Preventing Complacency putting Enterprise Security at Risk
by Jay Chaudhry - CEO and Co-Founder of Zscaler
If you’re having a bad day, know that things could always be worse: This message could have greeted you when you turned on your computer.
One fateful morning last November, that ransom note showed up on the screens of employees of German plastics manufacturer Kraus Maffei. In March of this year, Arizona Beverages workers received a similar threat. Both companies had been infected with particularly virulent strains of iEncrypt malware, and the attacks crippled systems at both companies for days.
The iEncrypt story is nightmarish: Two successful companies are brought to their knees as malware replicates inside their respective corporate networks. No company deserves what Kraus Maffei and Arizona Beverages went through, and I won’t speculate on what contributed to each company’s vulnerability. But we can learn from these attacks.
In cybersecurity industry parlance, never let a breach go to waste.
Whatever You Do, Don’t Sit Still
Organizational challenges such as institutional ennui or even budget cuts can lead a company to retain outdated, insecure systems, exposing the company to a targeted attack. Especially in light of recent high-profile ransomware attacks, IT leaders must ensure they can protect digital assets and
minimize damage if breached. But, too often, companies are slow to keep security standards current to respond to the newest malware threats. Similarly, recovering from an intrusion is difficult when backup systems are untested or improperly set up (imagine trying to put out a fire with a faulty extinguisher).
When it comes to cybersecurity, complacency is toxic. An ingrained culture of “we’ve always done it this way” can obscure threats, mask vulnerabilities and reinforce an aversion to change. The “we’ve always done it this way” disease (call it WADITWay) can manifest itself in a reluctance to let go of old processes, solutions and technologies. WADITWay bias fosters groupthink, which at best can lead an enterprise down the wrong path and at worst can lead to disaster. WADITWay impedes good decision-making, putting enterprise assets, users and resources at unnecessary risk.
Recognizing WADITWay bias is the first step to combating it. It takes many forms (all characterized by an unwillingness to let go of something):
- Attachment to topology: Does the existing network architecture design contribute to threat risk? Are there alternatives that can improve performance?
- Attachment to legacy software and hardware: Are there better solutions out there for your organization? Even technologies that might require investment in IT training?
- Vendor loyalty: Do existing supplier relationships cloud your judgment against consideration of alternative approaches?
- Nothing-happened-yesterday mindset: Does your team settle for “good enough” security? Stagnation is bad, dynamic monitoring is good: What worked yesterday may not work tomorrow.
- Stick-with-what-we-know culture: How does your organization address disconnects between current-state and ideal-future-state IT skill sets? Extant certifications are valuable only as long as the technology remains vital. Otherwise, they’re just sunk costs.
Only You Can Prevent WADITWay
As malware victims will attest, hindsight is (painfully) 20/20. Here’s what IT leaders can do now to attack complacency:
- Build an agile, dynamic cybersecurity culture: Continuous improvement is essential in DevOps and DevSecOps environments. It’s also a mandate for ensuring security best practices.
- Stay current: Regardless of which technologies you employ, ensure that your security is up to date. Proactively blocking an attack is eminently preferable to reacting to one, and that can only happen if your enterprise security can confidently repel any and all known threats.
- Get resilient: Establish recovery workflows to respond fast. If you are hit, how fast can you return to normal operations?
- Establish comprehensive backup processes: Archive data remotely. Backups should be firewalled, redundant, off-site and protected from east-west threats. The schedule should be cadenced. How often? Well, how many days’ worth of data can you afford to lose?
- Reduce the attack surface: Audit your existing network vulnerabilities and then address them.
- Establish default-deny network processes: Start by applying Forrester's Zero-Trust principles and Gartner’s CARTA roadmap as part of your network and security strategies. Gartner recommends phasing in micro-segmentation and then a software-defined perimeter.
- Inspect everything: A default-deny posture works with the dynamic monitoring of all data across the network (and cloud). Ensure your enterprise can inspect (and respond to) all data coming into and going out from your organization—this holds especially true for TLS/SSL-encrypted data.
- Build out defensive isolation capabilities: Effective sandboxing of questionable data and quarantining infected data can minimize attack damage.
- Train your people: Malware triggers are designed to take advantage of end users. Make security training an annual (or even quarterly) requirement for all employees. If you can prevent just one employee from clicking on a questionable link in an email, it will have been worth it.
Some will say believing we can block every attack is naïve—it’s not. We must put up a better fight against the bad actors who threaten us. That starts with eradicating WADITWay disease, and it ends with an enterprise cybersecurity culture that acknowledges “good enough” is never good enough.