The Cyber-Security Industry Must Be More Realistic

By Rick Grinnell

The best football coaches aren’t consumed with winning. They advocate an obsessive focus on process rather than outcome: instead of looking ahead to a national championship, they encourage their players to think only about the next drill, play or moment. The coaches consider sticking to such a plan a precondition to success.

The corporate world has not traditionally looked at cyber-security this way. A hack or data breach is an undesirable but fairly likely occurrence, yet the traditional view has been to try to avoid it at all costs.

There has been a sea change in that opinion over the past few years. Rather than devoting all energy to preventing attacks, a better use of resources is also to prepare for disasters and to run drills—the way the best coaches do—to minimize their impact.

One aspect of this approach is breach detection, a practice that assumes attacks have already occurred and aims to find ones that haven’t yet been detected. Another is post-attack incident response, which also treats a cyber-attack as a given and then focuses on what to do after the breach.

Post-Attack Incident Response Was an Unexploited Market

What exactly is post-attack incident response? If you work at a really big company, chances are the IT team has already put a plan in place to quickly diminish the technical, legal and business damage after an attack. Large companies have tech pros, lawyers and consultants to throw at such problems. Midsize companies didn’t, until fairly recently.

Now solutions designed for post-attack scenarios are on the market. Some gird an organization for inevitable attacks by offering a canned solution, built on the same idea as the fire hoses many buildings keep behind glass to break “in case of emergency.”

Note that I said “inevitable attacks.” The chief reason post-attack incident response wasn’t considered a market until recently was blind optimism. That is, corporate America assumed that if you threw enough resources at potential cyber-attacks, you would keep your company safe.

The reality, however, is that the chance of cyber-attacks increases by large percentages every year. In a 2015 report, Symantec found that malware increased 26 percent in 2014, and ransomware attacks—where hackers hold files for ransom in exchange for cash—grew 113 percent during that period.

In addition, companies often don’t know that they’ve been attacked until it’s too late. Another 2015 report, this one from FireEye’s Mandiant division, found that only 31 percent of breaches had been self-discovered in 2014. The average breach that year took 205 days to discover.

Even beyond data breaches, consider the possibility that an employee might leave an unsecured smartphone or laptop behind somewhere. Such “employee error” was the leading cause of data breaches last year, accounting for about 30 percent of such incidents, according to the Association of Corporate Counsel.

Those grim statistics have prompted different thinking about security of late. One manifestation is a new emphasis on breach detection, which assumes that attacks have happened and focuses on rooting them out.

The market is starting to come around to this idea. A few years ago, there was no post-attack incident response category. Now there are a few options out there.

That’s good news for some, but it’s also a statement about our losing battle with cyber-crime. The unsettling reality is that if your business hasn’t been the victim of a cyber-attack, it probably will be at some point.

The best approach is to work on building a solid defense in advance. That means toughening up and facing catastrophe so you can emerge from it more or less unscathed, if not stronger.

Rick Grinnell is a cyber-security expert and a managing partner at Glasswing Ventures.