When large organizations fall victim to cyberattacks, they are viewed harshly by the general public. Can this damage be mitigated?
There have been three major breaches in recent months at companies that no one would describe as small: Uber, Rockstar and Optus.
When the public sees news of data breaches in such firms, they typically jump to the conclusion: “These companies must have been reckless in some way to have had this kind of breach. They must be doing something wrong that doesn’t reflect their responsibility to protect customer data.”
While that conclusion sounds logical, it may not reflect the reality of the cybersecurity challenge in 2022.
Understanding the cyber risk landscape
If we look at other kinds of things we try to defend against, such as a physical breach where someone breaks into a building, there is a well-understood, finite set of ways to get into a business's premises. The risk is therefore relatively static and can be managed as such: we lock the windows and doors, patrol the grounds hourly, and once the guards and surveillance are in place, little about the threat changes.
However, with cybersecurity and technology, there is constant change. Every day we are using new systems, new technologies, and leveraging more and more third parties to handle data. At the same time, the tactics and techniques that attackers are using to target businesses are changing and evolving every single day.
When you are the size of Optus and trying to defend your organization, you face a logical conundrum. To defend the business, defenders must cover every single aspect of it. But those defenses tend to be static, while the tactics available to attackers change almost daily; defenders must then work out how to counter each new tactic as quickly as possible and implement the relevant defenses before it is used against them.
So defenders of large organizations face a difficult task: they must understand everything going on in their environment, keep up with emerging vulnerabilities and emerging threats, and then defend against all of them comprehensively.
All it takes is one successful hit
While 99,999 out of 100,000 attack attempts may fail, it takes just one successful attempt for an attacker to gain a foothold in a victim's network.
A breach does not necessarily mean that the victim (in particular, a large organization) was negligent or failed to do the things a business of its size should do to defend itself.
It may simply mean that one attacker was persistent enough, over a sustained period, to quietly find the one tactic that worked or the one crack in the armor.
This is the challenge with cybersecurity now. Adversaries are trying new techniques every single day, and somehow their victim organizations are expected to be able to keep up with these rapid evolutions or changes.
Regardless of how difficult this really is for businesses like Optus, Uber, Rockstar or any other large organization, regulators and the court of public opinion will not be forgiving. The headline is simple: a big company has lost its sensitive data to cybercriminals.
The perceived severity of a breach is often compounded because the public has very little information about how it occurred. Taking Uber as an example, the suggestion is that the tactics and techniques used in the breach were relatively simple. That makes an easy punching bag: "the organization is large, the tactics were supposedly simple, so Uber must have dropped the ball and should have been able to prevent this."
Yet, going back to the analogy above, it is very likely that Uber had every other attacker tactic and technique covered. The defenses were in place. Someone was simply lucky and persistent enough to find the one gap that Uber had missed.
Where did the victims go wrong?
I think the question we as an industry should be asking is not what the victimized organizations did wrong, but more introspective ones such as:
- How do we help organizations understand what the latest tactics and techniques adversaries are using to break into their organizations, so they can get ahead of that exploitation and prevent future breaches?
- How do we, as a cybersecurity industry, enable organizations to use data to defend themselves?
- How do we use technology to give companies like Optus a deep insight into the latest tactics and techniques to preemptively and continually stand guard against cyber infiltration?
Cybersecurity solution providers can take on these responsibilities by building technology that gives organizations a real-time view of how adversaries see them, and therefore of how an attacker would approach breaking in.
By leveraging global threat intelligence to continuously keep organizations informed about the latest attacker tactics and techniques, the industry can enable actionable defense and ease the challenge that organizations of all sizes face in keeping up with ever-evolving and emerging cyber threats.