By Joseph F. Norton
I recently had the opportunity to speak with the cybersecurity leadership of a very large multi-national organization. My lead-off statement concerning the state of cybersecurity today was:
“Cyberattacks are a hyper-growth industry!”
Until we, the cybersecurity practitioners, and the organizations we strive to protect, change the economic returns for bad actors, the cyberattack industry will continue to accelerate its hyper-growth trajectory.
Our entire professional world has been turned upside down. The tools of the trade of cyberattacks have become so widespread, so easy to acquire, and so easy to use that we are faced every day with a relentless onslaught of attacks from bad actors who encounter no barriers to enter the cyberattack marketplace.
It is all about easy money.
“The professional cyberattack industry is only in it for the MONEY!”
You do not have to turn to the trade press and security reports to learn about who has been attacked and compromised. We are bombarded, it seems, every day in the public press and our smartphone news feeds by reports of attacks and compromises.
There is so much attention being paid to news of the easy money ransomware attacks and data breaches that it is easy to lose sight of the rest of the traditional cyberattack industry. Hacktivists, financial fraud, industrial espionage and nation-state attacks continue their relentless pressure as well.
“We no longer have a perimeter to protect!”
It is long past time to change our cybersecurity mindsets and strategies. We no longer have a network security perimeter which we can protect. The beginning of the end of protectable security perimeters came with the advent of the “Internet-of-Things” (IOT). As IOT has proliferated, we have lost any physical sense of a security fence line we could protect. Our network perimeters of internet connections are like a screen door on a submarine. They leak constantly, and it is impossible to contain them 100% or to guarantee that no unauthorized access will occur. The Yin and Yang of our Internet and IOT enabled businesses and societies is that every advantage also presents a disadvantage.
“It is only a matter of time until you will be compromised.”
The most forward-thinking cybersecurity mindsets and strategies I now encounter adopt an “it is only a matter of time until we will be compromised” approach. This realization does not mean that we should abandon all hope. It is just a realization that cybersecurity compromise is now a part of our “new normal,” a fact of business life. This is a core cybersecurity mindset which embraces all aspects of our professional skills and capabilities while elevating and prioritizing the protection of our organization’s data.
“Remove bad actor economic profit from their cyberattacks.”
When we remove the easy economic profits which today’s bad actors receive from their cyberattacks via the selling of your data, intellectual property, and competitive information, these rampant cyberattacks will recede. Bad actor attacks will stop when the easy money flow stops.
Protect your data!
You and I already know how to protect the 20 percent of your data in your databases. Eighty percent of your data is unstructured data. This is a broadly known fact in business and information technology. Secret sauce recipes are unstructured data in a document. Your merger and acquisition plans and negotiations are unstructured data in a document. Your sales forecasts are communicated as unstructured data in a document. Your business proposals you provide to your customers are unstructured data in a document. The most intimate aspects of your business operations are found in your unstructured data and shared widely in documents. Your manufacturing and supply chain forecasts are found in unstructured data and shared as documents. Your invoices are unstructured data and transmitted to your customers as documents.
When your data does become compromised, if the bad actor who exfiltrates your data cannot read it, there will be no economic profit to be found in the theft of your data. If other bad actors cannot read your data and benefit from its theft, they will not buy it.
“The next frontier in cybersecurity.”
The next frontier in cybersecurity is file level encryption of your unstructured data and documents. Individual encryption applied to every file in your organization is no longer a dream. File level encryption which is persistent and follows the document regardless of where or how the document is transmitted or stored, within your organization or outside of your organization to third or fourth or more parties, is a capability which exists today. It includes your total control and implementation of your data policies and classifications, as well as who has rights to access your encrypted documents. Track and trace of encrypted documents, use access, forensic as well as regulatory compliance reporting are all part of a “protect your data” strategy as well.
“Protect your unstructured data to defeat Cyber Criminals and Cyberattacks.”
Joseph F. Norton is a Board Member and Chief Security Officer of APF Technologies LLC. During his career he has also served as the Chief Security Officer, ATOS; CTO, Koninklijke Philips N.V.; CTO, Novartis; and CTO, McDonald’s. Joe is also certified by the Digital Directors Network as a Qualified Technology Executive (QTE).