Summer is over and as fall starts to settle in, football season starts again. It was while reviewing my son’s upcoming schedule that he pointed out that some of the earlier games in the season are against teams with more skilled players. However, he quickly pointed out that those games are at home and that this would be a big advantage to him and his teammates. This got me thinking about how those of us tasked with defending our organization’s information assets prepare to tackle our adversaries.

There have been recent headlines about attacks for which nobody would blame any CISO, and they make us think that the criminals had every advantage on their side, guaranteeing a win. Those articles give us a constant stream of news highlighting recent security breaches in organizations, warnings about Advanced Persistent Threats (APTs), reports of how attackers easily circumvent security solutions and how users continue to compromise systems by clicking on links or attachments.

How CISOs Need to Play to Their Strengths

It was then that I thought that if a kids’ football team can look at how to play to its strengths to defeat more skilled opponents, then CISOs should look to do the same. The biggest advantage a football team and a CISO can have is home-field advantage, and as defenders we always have it.

Playing at home gives you many advantages over the opposition — you know where every bump and hollow is on the pitch. You know which end of the pitch is more favorable depending on the weather or which way the wind blows. You also have local resources to help support you.

We should look to those same advantages when defending our networks. The attacker has to learn how your network is connected together, where the valuable targets are in that network and how to avoid being detected by your security controls.

So if home-field advantage is such a plus, why are we reading about so many breaches? Are the attackers we face so highly skilled and sophisticated that we don’t stand a chance in competing against them?

It’s Often the Simple Mistakes That Allow Attackers to Breach Defenses

This is not the case. Yes, we do read many stories about sophisticated attacks and major breaches, but these tend to be rare. If we look into the details of these attacks, we find that it is often simple mistakes that enabled the attackers to breach the defenses, undermining any home-field advantage. Just as in sports, where a team that is not operating as a well-oiled machine will lose, your security program will fail if it is not operating properly.

The IBM Security Services 2014 Cyber Security Intelligence Index (Index) highlights a number of examples where the home team lost by not focusing on the advantages it had over the attackers. The Index analyzes data from attacks and security incidents observed by IBM’s worldwide security operations and provides great insight into the threats facing all organizations.

For me, the key takeaway from the report is that 95% of all incidents involved some form of “human error” as a contributing factor. In other words, if humans had not been involved, 95% of attacks would not have been successful. So what types of “human error” contributed to these incidents? They include:

  • Users double clicking on links in emails or unsafe URLs
  • The use of poor passwords
  • The use of default user names and passwords
  • Lost laptops or mobile devices
  • Poor patch management
  • Misconfiguration of systems

The report also highlights how many companies are struggling to deal with the sheer volume of alerts their systems generate each day, if indeed they are monitoring those alerts in the first place.

Where Should a CISO Focus?

So it appears that instead of playing the home-field advantage and using all our resources to protect our systems, many organizations are not focusing on the contest at all.

Given the rising number of attacks, the greater connectivity and integration of systems and our businesses’ dependency on secure and reliable systems, we need to focus properly on what we are trying to achieve and make better use of the resources we already have in hand.

To do this, we need to better engage the business and senior management in accepting that information security risks are not just risks to the IT systems but are indeed risks to the business. These risks need to be treated and managed the same as any other business risk. We also need to look at how to reduce the “human error” factor. This will involve the CISO engaging with users and providing effective security awareness programs. These programs should not focus only on the end user, but also on those responsible for developing, implementing, managing and supporting our systems. This group needs to be made more aware of the risks to those systems and how they can better secure them.

As CISOs we will never fully eliminate the “human error” factor, so we need to review how well we monitor our systems and whether we are monitoring the right systems, for the right events, at the right time. To do this, we also need to ensure we get timely, actionable and effective alerts so that any attacks are detected and dealt with quickly and efficiently.

Playing at home is a major advantage; let’s make sure it’s not undermined by neglecting the proper preparations before we take the field.
