Krebs: infosec pros need to accept everything gets hacked
Businesses and IT professionals need to start accepting the “depressing reality” that everything gets hacked so they can focus instead on recovering from an incident. That’s according to Brian Krebs, one of the world’s leading cybersecurity journalists, who gave the keynote address at the inaugural BSI Cyber Resilience Exchange at the Convention Centre Dublin.
“What do we do about the depressing reality that everything gets hacked? Accept it. If an organisation is big enough, it’s probably happening on a daily basis. It’s easy to arrive at the conclusion that everything and everyone everywhere is going to get breached. I argue it’s something we all need to accept professionally and personally in order to get to the next level. Technically, a breach doesn’t mean the bad guys got access to the data or the crown jewels, just that they had the opportunity,” he told the 250-strong audience.
Taking his cue from the conference title, Krebs defined resilience as “the ability of an organisation to rapidly respond to and recover from breach events”. He said companies need to work on detecting incidents faster and rehearsing their response procedures for when that happens.
“Getting breached is ok; I hope the stigma is coming off. It’s not ok if you don’t detect it in a short period of time which is when the problem starts… How we get to [resilience] is only with practice, to stop a cut from metastasizing to an infection of the entire body,” he said.
Krebs said many organisations have historically focused on technical defences to prevent attacks or attempted breaches. “I would argue we have overinvested in the protection and underinvested in the prevention side,” he said. Security professionals are the most important part of any system, yet probably also the most expensive part, and hardest to recruit, he added. “It’s really hard to do the reactive stuff if you don’t have the right people.”
Also speaking at the conference, WorkHuman CTO Jonathan Hyland said his company has worked on achieving information resilience through a continuous improvement cycle that involves routinely re-evaluating risks to the business and checking whether its security controls and processes are fit for purpose. He also said it was important to test these procedures regularly. “Act on the plan – a paper exercise is no good,” he said.
Siân John MBE, Microsoft’s EMEA chief security advisor, echoed the point about the importance of practicing response plans. She pointed to the example of Norsk Hydro, the aluminium producer that suffered a ransomware attack in March but implemented a recovery plan. This enabled the company to avoid paying the ransom and to give regular public updates about its operations during the incident.
Michael Bailey, BSI’s EMEA director of professional services, said that achieving information resilience involves a combination of cybersecurity, information management and privacy, security training and meeting compliance requirements.
Dr Jessica Barker, co-founder of the security awareness consultancy Cygenta, urged companies to ensure they focus on the people factor of security as well as on technical defences. “The cybersecurity industry is very focused on technical measures to defend against cybercrime, so the attackers have moved of course to targeting the human element because this is what we haven’t really concentrated on,” she warned.