Cyber crime is undeniable given the almost daily news reports of a new compromise, yet IT staff may still struggle to get the budget they need to protect their organizations. Why? A major myth that many executives believe is that “it won’t happen to us”.
Marco Gercke, Director for the Cybercrime Research Institute, offered attendees of the Gartner Security and Risk Management Summit an interesting suggestion: simulate a cyber attack as a way to get management’s attention and, ultimately, their buy-in for proactive measures.
Gercke said the idea was inspired by a government official who was not supportive of cyber security initiatives – until his personal email was hacked. But it makes sense, especially when we look at our own security engagements. For example, we performed penetration testing for a healthcare client who was very comfortable with their security after passing a recent HIPAA audit, until we were able to show them patient information that we were able to access without credentials. Or the social engineering engagement in which over 30% of staff gave up their login and password to a phishing email that we created to test security awareness training. And nothing gets attention like a video of one of our staff who was able to make physical entry into a client’s “secure” data center and connect a laptop to their server(s). In every case, showing the flaws through a simulated incident has meant that the recommendations for remediation are given budget and priority.
The ultimate goal is to shift thinking so that portions of the IT budget are allocated toward testing and detection as well as response and recovery. To do this, you have to go beyond a “what if” conversation and actually feel the stress of a compromise: the uncertainty about the recovery steps and the costs (fines, reputation, lost revenue).
Do you think a cyber attack simulation would work in your organization?