Cybersecurity. We hear about it every day. Businesses know that cybersecurity threats from organized crime and foreign governments are a pervasive concern. It is also clear that these threats are constantly evolving and changing. The WannaCry ransomware attack was a 2017 worldwide cyberattack that targeted computers running Microsoft Windows and demanded ransom payments in the Bitcoin cryptocurrency. It propagated through EternalBlue, an exploit against a vulnerability in older Windows systems that had been made public a few months before the attack.
It should be noted that all of this was preventable. Microsoft had previously released patches that closed the vulnerability this exploit used. WannaCry spread through organizations that had not applied those patches, or that in some cases were running outdated Windows versions beyond the end-of-life dates defined by Microsoft. The attack was stopped after a few days as Microsoft released emergency patches that prevented the further spread of the ransomware. Estimates vary, but the attack is thought to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars.
KISS and the 80/20 Rule
KISS is an acronym for "keep it simple, stupid" as a design principle, or a general approach to solving problems. The KISS principle states that most things work best if they are kept simple rather than made complicated. Specifically, the goal should be to avoid making things harder.
It is easy to make things complicated in cybersecurity. While well intentioned, more tools do not necessarily address root causes. Let’s stop for a moment and consider a simple question: What might be the top root cause of cybersecurity issues?
The answer may be simpler and more direct than you think: Approximately 70% of successful cyberattacks exploit known vulnerabilities in systems where readily available patches have not been applied. In addition, in many organizations patching is not a priority. It becomes the extra work that the infrastructure team performs after hours, on top of its other responsibilities. When it does happen, it may be done in a haphazard way, without a prioritized analysis of the ever-changing set of available patches.
Certainly, in many organizations patching work takes a backseat in terms of funding and prioritization until the bright light of an outage such as WannaCry occurs. We need a more proactive approach to patching. At Genesis10, we have worked with small and very large companies to build their cybersecurity and patching programs. The simplest and most effective thing to do is to apply the known patches and follow a disciplined approach to keep all systems current. Staying current requires discipline, process and investment from each organization. This is a cost of doing business in today’s dense and ever-evolving cyberthreat environment.
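The "prioritized analysis" of pending patches described above can be made concrete with a small ranking routine. The following is an added example written for this post, not Genesis10 code or a vendor tool: it scores each missing patch on a host by severity, how long the fix has been available, whether a public exploit exists, and whether the host is internet-facing, and it separates out hosts that are past vendor end-of-life, since those have no patch to apply and need an upgrade or isolation decision instead. The patch identifiers, host names, dates and scoring weights are all constructed for illustration.

```python
"""Rank pending patch work across a host inventory (illustrative example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Patch:
    patch_id: str      # vendor identifier; values below are hypothetical
    cvss: float        # CVSS base score, 0.0 - 10.0
    released: date     # date the vendor published the fix
    exploited: bool    # public exploit code or known in-the-wild exploitation


@dataclass
class Host:
    name: str
    os: str
    internet_facing: bool
    end_of_life: Optional[date]   # vendor support end date; None if supported
    missing: List[Patch]          # patches not yet applied to this host


def patch_score(patch: Patch, host: Host, today: date) -> float:
    """Higher score means fix sooner.

    severity : CVSS base score (0-10)
    age      : days since the fix shipped, capped at 90 and scaled to 0-3,
               so a fix ignored for months outranks one released yesterday
    exploit  : a known exploit doubles the score
    exposure : internet-facing hosts add 50%
    The weights are assumptions chosen for this example.
    """
    age_days = max(0, (today - patch.released).days)
    score = patch.cvss + min(age_days, 90) / 30.0
    if patch.exploited:
        score *= 2
    if host.internet_facing:
        score *= 1.5
    return round(score, 2)


def build_backlog(hosts: List[Host], today: date) -> Tuple[List[Tuple[float, str, str]], List[str]]:
    """Return (ranked patch rows, unsupported host names).

    Rows are (score, host, patch_id) sorted highest score first.
    Hosts past end-of-life get no rows: there is nothing to patch, so they
    are reported separately for an upgrade or isolation decision.
    """
    work: List[Tuple[float, str, str]] = []
    unsupported: List[str] = []
    for host in hosts:
        if host.end_of_life is not None and host.end_of_life <= today:
            unsupported.append(host.name)
            continue
        for patch in host.missing:
            work.append((patch_score(patch, host, today), host.name, patch.patch_id))
    work.sort(key=lambda row: (-row[0], row[1], row[2]))
    return work, unsupported


# Constructed sample inventory (not real patch IDs or hosts).
TODAY = date(2017, 5, 12)
P_A = Patch("PATCH-A", 8.1, date(2017, 3, 14), exploited=True)    # old, exploited
P_B = Patch("PATCH-B", 5.3, date(2017, 5, 9), exploited=False)    # new, moderate
P_C = Patch("PATCH-C", 7.5, date(2017, 1, 10), exploited=False)   # very old

HOSTS = [
    Host("web01", "Windows Server 2012 R2", True, None, [P_A, P_B]),
    Host("file01", "Windows Server 2012 R2", False, None, [P_A, P_C]),
    Host("legacy01", "Windows XP", False, date(2014, 4, 8), [P_C]),
]

if __name__ == "__main__":
    rows, eol_hosts = build_backlog(HOSTS, TODAY)
    for score, host, patch_id in rows:
        print(f"{score:6.2f}  {host:10s}  {patch_id}")
    print("end-of-life, no patch available:", ", ".join(eol_hosts))
```

The ordering the sample produces is the one a patch lead would expect: the exploited, two-month-old fix on the internet-facing host comes first, the same fix on the internal host second, the very old but unexploited fix next, and the fresh moderate patch last. The end-of-life host never appears in the patch queue at all, which mirrors the WannaCry lesson that systems past vendor support cannot be fixed by patching discipline alone.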
Beyond the Simple and Obvious
Beyond patching, there are other well-known and readily available options for improving the maturity of an organization’s cyber defenses. These include:
- Standards-based approaches. Perhaps the first opportunity for companies is to consider which well-thought-out options exist for implementing cybersecurity approaches or fine-tuning existing programs. One good option that applies to both government and commercial programs is the National Institute of Standards and Technology’s Risk Management Framework. Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” was signed in 2013.
This executive order called for the establishment of a voluntary risk-based framework consisting of industry standards and best practices to help organizations manage cybersecurity risks. The resulting framework was a collaborative effort involving both the government and the private sector. It introduced a common terminology for managing cybersecurity risk in a cost-effective way. Notably, the framework is provided without introducing additional regulatory requirements on businesses.
- Leverage talent partners and labor arbitrage. Current projections forecast extreme shortages of talent in the cybersecurity field. As an example, demand for security analysts will grow at a 28% annual rate through 2026. Given the challenges of finding cybersecurity talent and the projected shortage of these critical skills, innovative approaches may be warranted, such as building these skill sets from the ground up. For example, identifying promising new college hires and providing cybersecurity training through a dedicated training pipeline may be much more cost effective for organizations than paying high market rates.
Another option is to leverage demographic trends between markets to find cybersecurity resources. For organizations in markets with very limited cybersecurity talent, we have successfully identified and onboarded talent from other markets through dedicated national searches. Dedicated patch-management teams have the capacity to keep systems current and remediate vulnerabilities. We host these teams in our SSAE-18 certified domestic delivery centers with management oversight to address the entire patching process, from prioritization and scheduling of the patching work through execution. As organizations cycle through this process weekly, we drive process optimization and automate repetitive tasks.
- Bring the A-team. Genesis10 partners with world-class cybersecurity organizations to provide detailed planning, penetration testing and threat assessment. For organizations that need these services, we believe a thoughtful approach is necessary to foster a mature security program, minimize risk and drive business value. This approach should leverage the services of proven experts.
Genesis10 has a strategic partnership with HolistiCyber, an internationally recognized cybersecurity organization with unique strengths. These include the ability to draw on the most experienced and knowledgeable cyber experts. HolistiCyber applies a multidisciplinary and holistic approach, proprietary and advanced tools, and its unique capability to access the Darknet as it continuously monitors and adapts to an ever-changing threat environment.
Outcomes and Next Steps
What is your organization doing about the threat today? Are you current on your patching cadences or at risk? Are you leveraging standards-based approaches and labor arbitrage? Finally, are you speaking with proven experts in the field to determine how to protect your organization?
At Genesis10, we are here to help. Let us help put your organization in a proactive position of strength in facing this threat, rather than having to wait for the inevitable hack and loss of revenue and goodwill for your organization.
Also read the Genesis10 blog, Cybersecurity and Workforce Strategy--Do You Have a Plan?
Continue the conversation on cybersecurity by subscribing to the Genesis10 blog.