PLAIN TALK CYBER: Control Failures and Gaps

What the heck are "controls"?!!?

Understanding the core reasons behind all cyber incidents is crucial. Regardless of the complexity of the methods used, or the ease with which some criminals achieve their goals, any cyber incident can be attributed to either a control failure or the lack of a control. Recognizing this can empower leaders to take proactive steps in fortifying their organization's defenses.

These questions are crucial for any organizational leader, whether in business or a non-profit, to ensure robust cybersecurity measures are in place.

  1. What are our assets?

  2. What vulnerabilities do we have?

  3. What controls are in place to protect us?

What "Controls"?

Let's clarify what we mean by "controls." In cybersecurity, controls are measures put in place to prevent, detect, and respond to threats. These measures can be technical solutions like firewalls and antivirus software, processes like regular security audits, or policies like mandatory password changes. Essentially, controls are the barriers that protect your organization from cyber threats.

Control Failures: The Breaches in the Wall

When a cyber incident occurs and a control (measure) was in place, the incident stems from a control failure: the existing control did not function as intended.

The saying "my home is my fortress" is a metaphor most people can relate to, so imagine your organization as a medieval fortress with a sturdy wall designed to keep invaders out. If a section of that wall collapses due to poor construction or lack of maintenance, the entire fortress becomes vulnerable. Similarly, in cybersecurity, a firewall that isn't properly configured or a software patch that isn't applied in time can create openings for attackers.

One notable example (of many) is the Capital One breach in 2019. A misconfigured web application firewall allowed an attacker to exploit a vulnerability and access the personal data of over 100 million customers. This control failure highlighted the importance of proper configuration and regular auditing of security measures. Capital One faced regulatory scrutiny, incurred hefty fines, and suffered damage to its reputation.

Lack of Controls: The Undefended Fortress

Even more perilous than a control failure is the absence of a control altogether. Yes, this happens, too!

This scenario is akin to leaving entire sections of your fortress undefended. In the digital landscape, this could mean lacking multifactor authentication, not encrypting sensitive data, or failing to conduct regular security training for employees. Without these essential safeguards, your organization is exposed to myriad threats.

In 2017, the credit reporting agency Equifax suffered one of the largest data breaches in history. The criminals exploited a known vulnerability in a web application framework that Equifax had failed to patch; patching is the control Equifax didn't apply. This allowed the criminals to access sensitive information about over 147 million customers. The fallout included massive regulatory fines, legal battles, and a tarnished reputation. Small and medium-sized businesses aren't immune to these types of attacks. No one is.

The Business Imperative

For business leaders, the lesson here is clear: robust controls are not just a technical necessity; they are a business imperative. The financial implications of a cyber incident can be staggering, including direct costs like fines and remediation expenses, and indirect costs such as lost business and reputational harm. Therefore, investing in the development of a comprehensive cybersecurity strategy is essential.
