Who does Cybersecurity affect?
First 6 Laws of Cyber Karma
It seems the world is abuzz with greater levels of concern over where, how, and when the next movie-inspired attack is likely to impact our businesses, our homes, and our lives. Some might even consider it some form of “virtual karma” for our collective efforts to automate practically every aspect of our lives.
I recently researched “Karma” to see how this often-misunderstood word trends, where it comes from, and whether there might be a tie between what it represents and efforts relating to cybersecurity. I was surprised at how easily the parallels fell into place…
The word “Karma” has a 3,500-year-old history, in what is now India. The word represents “the sum of a person’s actions in this and all previous existences” and is aligned with the outcome (“consequence”) of an action.
Conversely, karma is not about blending “Fate” or “Chance” with a dash of “Intent” and waiting for the outcome. It’s the energy that results from a series of actions, rather than a roll of the dice or some form of quid-pro-quo.
“Why is Cybersecurity important?”
In a recent “Cybersecurity Crime Study” report, the Ponemon Institute noted a 26-percent net increase in the cost of cybersecurity investments over the previous year’s budgets. The international assessment of more than 300 companies (and 561 individual interviews) yields three important takeaways for business owners:
- Exploits are expensive.
With a range of between $1.3 million and $58 million per event, the cost of cybercrime continues to be a point of Board-level interest (and budgeting concern). Cybercrime Magazine reported that cybercrime damages are predicted to reach somewhere around $10.5 trillion globally by 2025.
- Persistence Equals Success.
On average, the organizations in the study experienced 122 successful attacks each week! (That figure may sound alarming, but in a discussion with a former CISO of a major port city on the West Coast, he said he saw an average of more than a million attacks per day, mostly from foreign states.) The most common form of intrusion came from phishing efforts.
- Same Security Problems, Different Decade.
Back in the late 1990s and early 2000s we saw the birth of a whole family of attack types, including Denial of Service (“Distributed” or otherwise), as well as new levels of malicious insider-based attacks, malware, and web-based attacks. Ransomware is now the favorite format for state-funded hackers and independent agents alike.
So, looking at karma through the lens of cybersecurity, risk management, and infrastructure security, we might apply the same near-Eastern tenets to how we look at defending the grids, the banks, the records—the Homeland in general. And as more of the workforce is shifting to working from home, cybersecurity karma may become far more personal as we consider the risks in the living rooms equal to those in the boardrooms.
With “Karma,” there are 12 laws defined, but in an era in which we have reduced our reality into 30-second TikTok clips, here is Guidacent’s “First 6 Laws of Cyber Karma” (with the other six to follow).
1. The Great Law (of Cyber)
“Whatever [gadgets/controls/policies] we put into the universe [read: “System”], will come back to us.”
Simply stated: organizations have to invest in the proper security tools if they are going to see a result in reducing the risk of a compromise, and those controls must be governed by processes that maintain an even course for understanding, identifying, responding to, and remediating risks.
2. The Law of Creation
“Life does not happen by itself. We need to make it happen.”
Surrounding our infrastructure with the appropriate balance of tools, processes, and controls means understanding our operational risks as we pursue our business objectives. Creating a defensive posture is an end-result of thinking about the risks we face and preparing on three fronts: keeping our staff informed, following consistent processes, and managing the systems we have in place (including keeping them updated).
The debate should not be over “which cybersecurity framework to use,” but rather, “do we recognize a cybersecurity framework at all?” And the answer is—pick something and do it quickly!
3. The Law of Humility
“One must accept something in order to change it.”
The ancient philosopher Heraclitus noted, “Change is the only constant in life.” Modern-day IT managers and system engineers would say that a business infrastructure (along with its threat surface) is somewhat fluid by design as well, which means it cannot remain static or stationary where Risk Management is concerned. Remaining adaptable and responsive in a constantly shifting operational landscape requires organizations (and their leaders) to always be looking under the covers and over their shoulders, answering another important question: “Am I doing enough to protect my business?”
It’s okay to ask for help. We go to health care providers when we aren’t well, general contractors when it’s time to build something, and mechanics when our automobiles need servicing. It might be a good idea to let those who spend their time focusing on cybersecurity problem-solving help us address the issue, because “we don’t know what we don’t know.”
4. The Law of Growth
“When we change ourselves, our lives follow suit and change as well.”
Another one of those social science axioms: “we’re either growing or we’re dying.” To grow something often requires three basic ingredients: a compatible environment, proper nutrients, and time. And while business infrastructures may not require a lot in the way of nutrition, they do require review, timely updates, revisions, and continuous monitoring to ensure they function (and grow) with the businesses for which they are designed.
Unfortunately, the Law of Growth also works in the case of a cybersecurity event: if you discover something in the system that doesn’t seem to be functioning as expected, that behavior may signal a negative impact on your system (referred to as an Indicator of Compromise), and if it remains unattended, ignored, or overlooked, it is likely to grow into something unmanageable with long-term consequences (“hello, SolarWinds?”).
5. The Law of Responsibility
“We must take responsibility for the environments and circumstances in which we find ourselves.”
When at sea and a storm comes up, there’s something every sailor learns very quickly: it doesn’t matter which end of the boat the hole is in—the consequences will affect everyone.
Same thing applies when asking the question regarding cybersecurity, “Who owns the problem?” The simple answer: Everybody in the organization. And while most businesses equate better cybersecurity with a tool, an application, or some addition to their system configuration, establishing a comprehensive understanding of what cybersecurity issues are and how they may impact an organization, and the processes needed to address and prevent them, is mission-critical to the lifecycle of any business.
Since most cybersecurity incidents originate through human error, establishing sound cybersecurity processes, policies and guidelines can mean the difference in keeping your business operations floating despite any type of storm (or leak!).
6. The Law of Connection (Connectivity)
“The past, present and future are all connected.”
The idea that humans can simply unlearn something is not a reasonable approach to corrective behavior. The same applies in cybersecurity: if an organization “has always done it this way,” the chances of it falling prey to a cyberattack become elevated. Why? Because “the way we have always done it” tends to produce a course of action that becomes predictable (and therefore easy to assess, probe for vulnerabilities, and exploit).
Likewise, an organization that is mindful of where its systems are connected and with whom it does business, and equally mindful of how it handles access control, network segmentation, and ongoing network monitoring, will reduce the risk of a compromise and of the business losses that follow from dangerous issues like denial of service, ransomware, and phishing.
Key Takeaways
In cybersecurity, three key issues comprise the “Security Mantra”: People, Processes, and Controls. These three elements are essential when establishing a cybersecurity posture. Good cybersecurity karma comes as a result of constant consideration of risk, and of what it takes to make sure everyone is kept informed, prepared, and aware of what has to be done when bad things happen.
Our Cybersecurity Services range from Cybersecurity Assessment Services to, if your business needs advisory services, Cybersecurity Professional Services with consulting on demand.