Why You Should Have a Cyber Defense Plan
If you’re not aware of and addressing blind spots in your cybersecurity, you can’t prevent or mitigate the damage from a cyber attack. A large part of creating a cyber defense strategy is being aware of the risks.
See Risk Review Helps Discover Weaknesses with Ralph Russo for a complete transcript of the Easy Prey podcast episode.
Ralph Russo works at Tulane University’s School of Professional Advancement. He is the chair and program director for Information Technology Programs. His interest in cybersecurity stretches back to the 1990s, when he became interested in technology and programming. Combining that fascination with his other interest, criminal justice, led him to cybersecurity.
Cybersecurity as a Growing Field
There’s an old saying that the appetite comes with eating. Ralph thinks this is very true when it comes to cybersecurity. As more people come to rely on technological systems, those systems become more and more valuable. And as soon as something is valuable, there’s going to be someone trying to steal it. Since technology keeps growing, the need for cyber defense will also grow.
“As more people become dependent on systems, those systems become more valuable. As soon as you have valuables, there are going to be some people looking to remove them from you.” – Ralph Russo
Cybersecurity is growing and will continue to grow. Cyber attacks have increased over 50% since 2020 and cost the world $6 trillion annually. The US Bureau of Labor Statistics predicts jobs in cybersecurity will grow by 31% by 2029 – seven times faster than the average US job.
Teaching the Fundamentals of Cyber Defense
Ralph taught the first cybersecurity course at Tulane in 2010. He often sees a lightbulb moment when he relates cyber defense to traditional security defenses. You could spend hours talking about layered security, but it’s not a new idea. Think about medieval castles: You didn’t just climb over one wall and land in the king’s lap. There were multiple defenses you would have to breach before you get to the most important people.
When it comes to cyber defense, fortifying a single door is never the answer. Ralph has seen a ram-proof steel door set in a wall made of drywall and two-by-fours. If you spend all your energy fortifying that one door, people are going to figure out ways to climb through the windows or break down the walls. You need multiple layers of defense.
“You may want a big door, but you’re going to also want some other hurdles.” – Ralph Russo
Ralph views cybersecurity on a continuum of maturity, from doing everything with pen and paper, to believing no one would hack them, all the way to processes, systems, and cyber defense informed by best practices. It’s a long continuum. Businesses should be working their way along it, growing increasingly secure as time goes on.
The Three Perspectives of Cybersecurity
Ralph doesn’t just teach the red team vs. blue team perspective. He teaches his students to look at cybersecurity and cyber defense from three perspectives. First is the technical perspective – understanding and using the technology involved. Second is the leadership perspective – understanding the relevance to business leaders and how to communicate the problems to C-suite executives and stakeholders. And the third is governance – knowing and using best practices and creating repeatable success.
Ralph frames everything through those three perspectives because all three are essential to cyber defense. They give students the ability to step back and not get bogged down in the details, but also to pay attention to those details when looking at the big picture.
Plan for Cyber Defense
Many people have a misconception that only large or extremely profitable companies are targeted by cyber attacks. But any business could be a target. If you have money or data coming through your business, there’s something a criminal could get from you. You could just be a stepping stone towards targeting someone else. Or you could be targeted by an opportunistic criminal who will go after anyone they can. Whether or not you are a target, you should assume you are and prepare your cyber defense accordingly.
“Even if you’re a small business or a midsize business, you may be a target and you should consider yourself a target.” – Ralph Russo
It’s essential to plan for it. Being targeted by a cyberattack can be more expensive than you anticipated. Some people think that because everything is encrypted, if their information gets held for ransom, they’ll just pay to get it back. But how much will you have to pay? How much will you have to pay to restore your systems? How much to restore your brand? What if you need to hire lawyers? It can get very expensive very fast.
Other people get cyber insurance and think that’s enough. Cyber insurance is a great part of a cyber defense and preparedness strategy. But as more people get it, insurance companies are requiring certain cybersecurity measures. If you don’t already have some cyber defense strategies in place, you probably won’t be able to get that insurance. If you do get it, you’ll have a minimum level of responsibility to maintain for that insurance to be effective.
Cybersecurity Blind Spots
For a long time, cyber defense and cybersecurity just weren’t priorities. C-suite executives and boards of directors were thinking about finance, profit, and sales, and cyber defense didn’t seem relevant. But people are finally starting to realize that cybersecurity is about money. You can’t be the CEO of any modern company and ignore anything technical.
“Cybersecurity is money … at the end of the day, it’s money, it’s brand, it’s all the other things.” – Ralph Russo
Breaches and hacks don’t just lose you money, they lose you your reputation. Ralph thinks that if a major bank was hacked and it caused an interruption to people’s relationship with that bank, it would be almost impossible for the bank to recover. If you’re a CPA and you get hacked during tax season, you might lose your business. The old joke used to be that CIO stood for Career Is Over because they were the first to get blamed if something went wrong. Now cyber defense is an all-hands-on-deck situation.
Many small and mid-sized businesses are attempting to increase their cyber defense by offloading it into the cloud. If they can’t secure what they have, they assume Google, Microsoft, Amazon, or whatever cloud service they use will secure it. But “in the cloud” doesn’t automatically mean secure. It just means someone else manages the physical hardware for you. And physical infrastructure can be targeted. You still have a responsibility to secure your business’s data.
Plan Your Risk Mitigation Strategy
You should assume that your systems will be compromised and work from that perspective. Cyber defense is not just preventing attacks – it’s also minimizing damage. If someone gets into one system, how are you going to prevent them from getting to other essential systems? How will you stop them from adding viruses and malware?
“You should assume you’re going to be hacked. If they want to bad enough, they probably can.” – Ralph Russo
There are ways to mitigate the damage. Start by segregating your systems. Does your billing clerk need access to the database that stores customer credit card information? Probably not. Keep your backups as offline as possible, in different physical spaces and on different networks than your main systems.
This is where governance comes in handy. It helps you improve your cyber defense by reviewing all risks, from things you should see coming to the most outlandish. What if there’s a tornado? A hurricane? Someone plants a bomb? If you lose the various systems, where would you be? You might find it worthwhile to spend $10,000 on a cyber defense strategy that prevents a $100,000 loss.
Hope for the Future of Cyber Defense
Over the next few years, Ralph predicts the development of more cyber defense frameworks, maturity models, and best practices. Experts are fleshing out the guidelines, and it’s going to bring the level of security up. Cyber insurance will also force companies of all sizes to meet cybersecurity standards.
Ralph sees cyber defense as an arms race. Malicious actors will use quantum computing to crack encryption. Cybersecurity, analysis, and cyber defense will all improve with the help of artificial intelligence and augmented intelligence. Cyber attacks will get better, and cyber defense will get better.
“I see cybersecurity being an arms race … I don’t think I’m the first to say that.” – Ralph Russo
Individuals are also improving at cybersecurity. Ralph has a friend who wanted to place an online bet. The betting site asked for his Social Security Number. This friend asked Ralph if he should really be putting that information into a website. We’re starting to think twice about disclosing personal information online.
Governments, though, have a lot of catching up to do – especially local governments. They are particularly targeted, have huge stores of data, and often don’t have the budget for cyber defense. A school system may have the personal information of thousands of students, making it a great target for anyone wanting to commit child identity theft. Everyone, including governments, will need to think more about cyber defense going forward.