Unforeseen & Unforeseeable

The United States of America has taken military action against the Islamic Republic of Iran. Unforeseen or unforeseeable? In the cybersecurity context, it doesn't really matter: either you were prepared for this or you were prepared for something like this or you have the talent and bandwidth to pivot or you are a cautionary tale waiting to happen.

By "something like this" I mean the risk of cyber attacks from foreign operatives as opposed to criminals or vandals. Vandals are mostly thrill-seeking. Criminals want to get money. Operatives want to either lurk or disable your systems.

Vandals are often as unsophisticated in their thinking as they are sophisticated in their hacking. It has been a long time since they were the top threat. Just keep your defenses up-to-date and your monitoring current and you should be able to keep them out.

Criminals are getting ever more sophisticated in their scams and their use of stolen information. But they don't want to get caught, they don't want to draw too much attention, and they certainly don't want to destroy your business, because if they do, where will their money come from? Criminals are usually the top human threat (as opposed to natural disaster or system failure) but it is usually peacetime, at least in the West and during the last 50 years.

Operatives are a different story. In peacetime they usually want to avoid detection while they gather information and leave back doors and potential destruction in place until they need it. In wartime the game changes utterly: now is the time to do that damage and the other consequences be damned. Operatives do not fear getting caught, only being exposed before they are ready to be exposed. If the point is terror then the goal is exposure. If the point is data gathering then the goal is stealth.

Unlike criminals, wartime operatives sometimes just want to do damage, which may include both deleting data and corrupting backups, not to reap profit but rather to inflict pain.

Much as I dislike the analogy, it is apt here: sexually transmitted diseases (STDs). The problem is not just you, or your current partner, but all the partners of your partners. Attacking excellently-defended organizations through their supply chains or their tool chains is now the norm. If you are along the chain you are collateral damage even if you are not the primary target.

So back to how ready you are for fallout from this new conflict.

Were you prepared already? Pat yourself on the back if your Cybersecurity Risk list already had "cyber attacks by foreign operators, perhaps on a wartime footing."

Were you prepared to be prepared? Second place if your Cybersecurity Program already had the extra bandwidth and resources to do the necessary review and update of policies and procedures and redeployment of resources to handle a major geopolitical shift.

Were you able to pivot? Third place if your cybersecurity team had the talent and latitude to reshuffle priorities and go on high alert just in case.

Are you adopting a wait-and-see approach? That might work. It might even be a reasonable response to your situation. But that is not the way to bet.

The unforeseen (didn't see it coming) and the unforeseeable (no one saw it coming) are either welcome confirmation that your cybersecurity program is robust or they are wake-up calls that more work is needed.

Mitigating risk is hard. Setting priorities is hard. Allocating resources is hard. We can help. Ask us how.
