It is such a horrible way to start out with such a morbid title that includes the word “death”, but you may remember in our previous article, we covered the unfortunate murder of 27 year old Colombian footballer, Andres Escobar, for inadvertently aiming at the wrong goal in the 1994 FIFA World Cup and how your organisation is aiming at the wrong goal when it pursues cyber security.
Fortunately, for most organisations the price to be paid for aiming at cyber security is not death, but in a few cases the death of an organisation has occurred. One well known occurrence in Australia was the rather sad incident involving Distribute.IT, a web services provider that sustained two targeted attacks in close proximity and ceased trading in June 2011, putting around 4,800 of Distribute.IT’s clients, many of which were small businesses that depended on having a web presence, out of operation virtually overnight. For the owners of Distribute.IT and its impacted clients, this was a truly shocking moment – to be thriving one day, and extinct the next. For medium to large businesses, the penalty is not likely to be so terminal, but operational, reputational and financial impacts could deal a severe blow to both last year’s revenue and future revenue.
Furthermore, it is also demoralising to be aiming for the wrong goal. If the outcome can never be achieved, it will create a feeling of self-defeat and drive a lack of motivation to expend any effort on a problem that is gargantuan and unsolvable. Ultimately, this affects staff turnover.
So, it’s time to stop aiming for cyber security, but what should be the goal that your organisation should be chasing?
The goal is cyber resilience. Whilst this may seem more a nuance than a fundamental shift in thinking, it has a profound impact on the way an organisation manages cybercrime.
Resilience is the ability of an ecosystem either not to deviate from its current desirable state or, where it has deviated from that state due to an undesirable event, to quickly return to a desirable state. This is often dismissed by many as merely business continuity, disaster recovery or crisis management, but those are just a small part of cyber resilience.
Since there are four focus areas on which cyber criminals rely to achieve success, this gives us four focus areas for cyber resilience:
- Vulnerabilities – can we prevent all vulnerabilities? No. If we waited for all vulnerabilities to be prevented, we still would not have seen the first piece of software released, nor would we exist. Humans are full of vulnerabilities!
- Threats – again, we cannot prevent every threat, but we can be resilient to threats by having strong controls in place to deter and prevent cyber criminals. Consider a non-IT example such as influenza. To prevent it you would need to wipe out every strain of influenza in existence, but being resilient to it most likely means a balanced diet, exercise and regulated sleep.
- Attacks – like threats, we cannot prevent every attack, but being able to quickly detect and respond to attacks is achieved through resilience.
- Breaches – like threats and attacks, we cannot prevent every breach, but the ability to quickly confirm that a breach has taken place and recover from it is a sign of resilience.
Cyber resilience is reducing the impact that vulnerabilities, threats, attacks, and breaches have on the information upon which your organisation relies and is an attainable goal, unlike cyber security which is predicated on prevention and is continually, and increasingly, failing us.
If you are a soccer fan you may recognise who is featured in the above photo and the tragic story that followed. Let me explain for those who do not know what happened next.
The Colombian footballer pictured, who played defence, is Andres Escobar. Up against the United States on June 22, in Colombia’s second match at the 1994 FIFA World Cup, Escobar stretched to intercept a pass from American midfielder John Harkes. His timing was off and, to the shock of the crowd, Escobar accidentally deflected the ball into Colombia’s net.
The United States won the game 2–1. The news swept the world with headlines shaming Escobar. He was devastated; Colombia was devastated, but what was truly devastating was what happened next. In low spirits, Escobar returned to Colombia rather than visiting his relatives in Nevada, and on July 1, Escobar joined friends at a bar, liquor store and eventually a nightclub. Shortly after parting ways at around 3am on the morning of July 2, three men approached Escobar whilst he was in his car at the nightclub car park and shot him six times. After each shot, “Gol”, the Spanish word for “goal” was shouted. Escobar died 45 minutes later.
Escobar paid a hefty price for a failed attempt at prevention of his opponent’s goal, which resulted in him inadvertently placing the ball in the wrong goal.
Almost every organisation is “inadvertently placing the ball in the wrong goal” when it comes to thwarting cybercriminals. So what is the wrong goal?
Have you ever met a woman who is half pregnant? You may have met a woman who did not know she was pregnant, but clearly there are two states: pregnant or not pregnant. This is a binary state. Most organisations are chasing a goal of “cybersecurity”, but security is also a binary state. An organisation is either secure or it is not. We associate security with stopping or preventing breaches of confidentiality, integrity, or availability. To be secure means every breach must be stopped. I’ll give you two analogies to let the idea of security being associated with prevention sink in. Would you say that a bank vault is secure after it had been broken into? Would you say that a prison was secure if it was broken out of? The moment prevention fails just once, even though it may have been successful millions of times prior, the concept of security is lost, and you can be sure that prevention will fail in your organisation if it hasn’t already failed at least once.
Chasing cyber security is the wrong goal. Let’s consider, hypothetically, if you wanted to achieve cybersecurity, what your organisation would need to do:
- The organisation would need to be disconnected from the Internet
- All employees would need to be fired
- All customers would need to go elsewhere to consume whatever goods or services you offer
- All physical and electronic information would need to be destroyed; and
- The memories of anyone who had access to any information about your organisation would need to be erased
Each of those is harsh, and not a business-enabling task, but if you are hell-bent on cybersecurity, I really do wish you good luck with the last one!
Security is clearly the wrong goal, but stay tuned. In the next post we will explain what goal your organisation should be aiming for if it wants to put up a good fight against cybercriminals.