If we are to continue improving our response to cyber risk, we must accept that breaches will happen.
When they do, we must detect, respond and – most importantly – learn from them, writes Michiel Jonker, director: IT advisory at BDO South Africa.
While technology and skills remain key to mitigating cyber threats for modern organisations, one threat to cyber security is a uniquely human factor – it is hubris, the arrogance and pride that human beings sometimes fall prey to.
Arrogance can be our downfall in so many areas, and it is no different in the cyber-security space, where specialists can come to believe that they are in full control of their organisation’s information ecosystem. In fact, we are seldom in control.
This idea is perhaps best explained through an analogy with city traffic. Traffic infrastructure, technology and rules of the road can help us manage the road behaviour and interactions of millions of people, but people are unpredictable. Even concrete road barriers are not guaranteed to prevent “spill overs” to the other side of the highway.
When the preventive barriers fail, all one can do is clean up the mess – despatch emergency services and the traffic officers to get traffic moving again as best they can.
Cyber security is a similarly complex system – attempting to map, manage and predict the behaviour of billions of people online, and to mitigate threats they may present, is a tall order When managing these systems, instead of imagining that we control them, it is useful to use the principles of emergence.
An example of emergence in a complex system is the approach adopted in managing emergencies after the 9/11 attacks. After the attack, an attempt was made to plan for the grounding of thousands of passenger aeroplanes in the case of a similar future attack. It soon became clear that there were too many complex, human interactions to be able to precisely predict how to manage such a moment.
It is possible to put general rules in place – similar to the rules of the road – but ultimately, the ideal solution for some situations only emerge when the event occurs.
The idea of emergence makes people nervous, because we like to plan. We like to have control. But the fact is, we cannot fully control all situations. We can put controls in place, but at times those controls will fail, or they will be subverted.
This is where humility becomes a useful tool. In managing these systems, we have controls, but we are not “in control”. We accept that contingency plans may be necessary.
We cannot reliably predict the behaviour of people – and the internet is a network of billions of people.
We can certainly monitor the internet, though. Many companies are in the business of monitoring the dark web for mentions of particular company names. These are preventive controls – the equivalent of the road barriers we use to manage traffic. They are certainly of use, but they can fail.
We are getting better at minimising these failures, though. A survey by Fire Eye has found that average dwell time – the number of days between an intrusion and its identification by an internal team – decreased to 50.5 days in 2018, from 57.5 days the year before.
Fire Eye attributes this to organisations getting better at discovering breaches, but also to a rise in immediately visible, financially motivated compromises (e.g. ransomware attacks).
Nevertheless, prevention fails, and it is going to fail more often, as more people get onto the internet, and social/political/religious/job polarisation continues.
Today, the buzzword in cyber security is awareness creation – to train staff to identify malicious emails, to think twice before connecting USBs to their computers, etc. This is certainly useful, but it has limitations. We cannot be so arrogant as to think that such interventions will fix everything.
With awareness creation and training, there is an assumption that we can outsmart criminals. Unfortunately, criminals will always be a few steps ahead of us.
We should not fool ourselves. Trying to “architect” cyber-security on the basis of success, is what makes us arrogant. We must architect on the basis of failure.
When we take this humble approach and we accept that we are sometimes going to fail, we can implement controls that help us to detect breaches sooner, and learn from our mistakes.
We cannot control everything, but we can develop a mode of detection and correction that drives consistent, self-refining improvement, to become ever better at protecting the information that underpins modern business.