Everyone wants the latest and greatest to protect their systems. Vendors tout this and show features and benefits of their fantastic way to protect your data, your system, or in general, your business.
However, sometimes we should look outside our tools and resources and consider that protection (or lack of it) could be a result of the way we do business and not what we are using to protect it. What do I mean? Let me explain.
We all know to protect our systems from vulnerabilities. We scan our systems, and we constantly fix whatever is wrong. The lifecycle starts with the assumption that vulnerabilities are in the system.
Good assumption. Most of the time, they are.
However, have you considered how the vulnerabilities got there? Could we proactively change something about the way we process information so that fewer vulnerabilities get into the system in the first place?
Here’s an example: A banker sends account and routing numbers to customers through standard email so they can transfer money into that account. If an attacker knows about this process, they could interrupt it and send out an email with their own account and routing numbers, so the money is transmitted to them instead.
We could bolt on products and services to ensure that email is transmitted securely using strong passwords. However, if the attacker already knows the organization’s process, they can send preemptive emails of their own that may not expose the actual information but will still get the receiver to follow through, sending the information to the attacker.
Or, if the email account is compromised, the attacker gets to create their own messages regardless of passwords or encryption. So while security controls can mitigate this, the process itself is insecure.
Another example is a Man-in-the-Middle attack where the attacker can block a legitimate email and replace it with an alternate one. Granted, this is harder with encryption, but I’ve seen it done between existing communication lines by creating two separate tunnels on each side of the attacker’s communication link.
Today, cybersecurity professionals should be looking at their systems in terms of threat exposure and the impact of that exposure on the business (known as risk).
Sometimes we need to change our procedures rather than add another security product or service. As businesses change, at times the processes must change as well.
If you want to connect to see what this means for your organization, you can easily set up a time with me here.