What keeps you up at night?

By Tom Wojcinski, Director in Wipfli’s cybersecurity practice

That’s a question I usually ask at the start of a new engagement after we’ve discussed project objectives and the outcomes we need to achieve. It’s one of the ways I circle back and make sure we didn’t miss any major issues.

Someone recently asked what about cybersecurity keeps me up at night. For me, it’s the unknown. Or more specifically, thinking about the things we might not know for certain and considering whether we’ve done enough to be prepared. What I thought was a straightforward answer, turns out to have a lot of subtext to it.

I don’t know the zero day exploits that nation states have collected and developed exploits for. But that’s well outside my control, so I don’t lose too much sleep about that. There are other unknowns about cybersecurity effectiveness that we can control for. Those are the areas where I wonder whether we’ve anticipated enough, prepared enough to prevent, done enough to detect anomalies in a timely manner and built the response capabilities to deal with unknowns that rapidly become known during a cybersecurity incident.

Here are some of the biggest cybersecurity things keeping me up at night.

Visibility to threats inside the network

Are our endpoint detection mechanisms and security monitoring functioning as intended? Can we detect malicious activity in our network in a timely manner and invoke the right response? Smart money assumes compromises are inevitable. … Will we be able to detect it 200 seconds after it happens or 200 days? Can we catch it quick enough to prevent it from becoming a full-blown breach?

With the pace of vulnerability identification and exploit development, it’s difficult to keep defenses current and know for certain that we can thwart all attacks. That’s why it’s important to regularly test our processes and tools to make sure that we can prevent or detect of-the-moment attack techniques.

I don’t think we can put enough emphasis on the detect capability. We’ve got to assume preventive controls will fail so we need to make sure our detective processes are properly tuned and have complete visibility across all devices and network segments in order identify malicious, unauthorized activity.

Anticipating what users will do

Let’s face it, users are often the weakest link in the security chain. Hopefully, it’s not from malicious intent, but users will always work to circumvent cybersecurity policy. Have we anticipated the workflow shortcuts and digital workarounds users will implement, in effect creating rouge IT systems? Do our users have easily guessed or reused passwords? Are we able to quickly detect these deviations from policy and make sure our security posture isn’t weakened?

There’s more that users will do. They click links and they post on social media. We don’t know when our users will be targeted and fall victim to a spearphishing attack. We work hard to train our users to recognize and defend against those attacks. Even with great training, there’s a risk that users will still get tricked and inadvertently divulge credentials or install malware.

We don’t know when it will happen but need to anticipate that it will. We need to make sure our organizational cultures allow and incentivize users to be vigilant and empower them to challenge authority and slow things down when something smells phishy.

As for social media. … We don’t know what users will post on personal social media accounts that could be used to further a social engineering attack against them and our organizations. Even legitimate commercial posts to social media can divulge breadcrumbs that attackers will combine to build organizational and individual profiles to use as part of an attack. While we don’t know what they’ll post, our training programs need to extend to the social domain and make sure we’re educating users about the security risks they might be increasing.

Understanding who has our data

We’ve usually got a good handle on our key vendors and business partners. Many organizations even evaluate cybersecurity controls (through SOC reports or other security certification) at their vendors. Our business partners and service providers have their own vendors and service providers. Have we identified all of them and understand where our data goes on a second or third order hop downstream? What about their cybersecurity controls? Do they meet our expectations? If not, how long would it take for us to identify any deviations?               

This isn’t a groundbreaking technical concept, it just requires a lot of patience and effort to work through the full vendor supply chain. New industry concepts like the Department of Defense’s Cybersecurity Maturity Model Certification requirement and the AICPA’s SOC for Cybersecurity and SOC for Supply Chain are helping set standards and increase transparency throughout the ecosystem. We need to make sure we’re applying standards and practices like these to understand and limit our exposure to cybersecurity risks downstream from us – and therefore outside our direct control.

Incident response processes

A colleague of mine always uses the phrase “Practice makes proficient.” I like that a lot. Our incident response processes will never be perfect. But if we don’t practice them, we don’t know what doesn’t work right. When we think about being a resilient enterprise, it’s important that we test our incident response process.

We need to make sure we have the log data to support an investigation, we need to know that log data hasn’t been tampered, we need to know who to call for technical support, we need to know any legal response requirements, we need to know people know how to do the analysis in an emergency situation.

If we don’t know we can respond appropriately, we need to practice.

Getting back to sleep

At the end of the day, we need to make sure we’re comfortable that we’ve anticipated enough, prepared enough to prevent, done enough to detect anomalies in a timely manner and built the response capabilities to deal with cybersecurity unknowns. For me, this centers on:

  • Making sure our detective tools function as intended
  • Educating our users to (hopefully) not increase cyber risks
  • Understanding how our data is secured when managed by others
  • Practicing response process that meets our resilience objectives

By regularly assessing those areas, we can build a greater understanding of how our controls perform and how we’re managing cyber risk. Understanding those resolves the unknowns and helps me sleep better at night.