How to Reduce 90% of Cyber Attacks

Pete noticed the young, attractive figure in a relatively short skirt and top that looked like it could pop off at any minute, frustratedly trying to gain access to the turnstile.  She would scan her badge over the reader, but nothing would happen. Not once did he look at the badge she carried. He said follow me, scanned his badge, and both passed through the turnstile. Pete pointed her towards the corridor where security could address the access badge issue, and then he walked away.  She ended up sitting at a ‘hotel desk’ and while appearing to be working like any other employee, began the cyber attack form within the network

Larry, head of cybersecurity, approached Pete, saying, “Pete, who is the hotty?” He, too, overlooks the tailgating infraction at the employee entrance and the bag full of technology hacking tools she discreetly carried within her laptop bag now inside the building. Had she tried to enter through the primary entrance, security would have scanned her bag and detected it.

During the forensics of the intrusion, we discovered Pete and Larry both overlooking this somewhat innoxious activity. When confronted, they realize that they are both the problem!

In a previous article, Critical Testing: Exposing Your Company’s Security Gaps, a similar event exposed how easy it is to access a company's treasures. Until we start admitting that each of us contributes to the challenge and make changes, we all are at risk.

Cyber Security vs. Cyber Resilience

Too often, people think that cyber events happen through a computer or some other technology-initiated activity. Though the core thought is not wrong, access to valuable data starts through many rather simplistic ways.  It is essential to understand the difference between cyber security and cyber resilience to begin building an understanding of what you and your company need to do to thrive (not just survive) during an attack.

“Cybersecurity is protecting systems, networks, and programs from digital attacks. It involves preventing, detecting, and responding to attacks.”

These “security nerds” tend to sit in front of computer screens in dark rooms and share nothing with the average employee about what they do and the threats they have blocked. This veil of secrecy is for various reasons, from protecting the company's reputation to ensuring vulnerabilities are not publicly known. The cyber security technician works on the frontline, setting up the protection of assets, detecting threats, and managing incidents.

“Cyber resilience is the ability of an organization to enable business acceleration (enterprise resiliency) by preparing for, responding to, and recovering from cyber threats. A cyber-resilient organization can adapt to known and unknown crises, threats, adversities, and challenges.

The ultimate goal of cyber resiliency is to help an organization thrive in the face of adverse conditions (crisis, pandemic, financial volatility, etc.).”

So, cybersecurity is the activity that identifies, protects, and responds to cyber threats. At the same time, Cyber Resilience ensures the enterprise can prevent incidents, minimize impacts, maintain productivity, and expedite recovery.

Peter and Larry, you are the problem, and so is everyone else who proceeds through their day, giving no thought to the ulterior motives of those around us.

What makes up an effective cyber-resilient program?

Proofpoint, a leader in proven cyber solutions, claims, “Social engineering is an illegal activity that accounts for 98% of cyber-attacks.” Even if this number is slightly high, most sources estimate that 80-95% of cyber-attacks result from humans. Yes, the problem begins between the keyboard and the seat. You are the problem!!! Much of what a successful cyber resiliency program focuses upon is you and your activities.  

While studying to obtain my Certified Cyber Resilience Professional (CCRP) certification from the Disaster Recovery Institute International (DRII), one of many higher-level certificates I hold, there was much focus on the understanding and limitations of cyber security and how a cyber resiliency program can effectively reduce cyber risks by as much as 90%.  A mature program focuses on understanding the risk(identification), preparation(plans) and execution(incident response), and restoration/recovery(response).

It may sound simple, but if you are the problem, how does a cyber resilience program mitigate the risk?

Cyber Resilience and Business Continuity

Business continuity and cybersecurity used to be siloed processes, but the evolving cyber threat landscape and what it takes to address it through a program, aligns to the same risks and process of business continuity. Cyber resilience works to eliminate this gap and utilize the PLAN-DO-CHECK-ACT  continuous improvement lifecycle. Therefore, effective cyber resilience programs partner with and are often an extension of the corporate business continuity program.

Such programs strive to not only identify the risks, build plans, and master incident response but also focus on the root cause of the problem – YOU! After all, if you cause 98% of the problems, then if the program did not focus on the problem, it would be 100% reactive and minimally effective. Consider this: would you invite a known thief into your home knowing they will take everything and there is nothing you can do because you invited them?

It only makes sense to partner or build out within a risk-focused program that already exists, has proven methods, and continuously reduces your company's risk exposure, which is the business continuity program.

You’re fired!

The catchphrase on the popular show The Apprentice was when Donald Trump would say, “You’re Fired!”  however, if companies fired everyone who was a threat, the available workforce free of any cyber infractions would be maybe 20-30% of what it is today. This is how serious the problem is, so when I say, ‘you are the problem,’ you are! Honestly, I, too, could be the problem. It is unrealistic to think that corporate America would fire so many. Companies are exploring the use of AI to avoid the human error factor. Yet, AI is just programmed actions that can learn and improve artificial knowledge. Though AI has some benefits, but it is only as good as the program, and since it is a program, it is susceptible to cyber-attacks, too!

During the interviews, I played the footage from the security camera back to both Pete and Larry, and both seemed somewhat embarrassed. They had been distracted by the young lady and did not think about the immediate risk of allowing her to tailgate at the entrance.  Both Pete, Larry and the other employees entering were responsible for stopping the tailgater. If anyone had spoken up, it could have prevented the cyberattack launched from inside the company network.

At the end of the forensic investigation, Pete and Larry were relieved of their positions. Pete allowed someone to tailgate his entry into the secured company entrance, which violated company policy. Larry did so for the same reasons but also because, as the head of cybersecurity, he is actively involved in the development of ‘defense in depth’; he had not only witnessed a violation but allowed it to continue. 

Know that if you do not uphold corporate policies and it is discovered that your actions have led to a loss, especially of a significant and serious nature, you could and should be fired.

What comes next?

I will present future articles discussing elements of building a cyber resilience program to inspire a practical program where you work and ensure that employees actively embrace these cultural changes. This will protect your company and those who implement changes in their behaviors.

James Knox is a resiliency expert with an innovative spirit who thrives when building meaningful solutions to various daily problems in the corporate world. He is an avid outdoorsman and loves extreme rock crawling, fishing, and hunting. As a survivalist, James has learned from necessity how to prepare for life’s bumps and thrive with practical and sensible solutions, supporting his family's self-sustaining lifestyle.