Recently, the San Francisco Municipal Transportation Authority (SFMTA) was attacked by cybercriminals who held its computerized systems for ransom. These “ransomware” attacks are quick, efficient, and financially lucrative for the attackers. SFMTA recovered by restoring from backups and executing its incident response plan, but not before providing a weekend of “free rides”. SFMTA could not process payments, spent significant resources responding, and suffered a financial impact that far exceeded the original ransom amount.
After the attack, forensic analysis indicated that systems holding financial data had not been compromised, and that SFMTA was, at the time of the attack, compliant in protecting that data. Stories like this are common in the record of cybersecurity breaches. An expensive and damaging breach occurs, followed by an investigation that finds the organization compliant with all relevant regulations (or at least compliant up to the point of the attack).
It’s easy to resolve this cognitive dissonance of being compliant, yet painfully vulnerable, if you think about the purpose of being compliant. Regulations and compliance are meant to protect your clients and business-to-business partners, not your own assets and continuity of business.
Compliance does not cover the unique elements of your business that are critical to you continuing operations (to say nothing of being profitable). You may fully meet regulations and compliance requirements, yet be unable to process orders or provide service. You may be compliant and unable to compete due to the theft of your intellectual property. You may be compliant all the way out of business.
Security must go beyond compliance and regulation, towards a posture that protects the entirety of the organization. While it is tempting, with limited resources, to stop at the bare minimum of compliance, security testing and defense limited to that scope is doomed to be dangerously incomplete. Real attackers will find vulnerabilities and conduct attacks across the entirety of your network. To be successful, security testing must involve offense-oriented testing of the entire scope of your network.
Falling victim in the coming year will be much more expensive than it has been in the past. In future columns, I’ll dive into more detail on these trends. Until then, implement comprehensive testing to prevent you and your business from being the “compliant” victim.
» Dr. Wesley McGrew is the Director of Cyber Operations at HORNE Cyber. Understanding that businesses are under constant cyberattack, and simultaneously held ultimately responsible for their own victimization, Wes stepped away from academic research in order to develop talent and services that help organizations improve their resilience. He has made a career out of studying attacker techniques and applying them in offense-oriented services like penetration testing that identify vulnerabilities before they are successfully exploited by real criminals.