Topics of much debate in the cyber security world are the questions of responsibility and response. Who is responsible for safer cyber commerce? Companies themselves? Federal agencies? Software developers? And should an incident occur, what response should an organization take? Let the federal government decide? Retaliate?
Some companies choose not to even report cyber incidents, and to stockpile bitcoin to pay in the event of a digital ransom.
What’s the best course of action in this era of imminent cyber security threats?
Strategies for Cyber Security Breaches
The three major strategies businesses seem to take in the face of cyber security threats could be called by three animal names: the ostrich, the frog, and the jaguar. Lessons can be learned from each approach.
The ostrich buries his head in the sand. Sure, we’ve known for years that nearly a million new malware threats are released every day, but it “won’t happen to us.” Sure, millions of people fall for phishing scams, but my employees are “smarter than that.” Okay, so big companies probably get victimized by ransomware, but no one would want to hijack our data.
The ostrich has a false sense of security: when that head is buried the body is exposed. Similarly, an over-reliance on tools like a firewall and anti-virus software neglects the more likely sorts of cyber security breaches. Worse yet, the ostrich doesn’t even want to know what he is missing.
The frog is an adaptable creature: beginning life in the water, and eventually living on land. Frogs are incredibly varied: some can change colors or genders, others have translucent skin or are poisonous.
Similarly, a business can approach cyber security like a frog: continually adapt and evolve with the cyber landscape.
A frog approach has had perimeter support for decades, and no longer relies exclusively on such protection. An adaptable company keeps up with common security mistakes and seeks to continually improve to avoid a complex variety of cyber security breaches.
Not comfortable with merely adapting to the landscape, another approach to the increase in cyber attacks has gained traction: the aggressive approach of the jaguar. The jaguar both hunts prey and retaliates for wrongs.
Large tech-savvy companies have taken on the jaguar approach:
- To aggressively seek out breaches, bug bounty programs provide an incentive for white hat hacking. The theory is that by doing so, companies can find bugs and fix them, gaining a head start on potential vulnerabilities.
- To gain freedom to retaliate for wrongs, in the political arena “hack back” bills have been proposed. (The latest from a congressman from Georgia). Currently, if a company suffers a data breach, the incident can be reported and potentially prosecuted, but it’s out of the hands of the victims.
Jaguars, in general, are not satisfied to “wait and see.”
Learn from the Animal Kingdom
Humans can learn much from the animal kingdom: adaptability, survival, community living.
When it comes to the distinctly human world of the digital kingdom, those lessons still apply: do what makes sense for your environment’s survival.
“Hacking back” involves tracing data backward to the source of an infiltration, possibly even breaching another’s network to search for stolen data. Few companies would even have the resources to retaliate in such a way.
A better approach is to focus on securing industry-specific insight and best practices to protect your company from a cyber security incident and mitigate threats.
Unless, of course, you code internally. Then you might want to consider a bug bounty program. You be that jaguar.