Big Lessons for the Board: Cybersecurity Still Lacks the Big Picture

2017 was another banner year for cybersecurity. We’ll leave it to the analysts and pundits to fight over what they think was the one seminal event or trend; from our perspective there’s no competition: 2017 was the year when boards were clobbered over the head with one key message: your businesses still lack a comprehensive picture of cybersecurity risk.

Which isn’t to say Boards have been sitting around playing Parcheesi – heck, businesses have been slowly and continually re-tooling themselves since MafiaBoy to ensure they could point to some proper data security. The industry got a further kick into high-gear with the advent of the Target and Sony attacks in 2013 and 2014, respectively, that solidified the concept that cybersecurity wasn’t just an IT problem but an enterprise-wide risk management problem. Ok, great.

And it’s not like Corporate Boards weren’t giving it the attention it deserved – back in January, Risk.net cited Cybersecurity as the top operational risk for the second year in a row – and no prizes for guessing where it’ll be on 2018’s list.

And does anyone remember back in January when the National Association of Corporate Directors released the Director’s Handbook on Cyber-Risk Oversight? Board briefings on cybersecurity were up, there were predictions that the CIO would soon be reporting to the CISO, it was looking as if business was taking cybersecurity… well, seriously enough.

Then 2017 happened.

While there were enough high-profile security events this year to choke a horse, three events in particular brought the state of cybersecurity, circa 2017, into stark relief, each significant enough to shift the general tone and feeling about how we relate to the industry. They can each be understood by a single word: Russia, Equifax, and Deloitte.

Information Breach Level: Nation-state

The widely-assumed Russian interference in the 2016 US Presidential election set the stage for 2017 as the depth, the pervasiveness, of the attack flowed underneath all following security events for the year, a gently murmuring new assumption that the most powerful nation on the Earth had their national narrative hijacked and subverted for the cost of some Facebook ads and the payroll of a troll farm in Saint Petersburg. Information integrity was complex, multi-dimensional and – if the most powerful government on Earth could be a victim of it – easy to subvert. While not a data breach in a strict business sense, 2017 was ushered in on a wave of deep digital insecurity.

A Data Firm Falls…

Later, while we all reeled from the latest developments of the Shadow Brokers, WannaCry and NotPetya, what really made the industry sit up in its seat was the Equifax hack. A vulnerability that resulted in the loss of some 145.5 million private records was shocking not because of the breadth of the compromised data (well, ok, also because of the breadth… I mean, come on) but where it had come from: secure data was kinda Equifax’s thing. If there was any massive US enterprise that should have had a solid cybersecurity program in place – ‘i’s dotted, ‘t’s crossed and what-not – it should have been a company that makes money from selling the private data – credit history, for pete’s sake – of citizens. Equifax wasn’t a company with data, Equifax was a data company. And they still got pwned, proximally down to poor patching, although distally due to poor management and awareness.

…and then an Auditing Firm

Poor Management and Awareness? At this point, you might imagine the conversations around the Board Rooms of the Corporate West – clearly if a massive data company like Equifax could be breached then perhaps we should take another look at our own cybersecurity policies. We need a briefing, stat! Perhaps we should bring in auditors to –

Blammo – Deloitte catches one square in the gob as well. By September, it’s revealed that the firm – the company that your company might have called to assess your security – was the victim of a breach of its email servers involving, in fact, more than a “very few” of their clients (and although not quite as badly as Equifax, they also managed to botch the reporting and response).

And just so – nestled among the veritable smorgasbord of insecure S3 buckets, nation-state-linked APTs, shocking iOS bugs (take your pick I suppose, but this one is a dandy) and infrastructure attacks was the 2017 pwnage trifecta: nation-state, data company, and Big Four auditing firm. If all these entities could be the victims of attack, then it suggested that some significant board-level navel-gazing may be required.

The Year that Was

Cybersecurity wasn’t a risk un-acted on, and businesses didn’t sleepwalk into current territory. But despite the efforts, despite the growth of business solutions, 2017 left businesses feeling exposed, feeling insecure about their cybersecurity. At Cyber Observer, the complaint that we hear more than any other is that – despite effort, money spent, resources hired, software deployed both cumbersome and light – businesses still aren’t confident that they have a good, or even basic, understanding of the state of their organizational cybersecurity or how to advance it.

Perversely, there’s a light of optimism to all this: cybersecurity remains, at the end of the day, a human endeavor: all the budget in the world for the fanciest AI and vendor tools won’t guarantee protection of your data, but good management – and good managers – will.

Now for the Plug

This is where the rubber hits the road – if you don’t know what’s going on in your network, you can’t manage it. Cyber Observer’s goal is to be the solution for providing organizational managers with the comprehensive cybersecurity awareness that many businesses are currently lacking. We’re not an endpoint solution, vulnerability manager, SIEM, or Firewall – but we integrate with all those tools, and dozens more besides, to ensure managers get a comprehensive, real-time understanding of their enterprise cybersecurity. The Big Picture. The complete view, from 35,000 feet.

While there’s plenty of operational tools for front-line analysts and IT technicians, Cyber Observer understands that without a solid management tool for senior managers that can deliver high-level awareness and comprehensive understanding about overall cybersecurity, businesses will never be able to effectively manage cyber-risk and put their 2018 outlooks on a higher trajectory.