This article was published on LinkedIn on March 27, 2018. You can read the original post here.
In my first LinkedIn article, I’d like to welcome you to the future. Not too far in to the future. But, it’s January 2019 and unfortunately cyber criminals are stealing your data. You’re scrambling to respond, hustling to contain, scurrying to an emergency board meeting. It’s a bad day.
You may be thinking that this isn’t going to happen to you, but many recent headlines say otherwise. So this is my humble letter that I wish I had gotten to you 10 months ago. Today.
From my chair, running IBM’s cybersecurity unit, I get to see things that don’t even make it to the news. Yesterday, we actually helped check references on a hacker for a customer wondering if they should pay bitcoin to get their servers back. This morning, my research team in Israel uncovered a new organized criminal circuit developing a new method to steal money from banks in Brazil. And just in the last 24 hours, my threat intelligence team received indicators of 30 new domains registered by hackers as command and control servers for their malware.
But here’s the thing… even though cybercrime is becoming significantly more sophisticated, there are things we can do that can make a difference. Here are my current top three:
1. Prepare Your Response
My first advice is that “response” isn’t something that should be considered after a breach is detected, but rather something that needs to be planned and rehearsed way ahead of time.
An effective response to a cyber incident requires preparation and planning — a playbook — as well as training and rehearsing, in the same way hospitals prepare for emergencies. As we’ve seen with recent cyberattacks, often a company’s response can do more damage than the breach.
Last year IBM opened the world’s first “cyber range” for the private sector — a place where clients come for rigorous training to prepare for a potential cyberattack. It’s been an eye opener for us and the 1,400-plus people who have trained there.
Our big take away is that this isn’t just a technical team problem — the response needs to span every function in your organization. An effective response plan includes not just the security team’s role in detecting and remediating a breach, but how your organization reacts to regulators, your Board of Directors, law enforcement, clients, employees, the media and other constituents.
Such training and rehearsing helps organizations develop and regularly update a highly detailed and coordinated response plan, and build “muscle memory” that can be thrown into action when a breach occurs.
Most organizations don’t have this. A study we released this week shows nearly 80 percent of organizations surveyed said they cannot remain resilient after a cyberattack due to a lack of planning. And the longer it takes to respond, the higher the costs. For example, a breach contained in less than 30 days saves an organization, on average, nearly $1 million.
2. Change the Game With AI
AI has the capability to ingest, comprehend and analyze the enormous amount of security data, in whatever forms, that are out there today, and can be deployed quickly. It will help you detect and respond to cyberattacks at speed and scale. More than that, cognitive systems make correlations that provide insight to detect potential breaches much faster than humans alone.
AI will give your security analysts much needed help in finding the needle in the haystack so they can concentrate on stopping the attack.
AI in the form of machine learning enables you to do things like determine if an employee’s identity has been compromised by deeply understanding user behavior and detecting anomalies that could indicate an insider threat. Machine learning can automatically scan new applications for vulnerabilities so developers can continue to move quickly, confident that their app is secure. And when it comes to mobile, AI can see what’s going on at the endpoint and dynamically make recommendations on policies, patches and relevant best practices to keep devices secure.
3. Master the Basics
Good security hygiene — from keeping software patches updated to scanning applications for vulnerabilities — still count, maybe more than ever. And from where I sit, not enough companies are focusing on the mundane, hard work of getting the basics right — 100 percent of the time. Any less than that will leave you open to an attack.
Think about cyber security the same way that an engineering or manufacturing company thinks about safety and quality. An auto manufacturer would never accept just a few defective parts leaving the plant. An oil company would not be satisfied losing five percent of its drilling rigs. You should not be satisfied with anything less than perfect either. Drive that into your culture.
I’m not saying these so-called basics are easy to get right. I know your teams are challenged with an enormous — and growing — amount of security data. Whether it’s the potentially 200,000 security events you see every day, or the 60,000 alert blogs your security analysts need to read each month — all of which needs to be analyzed quickly to find anomalies that may indicate a pending cyberattack. And the significant skills shortage we’re facing in cybersecurity, with an estimated 1.5 to 2 million unfilled security jobs by the end of this decade, is making it even more difficult.
But at the end of the day, this quality control is worth the effort. Mastering these basics from the outset will allow you to react more quickly in the wake of an attack — potentially saving millions of dollars, and significant losses to your reputation. Not only that, it will also help close the gaps so that you’re dealing with less of these incidents in the first place.
To wrap up, cybercrime is one of our generation’s most significant issues, equally impacting the public and private sector, as well as consumers and citizens. The basics matter, how you handle an attack makes all the difference in the world, and with AI we have a fighting chance to get ahead of the criminals.
General Manager, IBM Security