Through the lens of cybersecurity, 2019 was another year of breaches, hacks, and a comedy of digital errors. But there may be a silver lining to all of this.
My colleague Perry Carpenter often says, "Just because I'm aware, it doesn't mean that I care." What he means by this is that security awareness campaigns alone are often not enough. It's like when I drive my car: I am aware of the speed limit, and there are plenty of signs on the road, but does that actually mean that I care?
The Transtheoretical Model (also called the Stages of Change Model) was developed in the 1970s by Prochaska and DiClemente, who examined how people changed their behavior in order to quit smoking. Precontemplation is the first stage, where people are not aware of an issue, followed by contemplation, in which people recognize the need to change, but it remains largely a plan with no action. It's only when they reach the determination phase that they are ready to take action.
2019 may well be the year that many companies make the move from contemplation into determination and begin to take active steps to defend themselves in 2020 and beyond. Why am I confident about this? Well, let's examine some of the common themes that have occurred through the year.
Ransomware, supply chain compromise, BEC, insecure cloud databases, and nation-state actors have dominated many of the breaches. On the surface these all represent very different attacks, with different motives and objectives, but a little scratching beneath the surface tells a different story.
One of the big lessons from most of these breaches, possibly with the exception of nation-state actors (we can debate that another time), is the fact that the human factor played a major role. A publicly exposed AWS S3 bucket that should have been private? Human error. Ransomware getting into the organization? Many times it's a human clicking on a phishing link. Supply chain compromise relies on tricking people into thinking the communication came from your trusted supplier.
And business email compromise? Yes, you guessed it: it relies on humans falling victim to an email claiming to be from their CEO or a similar person in authority, demanding that they make an urgent payment.
In fact, when we look across all types of attacks over the year, the vast majority can be linked through to some form of human error or social engineering technique that caused it to be successful.
When companies are breached, or other companies in their sector are being breached, two of the most common questions execs will pose to their teams are, "How did this happen?" and "How do we prevent this from happening to us (again)?"
If an honest answer is being sought, it will come down to embedding a security-aware culture throughout the organization. That doesn't necessarily mean it will prevent every breach; nothing is 100% effective, so some technical controls, particularly monitoring and threat detection, are a crucial part of the strategy, so that malicious activity occurring within the organization can be spotted quickly.
With each breach, the awareness increases that the protection of companies does not lie in a new product or box with blinky lights. The answer lies in an overall security culture that is underpinned by effective training and raising awareness among staff. Each step moves companies away from simply contemplating and toward taking action. 2019 may be the year that we stopped simply being aware, and began to care.