Wouldn’t it be wonderful if there was a way to make a single investment that would protect your company so that you never needed to think about your cybersecurity exposure ever again? I wish that I could tell you that there was. I wish that I could tell you about a magic bullet that would let you forget about cybersecurity and focus on your core business. I wish that I could tell you to buy “this product” or hire “that technical position,” and all your cybersecurity concerns would disappear.
Unfortunately, recent cybersecurity news highlights how much of a pipe dream that idea is. FireEye is a company that is in the business of helping other companies detect and defend against cyber attacks. This week they fell victim to an attack perpetrated by “highly sophisticated” actors, likely sponsored by a nation-state. FireEye reported that the attack was highly customized and specifically designed to target their systems. “This attack is different from the tens of thousands of incidents we have responded to throughout the years,” said Kevin Mandia, FireEye’s chief executive.
Admittedly, FireEye has a pretty large target on their backs. They were the firm that worked with Sony after the 2014 attack perpetrated by North Korea. Equifax, the credit monitoring service that was hacked in 2017, is one of their clients. They also consulted with the government on the 2015 Russian hacker breaches of the State Department and other American government agencies.
While it is unlikely that anyone reading this blog is on the radar of Russian, Iranian, or North Korean intelligence agencies, there is still a lesson to be learned from FireEye’s misfortune. Namely, cybersecurity is an infinite battle. The criminals never sleep, literally. They are international, they are organized, and they are innovative. FireEye is in the business of cybersecurity threat detection and defense, and the criminals still managed to subvert their protections. Those criminals were highly motivated and likely highly funded, but everything is relative.
FireEye is a $3.5 billion-dollar company that invests heavily in cybersecurity. How much do you have budgeted for cybersecurity in 2021? When is the last time you completed a penetration test? What kind of vulnerability management policies do you have in place? How often are you doing cybersecurity training for your employees? You are indeed a less flashy target, but you are also a much easier target. The criminals don’t need to invent an entirely new type of attack to infiltrate your network. The tools they need already exist, and they are easily obtainable. Even worse, there are already tools to breach defenses that you haven’t even put into place yet. The criminals targeting you are much less sophisticated than those targeting FireEye, but the defenses you have in place are almost certainly much less sophisticated as well.
This constant evolution of the threat landscape is why cybersecurity professionals view cybersecurity as a journey rather than a destination. The risks are continually evolving. Companies (and individuals) need to be prepared to evolve with them. As digital transformation increasingly occurs throughout your business, security must be a vital part of that transformation. Every company must develop an adaptive and holistic cybersecurity policy that incorporates ongoing risk assessments, training, and cyber incident insurance. Because you might not be thinking about cybersecurity, but someone else is, and they are looking for a way in.
Not sure where to start in developing your cybersecurity strategy? Contact us, and our team of experts can help guide you on your cybersecurity journey.