Why We’re Losing the Cybersecurity War

Author: ISACA
Date Published: 19 May 2021

It’s time to admit we’re losing the cybersecurity war and become more accountable about the real reasons why.

That was the message from David King, CISA, CISSP, at his ISACA Conference North America session, “Governing Goliath: How We Lost the Cybersecurity War,” this month. King, a founding member of the Cyber Support Alliance, said the premise that we are primarily fighting cybercriminals is misleading, because many of the vulnerabilities that get exploited are of our own making.

“I think we’re at war against our own use of technology,” King said. “I don’t think we’re governing our use of technology well.”

The challenge is urgent, especially when it comes to protecting small businesses. One in six small businesses closes after a cyberattack, King said, and small businesses are behind the majority of private sector jobs.

While some might presume that cybercriminals wreak havoc by leveraging sophisticated methods of attack, King said that, more often, “They’re really just downloading malware off the darknet and using it at their disposal.”

According to King, it’s critical to keep in mind that these cybercriminals are taking the path of least resistance, and the reality is that modern systems are fairly difficult to exploit, but humans are quite easy.

For organizations to better govern their technology and prepare to fight off cyber threats, King said they need to analyze which roles within the company could constitute a cyber risk. He said that blanket phishing campaigns are insufficient and that it is more effective to drill down into each individual’s role and how that person could become the human element in a breach.

“Every business, regardless of their size and regardless of which sector they’re in, has exactly two things in common – money and data always go in, money and data always go out,” King said. “So as we’re analyzing, we need to be looking at who are the people that touch the processes of money and data going in and money and data going out.”

Leveraging password managers can be a worthwhile component in lowering organizational risk, but they require training to be implemented effectively, King said.