Mitigating the Risk of Cyberattacks: 5 Key Insights from Dr. Eric Cole
Implementing measures to prevent cyberattacks is undeniably important for organizations of all sizes. But assuming that your security investments have made your business completely impervious to modern threats is a risky (and incorrect) outlook.
In a recent webinar, Dr. Eric Cole, a virtual CISO and now Founder and CEO of Secure Anchor, shared his perspective on the threat landscape and discussed some of the common cybersecurity mistakes companies make. The entire webinar is full of amazing insight, but if you’re short on time, we’ve collected some of the highlights here.
It’s a Matter of “When”, Not “If”
“If you haven’t detected an attack in the last 12 months, it’s not because you are secure or invincible. It’s because you aren’t looking in the right places.” —Dr. Eric Cole
No organization is 100% secure. When a business leader claims the company has not been attacked in months, or even weeks, the more likely explanation is not that no attacks occurred but that the organization has not detected the ones it has experienced.
According to Dr. Cole, the only way for a business to eliminate the risk of a data breach or other security incident entirely is to remove every piece of technology from its operations. Since this is not a realistic option for any modern enterprise, Dr. Cole recommends approaching cybersecurity the same way we approach our own health.
“Our goal in living is not to say we're never going to get sick,” he said. “Our goal is to minimize the frequency with which we get sick and the impact it has on our lives.” Similarly, “Cybersecurity is not about preventing all attacks. Cybersecurity is all about timely detection and minimizing damage.”
Prevention is Ideal, but Detection is a Must
“I'm not saying give up on your prevention. But most companies have prevention as their main focus… And when prevention fails, you have nothing left.” —Dr. Eric Cole
After an organization has accepted that being targeted by cyberattacks is inevitable, the next steps are to strengthen detection and response. Every successful attack causes some loss, but there is an enormous gap between the damage done by an attack that is detected and stopped within hours and a breach that goes unnoticed for months, because the attacker's access, and the data they can reach, grows with every day they remain undetected. Time to detection is a key piece of the puzzle, and its importance cannot be overstated.
If a company experiences a security incident but the threat actor only steals 10 records before the attack is detected and stopped, it’s an inconvenience. But if the attacker is able to avoid detection for an extended period of time and steal thousands or even millions of records? That’s catastrophic.
“Detection is the key to controlling and minimizing damage,” said Dr. Cole. “When we're looking at the differences between attacks, it's all about the amount of data that was compromised, which is tied directly to timely detection.”
Making Data-driven Decisions is Essential for Reducing Risk
“I often hear people say, ‘Cybersecurity is a zero-sum game. No matter what you do, no matter what you put in place, you're gonna lose.’ I strongly disagree with that statement.” —Dr. Eric Cole
While being targeted by a cyberattack is unavoidable, organizations can still lower their risk, meaning both the likelihood that an attack succeeds and the damage it does when one does. After all, if risk genuinely could not be managed, insurance companies would not exist.
However, whereas insurance providers base their risk assessments on historical and comparative data, the factors behind cybersecurity decisions are often subjective or based on assumptions. That is one reason many enterprises still struggle to defend against cyberattacks.
Dr. Cole recommends that when an organization is building or refreshing its cybersecurity strategy, it should ask the following questions:
Do you understand which types of threats your business has faced in the past and/or currently faces?
Do you understand which threats are impacting your industry as a whole?
Do you utilize those two data points in order to drive and make decisions?
With this information, your security team can identify the organization's specific weaknesses, build a risk profile, and then objectively determine which strategies and technologies to invest in, rather than buying whatever the market is promoting that year.
Security Leaders and Executives Must Be on the Same Page
“If the executives have one target and you have a different one, can you see how there can be misalignment? We need to make sure that we're properly aligned and communicating with executives on what cybersecurity is and where we should be spending.” —Dr. Eric Cole
Once a company understands its unique risk profile, it can make informed decisions about how much of the budget to allocate to maintaining confidentiality, how much to protecting integrity, and how much to preserving the availability of its critical data. Dr. Cole explained that while this model—referred to as the CIA triad—should act as a guide when building an organization’s cybersecurity budget, the other crucial element of effective cybersecurity spending is communication and alignment between security leaders and executives.
In his experience, the executive team often has a significantly different understanding of the enterprise’s vulnerabilities and where the business should prioritize spending. And when budget decisions are made based on incorrect assumptions, it increases the company’s risk exposure unnecessarily. In discussions about cybersecurity spending, it’s the responsibility of security leaders to ensure executives are aware of specific vulnerabilities and the responsibility of the executives to understand and accept the risks associated with where they choose to allocate budget.
Modern Attackers Focus on the Easiest Targets
“Attackers are hacking an operating system that is very hard to patch, very hard to secure, and has a ton of vulnerabilities—the human operating system.” —Dr. Eric Cole
Most modern attackers aren't launching massive, complex campaigns aimed at compromising an entire network in one fell swoop. Instead, they target individual employees with convincing emails that trick the recipient into clicking a link, opening an attachment, or handing over credentials, which gives the attacker a foothold on one account or endpoint. And because many companies have not adopted zero trust security or properly segmented their networks, that single foothold is often enough: the attacker can move laterally through internal systems, wreaking havoc as they go.
“It's crazy to think that the entry point for million-dollar attacks, for multimillion-dollar attacks, for a hundred million records stolen, is a user making a bad decision,” said Dr. Cole. “A user getting an email and clicking on the link or opening the attachment. That is the biggest threat.”
Understanding Your Risk and Protecting Your Organization
So what can security leaders do about these risks? As Dr. Cole stated in his keynote, the first step to mitigating the risk of cyberattacks is to understand your organization's weaknesses. Many cybersecurity vendors can provide a no-cost risk assessment that reveals the types of attacks already reaching your environment, and Abnormal is no exception.
Our free risk assessment works in minutes, can be initiated with only three clicks, and requires no disruption to your MX records or mail flow. It allows you to see for yourself how many email attacks are bypassing your current security tools, plus which risky configurations may be present in your environment. And whether or not you decide to officially partner with Abnormal, you’ll be armed with the knowledge of your risk profile, so you can determine where email security fits in your list of cybersecurity priorities.
For more advice and insights from Dr. Eric Cole and to learn why blocking these threats before users can engage is essential, watch the on-demand recording of his webinar.