Use the Inevitability of Security Breaches to Your Advantage

A company that uses technology and is connected to the internet will likely experience an incident of some magnitude over the course of its life.


In an attempt to wake up companies that may not be taking security as seriously as they should, they are often told, “It’s not a matter of if, but when.”

Historically, I’ve not been the biggest fan of this saying, in that it has a certain undertone of doom and gloom. It’s a bit like one of those life insurance commercials that morbidly remind you that you will die someday and you want your loved ones to be looked after financially.

However, the reality is that, depressing as it may sound, we will all die at some point. And it is likely that a company that uses technology and is connected to the internet in some way, shape or form will experience an incident of some magnitude over the course of its life.

Being attacked or compromised by an external or internal party isn’t a black swan event that falls outside of the norm. It’s very much a part of everyday life.

Where many companies go wrong is believing they can eliminate these attacks completely. But this isn’t practical because randomness and variability are the rule, not the exception.

It’s like when you have a flight to catch: Most people will tend to leave earlier than needed to factor in unforeseen traffic or other delays. We do this because we know and understand that a journey consisting of planes, trains and automobiles will inevitably encounter some delays. So we plan for it.

Similarly, enterprises should plan for the unexpected and build it into their fabric to ensure that not only can the business remain resilient in times of adversity, but that it can also flourish.

So, what can make a company more resilient to security incidents and black swan events?

Hack Yourself

What better way to see how an attacker will fare against your systems than to subject them to the same stresses yourself? It’s not so much a case of proving that all your systems are unbreakable. Rather, this kind of testing gives you a level of assurance as to how long your defenses can hold up, whether you have effective means of detecting and responding, and, perhaps most importantly, what the impact on the business or customers will be.

Add Redundancies

When speaking of redundancies, we often think of business continuity planning, which many people inevitably boil down to the art of “buying two of everything.”

Companies may choose to avoid the cost associated with having redundant systems because those systems may never be used. However, never needing a redundant system is the exception, not the rule.

It’s also important to have alternative redundancies in place. For example, if a system goes down, is there a manual workaround that could be deployed? Could online transactions be diverted to call centers? If cash is unavailable, can cryptocurrencies be used? Or precious metals? Or cigarettes even.

Not All Risks Are Created Equal

Critical assets are the lifeblood of an organization. They are the crown jewels that help the company be profitable through sales, services or innovation. But it can become easy to miss some of the risks among the large sea of issues.

This is why it can make sense for companies to at least adopt a dual risk strategy whereby it can play it safe in some areas and take more risks in others.

Have Multiple Points of Resilience

It’s not just attacks that are on the rise. There are a number of factors such as errors, changes, or infrastructure migrations that can all lead to security incidents. Therefore, it’s important to build resilience at multiple points across the business.

Maybe it’s time to stop fearing, or thinking of, the phrase “it’s not if, but when” in a negative light. Rather, think of it as a positive opportunity, one that can allow security teams to proactively innovate to get the best outcome for themselves and their companies.

Javvad Malik is a London-based IT Security professional. He is better known as an active blogger, event speaker, industry commentator, and one of the industry’s most prolific video bloggers, with his signature fresh and light-hearted perspective on security. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.

This guest blog is part of a Channel Futures sponsorship.
