Werner Herzog’s latest documentary venture, Lo and Behold, Reveries of the Connected World, intends to make you less comfortable in your digital habitat. And after legendary hacker Kevin Mitnick goes on to explain why no one is safe from cybercrime (regardless of how protected one thinks one might be), the film very well succeeds in that aim. According to the latest findings, cybersecurity is just as fragile as Herzog and Mitnick claim it is – in fact, 73% of organizations fail to maintain a safety protocol.
In 73% of cases, an end of term report “might have the words can do better scrawled on it in red ink”, confirms Gareth Wharton, cyber CEO at Hiscox.
With that in mind, we are taking a look at what field experts have to say to organizations about new ways to improve and sustain their cybersecurity strategies.
New Vulnerabilities for the New World Order
Cybercrime is no small threat to modern-day companies. Be they rising or already successful, they all operate within a digital sphere full of vulnerabilities that are out of these companies’ control. Some years ago, all of their worries could be shaken off with a simple firewall. In today’s world, however, one would have to be truly inventive in order to avoid the likeness of Equifax, WannaCry, or NotPetya.
In a conversation with Dan Patterson from TechRepublic, Centrify’s chief product officer Bill Mann refers to today’s cyberspace as the new world order. “When you’re at home and you’re sleeping in bed”, he explains, “you inherently trust your environment because the front door’s locked, the windows are locked, and so forth”. In Mann’s opinion, that’s the equivalent of our trust in firewalls.
“But just imagine now that the windows were open and the doors were open. How would you think about security at home?” The perpetrator, in other words, is already in, and it’s highly unlikely that you’d be able to notice him. Criminal groups have long gained access to more sophisticated tools, and our craze for IoT only helps their case. In the new world order, cyberattacks are only a matter of when.
Who Has Left the Window Opened?
While incidents continue to pile up, victimized organizations and curious experts alike are conducting a witch hunt. Instead of wondering how to prevent these attacks from happening in the future, they are trying to determine who’s to blame for leaving the window opened in the past. So far, their main culprit has been flawed technology; paradoxically, high-end tech has also been their main investment.
A handful of cybersecurity experts warn that it’s not the safety system that’s vulnerable to attacks, but the people. In Lo and Behold, Mitnick reveals the way he managed to hack FBI phones simply by sweet-talking people at Motorola. Aside from impersonation, there was little manipulation involved – one of the company’s employees gave him the codes he needed on their own, out of sheer cordiality.
Many similar examples confirm that the human factor presents the biggest flaw in companies’ cybersecurity protocols. Organizations are “failing to support their investment in security technology with a formal strategy, sufficient resourcing and training, and sound processes”, concludes the Hiscox report. If nobody’s teaching people how to operate the system, the system makes no difference at all.
Could Zero Trust Be the Answer?
That’s why Bill Mann from Centrify proposes a somewhat counterintuitive idea – to have zero trust. Such an approach is not set to reinvent the wheel, but to reinforce three simple components within any organization’s safety protocol: the user, the device, and the user’s privilege, in that particular order.
The first step to cybersecurity for the new world order is therefore to understand who’s using the system. This applies to your company’s network, established within a digital infrastructure that serves to facilitate your day-to-day operations. Though every employee has a unique passcode, it’s only through multi-factor authentication that you can truly know who’s accessed your digital environment.
The second step is understanding the device behind the user. “So if you’re using a mobile phone, let’s make sure it belongs to Bill”, as Mann jokingly insists. A vast number of attacks are being conducted through compromised personal devices that employees use in the office. Organizations need to leverage technology to gain a more accurate understanding of the devices connected to the system.
Finally, companies should learn to manage digital access and reduce user privileges. There’s really no need for all employees to have equal rights when it comes to using company-wide systems, to see everything that’s stored within the system, and log into all accounts. The key is in defining the least amount of access an employee requires for doing his or her job as quickly and efficiently as needed.
It turns out that these new ways to improve and sustain cybersecurity are not so new at all. They essentially return safety protocols to their basics – the zero trust strategy and the proper way to train people to employ it. If the human factor is the biggest flaw, then what cybersecurity really falls down to is common sense. The best safety protocol has already been written; we just haven’t learned to read.