Why cyber-security is not effectively practised in (European) companies and organizations
Most European companies have not taken cyber-security seriously in recent years and are now getting a wake-up call from the EU, and not without reason: a penalty of 4% of global turnover is finally something to think about.
I see this as a long overdue “shot across the bow”, because whichever market study I look at, it concludes that around 60% of companies are underperforming. The question is: why?
For SMEs, security is expected to cost nothing; skilled staff either cannot be found or are simply outside the usual salary range.
Large companies are too slow to establish an effective cyber-security strategy because their decision-making takes too long.
Multinationals (corporations) tend to outsource cyber-security, at least to maintain the status quo and to pass on responsibility (and the blame).
Please don't misunderstand me: I know pretty much all the arguments, and they are quite acceptable from a commercial point of view. Your only problem is that the attacker does not care in the least about your problems. He can change his strategy at lightning speed and use new attack vectors while you are still trying to convince management or procurement. Therefore:
SMEs need to invest: recruit and/or train the right people, or hand security over to professional providers in the right price range.
Being slow, whatever the company size, plays straight into the attackers' hands; the agility of the IT security department (whether in-house or external) should be the focus.
Outsourcing security can also have a negative impact on larger companies, especially if IT services have already been outsourced. In most cases one service provider does not trust the other, which often leads to unnecessary friction and delay in clarifying and remediating incidents.
But how can you act faster, or at least with the least possible delay, to counter the attacker? The solution is quite simple: you have to make your previously static defence dynamic.
How does it work?
If you are the CISO, the CSO, the person responsible for IT security, or the Chief Executive Officer, I would like to reassign you to the role of Defence Minister for the time being:
You are in a cyber war (this is a fact).
Your defence concept is static: perimeter security (the state borders), radar surveillance (the SIEM), a security manager with limited authority, and a security department that cannot operate without restriction, since it is not allowed to engage in reconnaissance.
Your attackers act asymmetrically and dynamically. You have a relatively large and costly apparatus that puts all its effort into analysis and defence, but the sheer volume of security events makes your defence fail, or it must fail, because every uninteresting scan of the external perimeter (e.g. by a 14-year-old would-be hacker in Asia) ties up resources.
A note on asymmetric warfare: the best-equipped armies of this world were completely surprised that, with all their logistics, weapons, fighters and centuries of experience, they had in part to surrender to a few aggressive, highly motivated extremists and suffered loss of life.
You are in the same predicament. You will not have to suffer loss of life, but you will suffer the loss of digital assets (information, production processes, patents, customer data, etc.) or even the paralysis of your operational capability by ransomware, sabotage software, etc.
Your attacker, on the other hand, whether an individual or an external organisation, can either act with minimal resources (the darknet offers the right tools, with support and a function guarantee, for less than 100 €) or draw on practically endless government-backed resources. External organisations, mostly initiated and promoted by government agencies, have a wealth of attack methods that make James Bond look pale.
That means you must fundamentally change your defence strategy from symmetric/static to asymmetric/dynamic.
I will present this change in one of my next blog posts. It is easier than you think, saves money and is highly effective. But where there is a lot of “light” there is also a lot of “shadow”, so your first and foremost task is to fundamentally change the way the security department thinks.
Let me close this blog entry with the following example:
Presumably you own property in the form of a house. Typically in Germany, it is fenced, with at least one entrance in the fence. In your house is a safe holding your company shares, your wife's jewelry and identity papers. Your security strategy, as implemented in your company but transferred here to your house, looks like this:
• You question people who pass by your property and enter them into a list (a log file).
• All cameras are directed at the external perimeter.
• Consider that your policies may miss the point: a person dressed in yellow may enter the property during daylight hours, but persons in dark clothing, especially in small groups at night, constitute an anomaly.
• The 3 m ladder next to the garage is secured with a bike lock that cost € 8.89. (Analogy: social networks, but more on that later.)
• Internal perimeters do not exist, i.e. there are only a few doors on the way to the safe, and they are not locked anyway (since they are inside the house).
How would you better protect your home? Think about the strategy of “Defense in Depth”, which by definition strengthens the protective mechanisms the closer one gets to the crown jewels (the safe), and aligns the monitoring mechanisms inward.
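The house example maps directly onto how a security team triages events. The following is an added example, not code from the original post: a small Python scorer over a constructed visitor log that weights each event by how close it is to the safe (the crown jewels), doubles it for unexpected presence, doubles it again for the “small group at night” anomaly, and collapses repeated perimeter noise from the same source so that the 14-year-old's scans cost one look rather than hundreds. The zone names, weights, log format and sample lines are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Weight grows as an event gets closer to the crown jewels (the safe in the
# house example). Zone names and weights are assumptions for this example.
ZONE_WEIGHT: Dict[str, int] = {"perimeter": 1, "yard": 2, "house": 4, "vault": 8}


@dataclass
class Event:
    ts: datetime
    zone: str
    actor: str
    group_size: int
    authorized: bool


def parse_event(line: str) -> Event:
    """Parse one constructed log line of the (assumed) form
    '<ISO timestamp> zone=<zone> actor=<id> group=<n> auth=<yes|no>'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    zone = kv["zone"]
    if zone not in ZONE_WEIGHT:
        raise ValueError(f"unknown zone {zone!r}")
    return Event(
        ts=datetime.fromisoformat(ts_text),
        zone=zone,
        actor=kv["actor"],
        group_size=int(kv["group"]),
        authorized=kv["auth"] == "yes",
    )


def is_night(ts: datetime) -> bool:
    """Night is 22:00 to 06:00 in this example."""
    return ts.hour >= 22 or ts.hour < 6


def score(ev: Event) -> int:
    """Urgency of an event: higher means look at it sooner."""
    s = ZONE_WEIGHT[ev.zone]
    if not ev.authorized:
        s *= 2  # unexpected presence
    if is_night(ev.ts) and ev.group_size > 1:
        s *= 2  # the 'small group at night' anomaly from the house example
    return s


def triage(lines: List[str], capacity: int) -> List[Event]:
    """Return the events an analyst team of limited capacity should look at
    first: one entry per (actor, zone) pair, ordered by score, highest first.
    Repeated perimeter noise from one actor collapses to a single entry."""
    best: Dict[Tuple[str, str], Event] = {}
    for line in lines:
        ev = parse_event(line)
        key = (ev.actor, ev.zone)
        if key not in best or score(ev) > score(best[key]):
            best[key] = ev
    ranked = sorted(best.values(), key=lambda e: (-score(e), e.ts))
    return ranked[:capacity]


# Constructed sample log for this example.
SAMPLE_LOG = [
    # a noisy scanner at the fence by day (three hits from the same source)
    "2024-03-01T10:00:00 zone=perimeter actor=scanner-1 group=1 auth=no",
    "2024-03-01T10:00:05 zone=perimeter actor=scanner-1 group=1 auth=no",
    "2024-03-01T10:00:10 zone=perimeter actor=scanner-1 group=1 auth=no",
    # a known gardener in the yard by day
    "2024-03-01T11:30:00 zone=yard actor=gardener group=1 auth=yes",
    # an authorised person opening the safe by day
    "2024-03-01T14:00:00 zone=vault actor=cfo group=1 auth=yes",
    # an unknown small group inside the house at night
    "2024-03-02T02:15:00 zone=house actor=unknown-7 group=3 auth=no",
]


if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG, capacity=3):
        print(score(ev), ev.zone, ev.actor, ev.ts.isoformat())
```

Running the file prints the ranking: the night-time group inside the house comes first, the legitimate but sensitive safe access second, and the perimeter scanner last, after its three log lines have been collapsed to one. The point is the direction of the weighting: the same kind of event scores higher the closer it is to the safe, which is what aligning monitoring inward means in practice.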