Want to Defend Against Data Breaches? Assume You’re Already Compromised

11/15/2017

“Doing security right has a lot less to do with having the right security tools in place… and a lot more to do with having the right culture,” says cybersecurity journalist Brian Krebs in a recent interview with The Doyle Report. “The best way to be secure is to assume you’re already compromised.”

Krebs, the reporter who broke the story on Target’s massive data breach, writes the investigative blog KrebsOnSecurity. In the course of his work, he tells Doyle, he often discovers that companies have been hacked before they do – or, at least, before they acknowledge the data loss in public. How? By trawling the Dark Web, where stolen data is put up for sale by cybercriminals.

So, Krebs is aghast at the number of organizations in denial about their susceptibility to data breaches. The key to a great defense against cyber attacks, he believes, is first accepting your network’s vulnerabilities and then nurturing a company culture that embraces “prevention, cure and openness,” with a heavy emphasis on education and training for staff members, because study after study demonstrates that human failures – not technology failures – are responsible for most breaches.

Speaking at a recent cybersecurity conference, Krebs offered seven points for business leaders seeking to fortify their organizations:

  1. Assume you are compromised
  2. Think beyond compliance to achieve true security
  3. Know your employees even if it means monitoring their behavior
  4. Invest in two-factor authentication for partners and employees, especially on VPNs
  5. Hire and foster more cybersecurity talent
    (Blogger’s Note: This should apply inside and outside the boundaries of your firm – i.e., retain the support of a skilled Managed Services Provider.)
  6. Have regular fire drills to test your technology and, moreover, your business processes
  7. When compromised, secure what you have instead of reflexively adding more of everything, which will increase your attack surface

Inspired by Krebs’ counsel, we searched for more tips on establishing a cybersecure culture. We found an article by Baseline magazine proclaiming five “deadly sins” that increase the risk of a data breach. Here’s a digest:

  1. Apathy – Poor password practices erode cyber-defenses. Baseline shares the results of a recent survey of IT professionals that highlights the worst password practices:
    • Sharing passwords with colleagues
    • Failing to change default passwords on mobile devices
    • Setting weak passwords – e.g., “12345”
  2. Greed – The IT pros surveyed believe allowing users to act as administrators of their own machines is the biggest threat, followed by the company not regulating applications on users’ machines. Both issues can be addressed by a sound cybersecurity policy.
  3. Pride – To Krebs’ point, assuming your systems are unbreakable is delusional in today’s digital environment. Better to take a humble posture and perform every little software patch to every single device as soon as available.
  4. Ignorance – Audit systems and software as often as possible. Cybercrooks move at internet speed.
  5. Envy – Rushing into the cloud because the competition already is there? Pause and consider: