Have you ever received the following in your email inbox?
Subject: Request Investment Assistance
“Dear Sir, I request assistance to invest in companies like yours. I would like to do a careful and comprehensive analysis of your company. Without wasting your valuable time, let me introduce myself. I am Juliet Raphael and I am heir to a large sum of money…”
How many of these “phishing” attacks do we receive each day? A cursory look into one’s junk mailbox will likely find dozens of emails like the above. This introduction will help me explain just how vulnerable most companies are to the inevitable cyber attack…
Cyber attacks—one click can bring your system down
While most cyber attacks are ineffective, it only takes one careless click to make an entire network domain vulnerable. If your company has 3,000 employees, each individual represents a potential point-of-failure in your cyber security scheme. So, if it takes only one careless click from one employee, your firewall means nothing.
Cyber crime—everyone is doing it
What’s worse is the low barrier of entry to the cybercrime world. Organized criminals, state-sponsored hackers, terrorists—you name it, they likely have a cyber-group mounting daily attacks.
We worry about large players like North Korea and China, but hackers are everywhere. Want to get a feel of what this looks like in real-time? Take a look at Norse’s live cyber-attack map and see for yourself.
So, if it only takes one click and cyber attackers are everywhere, how can your company be protected?
How to Combat Cyber Attacks in 3 Steps
1. Train in the domain
Realize that all companies should invest in preparing for the inevitable successful cyber-attack. As we move deeper into the 21st century, we need more sophisticated methods to train and prepare in this new domain of open warfare.
Rob Sloan is a cyber-thought leader and Head of Cyber Content and Data at Dow Jones Risk and Compliance. He says, “The day of the ball is not the time to learn how to dance; organizations must be prepared for incidents before they happen.”
In his article, Cyber Attack Incident Response Readiness, he lays out useful steps every company should take to prepare, which include user training and exercises using simulated attacks.
2. Train your users because we are in the new Cold War
In the old days of Spy vs. Spy, an agent would groom a prospective spy by exploiting the skeletons in the closet of the potential spy. Issues like bankruptcy, gambling, and adultery could all be fodder leveraged to turn the candidate into a spy. Background screening programs were designed to find these skeletons and prevent espionage.
In the paper-based office of the past, information security programs focused on document controls such as classification schemes, compartmentalization, access, and methodical destruction procedures to control potential information leaks. To be a spy, you had to somehow transport these documents out of the container. Not anymore. Today, even the most morally upright employee is a potential “spy.”
How many of us have had the experience of a dog or cat rushing the door in order to get outside? Cyber breaches are much like that. An errant click by an upstanding employee who has been socially engineered to ‘click’ opens a crack in the door that exposes the domain to the hacker. The key to cracking the door is that the hacker knows just enough personal information about the target to make the ‘click’ believable.
To improve employee awareness, a company should have a robust and ongoing information assurance training program. Employees should be constantly trained in the latest schemes of social engineering and learn to differentiate a threat from a legitimate communication.
3. Realize that computer-aided simulations are your best defense against cyber attacks
a. You can build in all your risk factors.
Most company cyber strategies are overly focused on building higher walls. This strategy is based on the success of a virus or a worm that somehow scales the wall and penetrates the network of its own volition. While these types of attacks continue, they do not represent the entire risk picture. But in the game-like environment of a computer-aided simulation you can build in your network and all of its associated risk factors.
b. Simulations are comprehensive, easily repeatable, and inexpensive.
Cyber departments should build composite risk pictures of their organizations. A composite risk picture takes into account information retention policies, the architectural soundness of information systems, the individual cyber-competence of personnel, and other factors. Then the risk can be overlaid on systems that have cyber-dependencies to identify gaps based on attack scenarios. Because the system is built in a virtual environment, the scenarios can be run frequently, inexpensively, and in a venue designed for teams to fail safely.
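As an added illustration, not the author's or any vendor's tool, of the composite risk picture just described and of the "3,000 employees, one careless click" arithmetic earlier in the post: a toy Python model that overlays assumed risk factors (per-user click rate, each system's architectural soundness) on a constructed dependency graph and runs the phishing scenario many times to surface the gaps. Every system name and factor value here is an assumption, not data from the post.

```python
import random
from dataclasses import dataclass, field

@dataclass
class System:
    name: str
    soundness: float = 1.0     # assumed factor: P(an attack does NOT traverse into this system)
    users: int = 0             # staff with direct access, i.e. phishing entry points
    click_rate: float = 0.0    # assumed factor: per-user probability of a careless click
    depends_on: list = field(default_factory=list)  # systems that can reach this one

def click_probability(n_users: int, per_user_rate: float) -> float:
    """P(at least one of n independent users clicks) = 1 - (1 - p)^n."""
    return 1.0 - (1.0 - per_user_rate) ** n_users

# Constructed sample network (not a real organisation): 3,000 workstation users feed a file share.
SAMPLE = [
    System("workstations", users=3000, click_rate=0.001),
    System("file_share", soundness=0.30, depends_on=["workstations"]),
    System("hr_records", soundness=0.60, depends_on=["file_share"]),
    System("backup", soundness=0.95, depends_on=["file_share"]),
]

def simulate(systems: list, trials: int = 10000, seed: int = 1) -> dict:
    """Monte Carlo phishing scenario: fraction of trials in which each system is compromised."""
    rng = random.Random(seed)
    hits = {s.name: 0 for s in systems}
    for _ in range(trials):
        # Entry point: a system with users is breached if at least one of them clicks.
        compromised = {s.name for s in systems
                       if s.users and rng.random() < click_probability(s.users, s.click_rate)}
        tried = set()
        changed = True
        while changed:  # propagate along dependency edges until nothing new falls
            changed = False
            for s in systems:
                if s.name in compromised or s.name in tried:
                    continue
                if any(d in compromised for d in s.depends_on):
                    tried.add(s.name)  # one soundness check per system per trial
                    if rng.random() > s.soundness:
                        compromised.add(s.name)
                        changed = True
        for name in compromised:
            hits[name] += 1
    return {name: count / trials for name, count in hits.items()}

def gaps(risk: dict, threshold: float = 0.25) -> list:
    """Systems compromised in at least `threshold` of trials: the gaps to close first."""
    return sorted(name for name, p in risk.items() if p >= threshold)
```

Running `gaps(simulate(SAMPLE))` on the sample shows the entry point and the file share falling in most trials while the well-isolated backup rarely does, which is the kind of ranking a composite risk picture is meant to produce.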
c. Simulations effectively represent your entire network.
According to Justin Lyon, CEO of a simulations company based in the UK, an organization’s network can be effectively built within a simulated environment. Then system dynamics, agent-based modeling, and discrete event modeling can be combined with data from behavioral monitoring and other system anomaly detection schemes to test the client’s system in the virtual environment. There is a significant effort to set up and verify the performance of the virtual system. Ultimately, learning and retention are enhanced because the simulation can be run over and over, providing nearly unlimited test combinations and situations.
Want to learn how to combat cyber attacks? Realize it’s time to game up!
In earlier posts I discussed the vital role of play in establishing collaborative learning environments. Computer-aided simulations effectively create a play environment where practitioners can respond to scenarios and formulate strategies to combat cyber-attacks.
Rarely has a defensive campaign been successful without some form of preparation in which the complexities of the problem are unfolded. Whether improving the judgement of individuals to prevent phishing, or understanding how risks will combine in novel ways, computer-aided simulations offer a safe place to play, and possibly the best way to protect your organization from the pervasive cyber-threat.
Latest posts by James Rollins