Why breach prevention and response strategies are both essential.
Are breaches inevitable? That simple question is dividing the technology world today.
Depending on who you talk to within the cybersecurity industry, the answer is either a simple yes or a battle cry to fight international surrender in cyberspace. But be warned: Asking this “inevitable” question is a loaded with hidden traps. Your answer will likely affect your enterprisewide cyberdefense priorities and overall security funding strategy.
First we have a sea of scary breach headlines along with consistent problems keeping sensitive data out of enemy hands. Late last year FBI Director James Comey proclaimed that Chinese hackers have invaded every major U.S. company. Comey also said the Chinese aren’t very good at covering their tracks. “Their strategy seems to be: We’ll just be everywhere all the time. And there’s no way they can stop us.”
There are also well known lines from leading technology CEOs like former Cisco head John Chambers, who said, “There are two types of companies: Those who have been hacked, and those who don’t yet know they have been hacked.”
One “security manifesto” lays out philosophical and technological arguments for why breaches are inevitable, including the way the Internet is built, problems with business partner connectivity, trouble with employee Web-surfing habits and even new technology deployments with vulnerabilities.
But it doesn’t stop there. In fact, the “not if, but when” champions make the case that your IT security dollars should be spent on incident response and network redesign, and not on breach prevention.
Rick Holland, a security and risk management analyst at Forrester Research, told the BBC that companies must redesign networks to respond faster to the inevitable breach. “This involves separating one part of the network from another in such a way that if hackers get onto the network, they only get access to the data in that segment and no more.”
But not everyone thinks breaches are inevitable. Invincea CEO Anup Ghosh told Washington news site DC Inno that breach prevention is possible, proclaiming “breach inevitability” is just marketing.
Ghosh mocked competitors: “You cannot stop the breach. So don’t even try. … To me that’s a self-serving message. What you’re really saying is, ‘Don’t invest in prevention because you’ll never stop the threat.’”
And those arguing for more investments in new technologies to stop breaches point to the National Institute of Standards and Technology (NIST) Cybersecurity Framework to make their case. The framework includes five core functions: identify, protect, detect, respond and recover.
As a Harvard Law article points out, agencies must demonstrate due care: “Organizations can potentially avoid the inevitable conclusion (or parallel accusation by a plaintiff’s attorney) that they were ‘negligent’ or ‘inattentive’ to cybersecurity best practices following disclosure of a cyberbreach.”
Back in early 2013, I was one of the first cyberpros to ask: “Are data breaches inevitable?” The context was slightly different at that time, as I was clearly placing myself in the “yes” camp. My goal was to encourage improved cyberincident response capabilities.
But the debate has evolved. Proponents of the “inevitable breaches” idea are now moving to almost throw in the towel against hackers. With Ghosh, I think this is a mistake.
Why? Consider banks, which despite knowing that robberies will happen, have numerous processes and procedures in place to stop criminals. From cameras to guards to timed vaults, banks have adapted to new threats to inhibit bank robberies, as well as respond to incidents when they do happen.
No doubt the bad guys are ahead of the good guys regarding cybercrime today. But there is still hope. Some breaches, like bank robberies, may be inevitable. Nevertheless, your local branch getting robbed is not a foregone conclusion.
Bottom line: Build your security priorities around all five NIST Cybersecurity Framework functions. “All of the above” is a third option to prepare for inevitable cyberattacks.