The biggest mistake infosec leaders make is putting too many resources into regulatory compliance and preventing cyber attacks, says a Cisco Systems official.
“Most companies don’t prioritize” their work, Carey Spearman, a senior security consultant at Cisco, told the Toronto Cybersecurity Conference on Tuesday.
Worse, he said, “they don’t think like a hacker. A lot of attackers, be they organized crime or nation states, are very organized, very methodical. If you research, you find they work in groups that specialize, they have all the tools you have.
“If you patch all your vulnerabilities, they will find the next vulnerability.”
He also suggested sometimes IT security teams are their own worst enemy.
“There are definitely common things in all attacks,” he said. “For example, in ransomware we see there are always a series of low or medium alerts that get ignored. Usually by the time there is a critical alert you have 15, maybe 30 minutes to take some kind of action before your systems start locking up. That’s just not enough time to react.”
What’s sad, he added, is that today there are great intrusion detection tools, but often their signals get ignored.
By failing to think like a hacker, infosec pros miss the fact that attackers tailor their work so it will trigger low level alerts, Spearman said. “We need to find ways to focus on that.”
It’s more important than ever to have that attacker mindset, he added, because the average attacker dwell time can be as short as four days.
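The pattern Spearman describes, a run of low and medium alerts on one host that nobody correlates until the critical alert arrives, is something a detection team can code against. The following is an added example, not code from Cisco or from the conference: a small correlation rule that keeps a sliding window of low/medium alerts per host and escalates when the window holds enough alerts from enough distinct rules. The alert records and the rule names are constructed for illustration, and the window and thresholds are assumptions a team would tune against its own alert volume.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry): (timestamp, host, severity, rule).
# ws-17 accumulates a chain of different low/medium alerts over a morning and is
# only hit by a critical alert hours later; ws-42 is noisy but fires a single rule.
SAMPLE_ALERTS = [
    ("2024-03-03T07:00:00", "ws-17", "low",      "encoded-powershell-commandline"),  # >24h old
    ("2024-03-04T08:02:11", "ws-17", "low",      "office-macro-spawned-powershell"),
    ("2024-03-04T08:05:40", "ws-17", "low",      "encoded-powershell-commandline"),
    ("2024-03-04T09:31:05", "ws-17", "medium",   "lsass-handle-opened"),
    ("2024-03-04T11:14:52", "ws-17", "medium",   "smb-lateral-logon-burst"),
    ("2024-03-04T12:03:19", "ws-17", "low",      "volume-shadow-copy-enumerated"),
    ("2024-03-04T13:40:00", "ws-17", "critical", "mass-file-rename"),
    ("2024-03-04T08:10:00", "ws-42", "low",      "encoded-powershell-commandline"),
    ("2024-03-04T08:11:00", "ws-42", "low",      "encoded-powershell-commandline"),
    ("2024-03-04T08:12:00", "ws-42", "low",      "encoded-powershell-commandline"),
    ("2024-03-04T08:13:00", "ws-42", "low",      "encoded-powershell-commandline"),
    ("2024-03-04T08:14:00", "ws-42", "low",      "encoded-powershell-commandline"),
]

LOW_SEVERITIES = ("low", "medium")


def parse(alerts):
    """Turn the string records into (datetime, host, severity, rule) tuples, oldest first."""
    return sorted((datetime.fromisoformat(ts), host, sev, rule) for ts, host, sev, rule in alerts)


def escalate(alerts, window=timedelta(hours=24), min_alerts=4, min_distinct_rules=3):
    """Sliding-window correlation of low/medium alerts per host.

    A host is escalated (once) the first time its window holds at least
    `min_alerts` low/medium alerts spanning at least `min_distinct_rules`
    different rules. Requiring distinct rules is what separates a methodical
    attacker touching several stages from a single noisy rule re-firing.
    Returns [(host, escalation_time_iso, sorted_rule_names)], in time order.
    Window and thresholds are assumed values, not a vendor recommendation.
    """
    by_host = defaultdict(deque)
    flagged = set()
    escalations = []
    for ts, host, sev, rule in parse(alerts):
        if sev not in LOW_SEVERITIES:
            continue  # critical alerts are handled by their own path
        q = by_host[host]
        q.append((ts, rule))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop alerts that have aged out of the window
        rules = {r for _, r in q}
        if host not in flagged and len(q) >= min_alerts and len(rules) >= min_distinct_rules:
            flagged.add(host)
            escalations.append((host, ts.isoformat(), sorted(rules)))
    return escalations


def lead_time(alerts, escalations):
    """How much earlier the correlation fired than the host's first critical alert.

    Returns {host: timedelta} for hosts that were escalated and later had a
    critical alert; a positive value is the reaction time the correlation bought.
    """
    first_critical = {}
    for ts, host, sev, _ in parse(alerts):
        if sev == "critical" and host not in first_critical:
            first_critical[host] = ts
    return {
        host: first_critical[host] - datetime.fromisoformat(when)
        for host, when, _ in escalations
        if host in first_critical
    }


if __name__ == "__main__":
    found = escalate(SAMPLE_ALERTS)
    for host, when, rules in found:
        print(f"{when} escalate {host}: {', '.join(rules)}")
    for host, delta in lead_time(SAMPLE_ALERTS, found).items():
        print(f"{host}: correlation fired {delta} before the critical alert")
```

On the constructed data the correlation fires on ws-17 at 11:14:52, a little over two hours before the 13:40 critical alert, which is the difference between the 15 to 30 minutes Spearman describes and a window in which a host can actually be isolated. ws-42 never escalates because all of its alerts come from one rule; lowering `min_distinct_rules` to 1 shows how much noise a pure count threshold would admit.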
Spearman was part of a conference panel on strategies for protecting against cyber attacks.
When the discussion turned to whether organizations should refuse to pay ransomware gangs, Lorne Oickle, senior sales engineer at backup and recovery provider Cohesity, argued those who pay aren’t confident they can restore their data from an unencrypted source.
He got support from Kevin Cole, director of technical training at Zerto, a Hewlett-Packard Enterprise cloud data management provider. Many companies think they can recover data from a backup solution, but when they have to do it, “something happens,” he said. Data recovery procedures have to be regularly tested, and IT pros also have to make sure data recovery time is as short as possible.
Organizations also have to make sure backed up data can’t be reached by attackers, he added.
What IT wants to do is minimize data loss and downtime, he said. “If you can get those two together, you have a really good shot at resuming operations with less impact than you would otherwise.”
Jade Perron, cybersecurity strategist at Mimecast, stressed the importance of security awareness training for employees. Regularly refreshing presentation content is important, he added.
He also said organizations should make better use of machine learning to help give contextual warnings to employees about potential attacks and malware.
Spearman added a somber note by saying too many executives still believe cybersecurity is strictly an IT department’s responsibility.
“I was in a [cybersecurity] meeting one time with the CEO of a company with about 200,000 employees. After about a half hour he stood up and said, ‘I don’t know why I’m here. This is why I hired all you people,’ and he walked out.”
It’s important, he said, that infosec pros show the C-suite that cybersecurity is valuable. There are lots of companies, he added, that will help prove there’s good return on investment in cybersecurity.