With 2020 behind us, now is the time to look back on a turbulent year and learn how we can make 2021 the year of IT security. We have some insights we'd like to share with you in this blog post.
"Gouverner, c'est prévoir ; et ne rien prévoir, c'est courir à sa perte"
(To govern is to plan; and to plan nothing is to run to one's ruin).
Emile de Girardin in La politique universelle (1852)
Highlights of 2020
Goodbye 2020, hello 2021!
The word "virus" has probably been said and heard more often this year than any of us would have wished. Curiously enough, these past 12 months have also been virus-intensive from a cybersecurity point of view.
Our CISO-as-a-Service and user-centric approaches took off, and I am glad to see that customer evangelization, and especially end-user awareness, have gone up a level. Truth be told, we are still lagging behind Luxembourg, but the IT landscape is different over there.
While many of our customers have decided to invest in threat protection, we are also glad to see that the "protection" mindset is now gradually giving way to a "detection and response" posture.
Some improvement points
So, all is right with the world? Well, that's not entirely true. Many customers have invested in security because they "had to"; not because they were convinced it would yield an attractive ROI (return on investment), nor because they could take such a discussion to board level.
Truth be told, they were caught by surprise! They got cryptolocked (hit by ransomware), phished, or both.
Feedback is always interesting
Interviewing customers after a crisis is the perfect way to gather honest, shareable insights. Here are the most common ones (to name but a few):
- We merely relied on an untested backup policy,
- We could not, once again, obtain extra funding at board level,
- We had "no data at risk". Well, that's what we thought...
- We are "not a financial institution",
- We thought we were not interesting to a hacker. Actually, we are, and so are our partners and customers,
- We knew we were not bulletproof, but we never thought we were that exposed,
- We blocked inbound traffic coming from Russia. Ain't that enough?
- We thought everything was well protected, so we were not prepared to face an attack,
- We envisaged getting organized, but forgot about some printouts,
- We had good solutions in place but had no visibility into when the attack would happen,
- We spent a lot of money on buying software licenses but forgot to install/renew them,
- We never had an incident before, so we thought we were safe. We were wrong,
- We are not pioneers when it comes to installing the latest hardware or software features, but we do have End-of-Support systems in production...
- Security is cheap compared to the breach we had.
An attacker's job is to infiltrate a target network and then wait patiently, deploying the ransomware only at the most strategic moment, meaning the most disadvantageous moment for the victim. This waiting period, between the initial compromise and the moment the intrusion is noticed or the ransomware is triggered, is the dwell time.
- Advantage for the attackers: it is easier to force victims to pay.
- Advantage for the defenders: it gives them a bit of time to detect and neutralize the intrusion before the attackers push the button. That window only helps, of course, if someone is actually watching the network during it.
Let's not dwell too much on New Year's resolutions, but if you are looking for one, I'll be happy to share my best tip with you:
Add Cybersecurity to the Board agenda with this question: "What do we do if we cannot access our digital data?"
You will see some question and exclamation marks popping up around the table (or on your video-conference screen).
Let's not forget that nothing is due to fate or bad luck here: companies can still protect themselves in fundamental ways.
This will not only make it more difficult for attackers to find vulnerable targets in the first place; it will also make it less likely that victims will actually have to pay a ransom to restore their services if they do get hit. And when you talk about money well spent to your board of directors, they are certainly going to listen to you!
In the past, companies could often get away with having somewhat weak security, but not anymore! They'll have to pay the price, literally and figuratively. So, don't be the next one!
Note to self for 2021
Keep the Incident Responders staffed during what we used to call the "calmer periods": between Christmas and New Year, when everyone is going back to school, and so on.