The recent hack of a large political organization in Washington DC has set in motion more mayhem and vitriol than most hacks have in the aggregate. Without focusing at all on politics or affiliations, let's concentrate on lessons learned, i.e. what can your company or organization learn from the cybersecurity fact pattern that is coming out in the press as I type? Anyone can focus on the bad, but if history repeats itself once again (it always seems to), there are three very fundamental lessons that we can learn from the DNC hack:
1. Use peacetime wisely: A very astute man taught me this phrase a long time ago (almost 10 years ago, during a crisis). What does the phrase mean? It means doing your homework before class. It means planning ahead for a potential crisis well before that crisis ever occurs. It means being proactive, not reactive. How do we apply this rule? Well, today, if your organization has any sort of high-value information (e.g. the plans for a new high-powered quantum computer chip), your organization will likely be (or already is) the subject of a cyber attack. How are you planning for this certainty? How are you protecting your data? Do you have an incident response plan? Do you have a business continuity plan? Do you have a crisis communications plan? These are just the basics, but they are uniquely important for cybersecurity. In short, using peacetime wisely is like the Boy Scout motto, "Be Prepared." Because stuff happens.
2. Conduct cybersecurity risk assessments: What does this mean? As explained in this article, there is a logical way to assess your cybersecurity risk using a method designed by my friends at the National Institute of Standards and Technology. In summary, the process is pretty simple (I am heavily summarizing): 1) What are my cyber threats and vulnerabilities? (Well, there are people, employees, vendors, nation-state actors, aging computer hardware and software, and hackers for hire, for starters.) 2) What am I doing about those threats and vulnerabilities? Am I training my employees not to click on the link? Am I patching my software packages in a timely fashion? Am I following a "least-privileged user" policy? Is my cybersecurity hardware state of the art, or as old as I am? 3) How likely is it that I will be attacked via a given threat or vulnerability? 4) How bad will the damage be if I am attacked?
Have this discussion internally on these four points. Assign numerical values to the risks, threats, likelihood and impact. Do the math. Then focus your efforts on the high-value risks and vulnerabilities where the impact is greatest. Maybe you can change your risk profile by adjusting your cybersecurity posture immediately to fit the identified risks? Most organizations simply don't spend enough time on cybersecurity. The time to spend what time you have is before the hack occurs. Not after.
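To make "do the math" concrete, here is a small risk register in Python, added as an example for this post (it is not the author's tooling and not NIST's). It scores each threat/vulnerability pair on likelihood and impact, ranks the inherent risks, applies the controls you are already running (training, patching, least privilege, hardware refresh) to get the residual score, and finally ranks the controls by risk removed per unit of cost so the cheap, high-payoff fixes float to the top. The 1 to 5 scales follow the semi-quantitative style of NIST SP 800-30, but the scale values, the four register entries, and every control effect and cost below are constructed assumptions; replace them with your own numbers.

```python
"""Semi-quantitative cyber risk register: score, rank, then rank controls.

Added example for this post, not the author's own tooling. The 1-5 scales,
the register entries, the controls and their costs are all constructed
assumptions in the spirit of NIST SP 800-30; swap in your own numbers.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    threat: str            # who or what (employee, vendor, nation state, ...)
    vulnerability: str     # the weakness that threat would exploit
    likelihood: int        # 1 = rare ... 5 = almost certain
    impact: int            # 1 = negligible ... 5 = severe

    def __post_init__(self):
        # Reject out-of-scale values instead of silently producing a bogus score.
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: likelihood/impact must be 1..5")

    def score(self) -> int:
        """Risk = likelihood x impact, so 1..25 (semi-quantitative, assumed)."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    risk_name: str             # which register entry it mitigates
    likelihood_cut: int = 0    # likelihood levels removed when applied
    impact_cut: int = 0        # impact levels removed when applied
    cost: float = 1.0          # annual cost, arbitrary units (assumed)


def residual(risk: Risk, controls) -> Risk:
    """Apply every control aimed at this risk; levels never drop below 1."""
    lik, imp = risk.likelihood, risk.impact
    for c in controls:
        if c.risk_name == risk.name:
            lik -= c.likelihood_cut
            imp -= c.impact_cut
    return replace(risk, likelihood=max(1, lik), impact=max(1, imp))


def rank_risks(risks):
    """Highest inherent score first: where to spend the time you have."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def rank_controls(risks, controls):
    """Controls ordered by risk points removed per unit cost, best value first.
    Each row is (control name, score reduction, reduction per unit cost)."""
    by_name = {r.name: r for r in risks}
    rows = []
    for c in controls:
        target = by_name[c.risk_name]
        cut = target.score() - residual(target, [c]).score()
        rows.append((c.name, cut, cut / c.cost))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed register: four made-up entries, not real findings.
RISKS = [
    Risk("Spear phishing of staff", "hackers for hire", "untrained users", 5, 4),
    Risk("Unpatched web server", "opportunistic attacker", "late patching", 4, 4),
    Risk("Vendor remote access abuse", "compromised vendor", "shared admin account", 3, 5),
    Risk("End-of-life firewall", "nation-state actor", "unsupported firmware", 2, 3),
]

# Constructed controls with assumed effect and cost.
CONTROLS = [
    Control("Phishing awareness training", "Spear phishing of staff", likelihood_cut=2, cost=5),
    Control("14-day patch SLA", "Unpatched web server", likelihood_cut=3, cost=20),
    Control("Least-privilege vendor accounts + MFA", "Vendor remote access abuse",
            likelihood_cut=1, impact_cut=2, cost=30),
    Control("Replace firewall", "End-of-life firewall",
            likelihood_cut=1, impact_cut=1, cost=100),
]


if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.score():2d} {r.name}  (residual {residual(r, CONTROLS).score()})")
    for name, cut, per_cost in rank_controls(RISKS, CONTROLS):
        print(f"{per_cost:5.2f} per unit cost: {name} removes {cut} points")
```

With these made-up numbers the phishing entry tops the inherent ranking (5 x 4 = 20) and the cheapest control, awareness training, also gives the most risk reduction per unit cost, which is the point of ranking controls rather than just risks: the first thing to fund is not always the most expensive one.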
3. It's time to conduct vulnerability and compromise assessments (and listen to the results): Finally, time to call in reinforcements, meaning your cybersecurity consultants. Have them perform both a "vulnerability" and a "compromise" assessment. Without being highly technical, a vulnerability assessment is very much like a cyber risk assessment, except that a highly trained and skilled cyber ninja (hired by you, of course) tests your systems and your people, looking for weaknesses and vulnerabilities that could be exploited. If there are any weaknesses, work with your cyber consultant, prioritize those risks, and start working from the top down as soon as you can. Anything you can do to lower your risk is a positive. And undoubtedly there will be some simple things (like spear phishing training) that can be done for very little cost and could dramatically lower your risk. Listen. And learn. Stuff happens.
Also, a compromise assessment is very, very valuable. It is something that will tell you whether or not you have already been hacked. This one is so important. The sooner you know you've already been hacked, the quicker you can react and try to kick the attacker off your network. The sooner you know, the more you can lessen the damage of the attack. And hopefully act and react before the FBI or an investigative cyber journalist comes knocking at your door with very bad news.
Use Peacetime Wisely. Stuff Happens.