VIEWPOINT: Adopting the assumed-breach mentality on cybersecurity

The cybersecurity landscape is Constantly changing. Everyday, Stories are told of breaches, ransoms, and threat actors pushing us collectively further into uncomfortable territory. Stories like the Colonial Pipeline and Kaseya were major eye-openers for many, but they weren’t the first and they won’t be the last.  The recent report, called the State of Ransomware 2022, from […]

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

The cybersecurity landscape is Constantly changing. Everyday, Stories are told of breaches, ransoms, and threat actors pushing us collectively further into uncomfortable territory. Stories like the Colonial Pipeline and Kaseya were major eye-openers for many, but they weren’t the first and they won’t be the last. 

The recent report, called the State of Ransomware 2022, from Sophos News (https://news.sophos.com/en-us/2022/04/27/the-state-of-ransomware-2022/) states that 66 percent of organizations surveyed were hit with ransomware in 2021, up from 37 percent in 2020. And, the average ransom paid by organizations that had data encrypted increased nearly fivefold to $812,360. While those numbers are staggering, they aren’t exactly a surprise when you consider the almost daily reports of incidents throughout last year. If you take a moment to look at the reports from last year from a variety of vendors, they all paint the same picture. Cybercrime is on the rise, and in a big way. So, where does that leave us this year?

“Everyone has a plan until they get punched in the mouth.” Boxer Mike Tyson is credited with this quote, and it’s been used many times in recent years. Poorly laid plans go out the window once the worst happens. Applied to cybersecurity, it could probably be “no one wants to plan until they get punched in the mouth.” After an incident is when everyone wants to buy and/or implement security solutions. So how do we prepare ahead of time? 

There is a security strategy that has gained more steam in recent years called “assumed breach mentality.” What does that mean? It means that we approach our IT security from the perspective of not if, but when. This can come across as pessimistic. Does it mean we just give up and accept defeat? Hardly. If we continue the boxing example it would mean that we don’t plan and train to never get hit, but instead to expect to get hit and endure. There is no perfect solution or defense. There are strategies and tools that will limit our risk, and there are plans and policies that if put in place correctly, can help us endure when the worst happens. 

Letting go and adopting the assumed-breach mentality can be liberating and terrifying. We spend a lot of time trying to figure out how to keep threat actors out, and that is still important. Just because we train to be hit doesn’t mean we want to be hit. We limit our risk as much as we can and prepare for the worst. In shifting that mindset now, we need to start thinking like a threat actor. Look internally at your network, your policies, and investigate your weaknesses. How do we limit the movement of the bad guys in our network, how do we protect key information, and perhaps even more vitally — how do we get back to business? Here are three things we can do to make an impact with our newfound state of mind. 

First, we need to evaluate our current security posture and know what to look for. The IBM Cost of a Data Breach Report 2021 (https://www.ibm.com/security/data-breach) lists compromised credentials as the most common attack vector at 20 percent of breaches, and business-email compromise has the overall highest average cost. That gives us something to focus on right away. That means securing your email, using multi-factor authentication, and training your users regularly on phishing emails and to recognize anything suspicious. Of course that is just a start, and it is best to have an objective third party evaluate your vulnerabilities or even perform a penetration test to be more thorough in rooting out any issues present in your environment. While there is a cost to these, they can be invaluable at getting an idea of where you are with your security posture and what changes need to be made. 

The second point is basic cybersecurity hygiene. It’s important to understand that all of us are somewhere on the scale of cybersecurity journey to maturity. That’s ok. It’s more important to realize where you are and work to move forward. Where do we start? The National Institute of Standards and Technology (NIST) provides a cybersecurity framework, and many organizations look to that as the standard. Another I am fond of is provided by the Center for Internet Security (CIS). That organization has the CIS Controls (https://www.cisecurity.org/controls/implementation-groups/ig1). There are 18 controls with over 150 safeguards, but CIS has them broken into implementation groups. Group 1 is an evolving list of what is considered basic cybersecurity hygiene and a great place to start. It can provide you an excellent checklist with which to start.

Our last point is having an incident-response plan and cyber insurance. If we think back to boxing again, now that we have planned to avoid getting hit, let’s talk about what happens when we are attacked. Too many organizations realize too late that they didn’t have a plan in place, or that they did, and they had no idea what to do with it. CompTIA has an article (https://www.comptia.org/blog/security-awareness-training-incident-response-plans) that can help get you started. An important point about an incident-response plan is don’t skip the tabletop practice. Knowing what do with the plan when the worst happens is what makes it effective. A bunch of words on a page won’t do anything on their own. Additionally, cyber insurance is another important piece. Find a provider your trust and know what your coverage entails, and who your breach coach is (if your insurance plan has one, and it should). A breach coach is the individual who will help guide you through the process if the worst should happen. 

In summary, here are the key takeaways:

• Adopt the assumed-breach mentality

• Evaluate your security posture

• Start on the path toward good cybersecurity hygiene

• Design an incident-response plan and obtain cyber insurance

There are no silver bullets, or cure-all potions. It will take time and effort, but it will be worth it when you need it. I wish you the best on your cybersecurity journey.      


Nathan Hock is a virtual chief information officer (vCIO) at Usherwood Office Technology in Syracuse.

Nathan Hock: