that said perimeter, it is secured? Here’s a bit of bad news: it’s one click away from being stolen.
Furthermore, the older your internal systems are, the more security flaws have been published against them. If they are not kept up to date, they are more and more at risk as time passes by.
And, if you know how your internal IT works, you also know that those old concepts don’t stop there. We are looking at an exhaustive laundry list of older paradigms and techniques that are no longer relevant, from proxy to VPN to legacy antivirus. The list keeps on growing.
You can’t kill my network with one click!
Do you remember when I said earlier that your data was one click away from being stolen? Here’s how it would work:
1. A regular employee receives an email that looks legit but is actually a phishing attack
- This situation can be prevented, but it requires a combination of newer technologies: ML-infused policies that feed your email filters (preventing the mail from getting through), security providers that also let your filters know what is happening with other customers, and an EDR client on your workstation that would stop execution in its tracks if all else failed. And should it get through, proper sensing and filtering from your cybersecurity network tools would prevent it from calling home, reducing it to a local threat. In this very case, it takes a village to stop ransomware.
2. He clicks on the link or downloads a PDF that is full of scripting code
- The only way to prevent the click is through education. Cybersecurity initiation for your entire staff also becomes necessary training, as much as ethics and terms of use.
3. The code executes some low-level commands, and goes into stealth mode for a few days
- Then, with each reboot, it deploys more and more malware on the machine and calls home to a network of cybercriminals, who take their time to inspect your environment, stealing credentials from Chrome or IE and from remembered sessions left and right, until they find some that are important. They are also studying what makes your company tick. They want to find out what the most important data in your network is.
4. Then, they take a copy of this high-value data to the dark web, to be held hostage if you choose not to pay the ransom
5. Once they have validated the value, they launch their payload and start encrypting your entire network, and no, it’s not one machine at a time.
6. Then they send you their ask, the ransom letter, and suddenly your entire organization is shut down.
- That is when you realize that without access to all those critical systems and data, you do not have a company anymore, and no, you cannot go back to pen and paper.
7. You may be lucky and have access to experts who can get you back up and running, but it will probably cost you more than transforming would have
8. But if they choose to publish this most critical data and it becomes available on the dark web to the highest bidder, will your reputation ever recover?
- How do you think your customers would feel if their private information were in the hands of criminals?
This is what we call the worst-case scenario. But the point we are making is that it started with just a click, inside that perimeter which you believed to be solid.
We just helped a company recover from such a problem: they had all the right technology, but had minimized the investments in configuration and architecture. Result: one full month of downtime and close to half a million in losses.
Now here is another question: what would happen if this were a major utility, say an electricity provider, a nuclear plant, or the organization responsible for printing the checks that people depend on for a living?
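Step 3 above is where the network tools mentioned in step 1 get their chance: a foothold that “calls home” on a fixed timer leaves a very regular pattern in proxy or DNS logs, and that regularity is something a defender can measure. The script below is an added example, not code from the article or from any vendor named in it. It assumes a constructed proxy log format of “timestamp, source IP, destination host, bytes” (real proxies differ), constructs a dozen sample lines, and scores each (source, destination) pair by how regular its connection intervals are, using the coefficient of variation of the gaps between connections. A host that talks to the same external name every five minutes, give or take a second, scores near zero; a person reading the news does not.

```python
"""Flag suspiciously regular outbound connections ("beaconing") in proxy logs.

Added example for this article; the log format and all sample data are
constructed for illustration and do not come from a real environment.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines. Assumed format: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
# 10.0.0.21 contacts updates.vendor.example every ~5 minutes (timer-like);
# 10.0.0.22 browses irregularly, as a person would.
SAMPLE_LOG = """\
2024-05-01T08:00:00 10.0.0.21 files.corp.example 4120
2024-05-01T08:00:05 10.0.0.21 updates.vendor.example 300
2024-05-01T08:05:04 10.0.0.21 updates.vendor.example 298
2024-05-01T08:10:06 10.0.0.21 updates.vendor.example 301
2024-05-01T08:15:05 10.0.0.21 updates.vendor.example 299
2024-05-01T08:20:05 10.0.0.21 updates.vendor.example 302
2024-05-01T08:25:04 10.0.0.21 updates.vendor.example 300
2024-05-01T08:01:13 10.0.0.22 news.example 15321
2024-05-01T08:03:47 10.0.0.22 mail.corp.example 8822
2024-05-01T08:17:02 10.0.0.22 news.example 20331
2024-05-01T08:19:55 10.0.0.22 files.corp.example 4000
2024-05-01T08:33:11 10.0.0.22 news.example 17011
2024-05-01T08:34:40 10.0.0.22 news.example 9902
2024-05-01T08:58:09 10.0.0.22 news.example 12044
"""

# Constructed: internal domains whose traffic is expected to be regular
# (backup jobs, mail sync) and should not be scored.
INTERNAL_SUFFIXES = (".corp.example",)


def parse_log(text):
    """Turn raw lines into (timestamp, src, dst, bytes) tuples, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # truncated or malformed line: skip it rather than abort the job
        ts, src, dst, size = parts
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def find_beacons(records, min_hits=5, max_cv=0.1, internal_suffixes=INTERNAL_SUFFIXES):
    """Return (src, dst) pairs whose connection timing is suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between successive connections. Timer-driven check-ins score near 0;
    human-driven traffic scores much higher. A hit is a triage lead for the
    analyst, not proof of compromise: legitimate updaters also run on timers.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _size in records:
        if dst.endswith(internal_suffixes):
            continue
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few connections to say anything about their rhythm
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(times),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 4),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {f['src']} -> {f['dst']} "
              f"({f['hits']} hits, every ~{f['mean_interval_s']}s, cv={f['cv']})")
```

On the constructed data this reports one pair, 10.0.0.21 talking to updates.vendor.example six times about every 300 seconds, and says nothing about 10.0.0.22. In practice the thresholds are tuned to the environment and known software updaters are added to the allowlist; the value of the check is that it does not depend on recognizing the malware, only on the behaviour the article describes.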
But there is good news
We can also look at the bright side, with companies investing, innovating and looking for solutions, such as:
- Microsoft, which decided to invest massively in cybersecurity (MS announced a 20 Bn USD investment in cybersecurity last week), and which now has an end-to-end security center that includes everything from cybersecurity analysts to lawyers, to ensure that they can hit cybercriminal organizations technically but also legally.
- Palo Alto, which is also investing massively to shift the cybersecurity paradigm toward analyzing, in real time, everything that is happening on the devices that are part of your enterprise, allowing those threats to be caught before they are released and start damaging your ecosystem. With technologies like always-on VPN and preventive scans to protect users and against data loss, they are bridging the gap, and I find that encouraging.
Just two examples, but the more important idea is that it’s not only about technology.
Modernization is about killing multiple birds with one stone.
When you start considering a blueprint to modernize your IT, you have to consider multiple facets:
- Your data and systems will have been classified, allowing for the creation of security enclaves and making it harder and harder for cybercriminals to get to the most important information.
- An integrated new security model and new surveillance, which include built-in AI and machine learning
- Integrated new networks and security consoles, allowing for a unified view and a harmonized interface to react when such a situation arises.
- Transforming all your older servers so they can take advantage of newer platforms and the latest developments, perhaps even transforming some of them into software-as-a-service, lowering the workload on your teams’ shoulders
- Your teams will have been trained in more focused areas, providing them with deeper expertise
And I know… money doesn’t grow on trees, but what if it stopped coming, altogether?
From my CEO point of view, you can’t afford not to. You can’t wish cybersecurity into existence; you have to work at it.
If you fall victim to a cyberattack, all the money you should have invested now to modernize will have to come into existence, or you will no longer have a company. And if you get your company back, you still won’t be modernized, you will still be at risk.
Modern IT is your foundation: you can’t start building your security practice until you know what needs protecting and what is critical.
And no, the answer to that question is not “everything”. You can’t afford diamond-studded security that works 24/7 on 100% of your digital assets. Furthermore, it would not make sense. Why would you want to restore an intern’s playlist with the same priority as your email or payroll systems?
Transforming is like a house reno: you must plan it
I was first introduced to architecture by my grandfather when I was 6. They were renovating the family home, and for the first time, I saw that creativity and science could produce something tangible in the real world.
Ever since, I wanted to be an architect; that dream was transformed when my son came into this world, when I was 15.
All this to say that I turned to information technology, and within 3 years there I was, making drawings, using my creativity to imagine solutions, fixing business problems with technology.
From that standpoint, I am a true believer that projects, especially of that magnitude, must be architected, must be thought through, and must involve the key players.
Another thing I found out: no two companies work the same. No matter what the glossy brochure says, an engineering, R&D aerospace company can turn out to be a mighty procurement and logistics company when you take the time to look at it from within.
Never underestimate the power of an external point of view.
Conclusion
In concluding this week’s article, I recommend that you take the time to have a hard look at all those systems your company depends on to exist. Take a look at where your data sits, and realize whether any of it is secured.
I would also invite you, C-level executives and IT decision-makers, to consider: how much money would 30 days without technology cost your company? Would you recover? Would it survive?
The current studies show that 75% of companies attacked by ransomware would not survive. That is the ultimate reason why this model of attack is thriving. When faced with a choice between extinction and payment, most companies choose payment, even though they are encouraging a cyber-terrorist model.
Ask yourself: wouldn’t this money be better invested in your own systems and their security?
Have a great week!