Cybersecurity: Can Your Organization Pass the 60 Minutes Test?
Cybersecurity is at the forefront of many people’s minds right now — and for good reason.
In May, a ransomware attack on Colonial Pipeline interrupted the flow of fuel through 5,500 miles of pipeline responsible for distributing 2.5 million gallons of gasoline to the East Coast of the United States. As a result, the threat spurred thousands of headlines and soaring gas prices as consumers flocked to the pumps, anticipating a shortage.
Microsoft also recently announced that hackers targeted 3,000 email accounts across 150 government agencies, think tanks and other organizations. Several days later, a separate ransomware attack caused JBS Foods, the world’s largest meat packing company, to close down all of its US beef plants – affecting at least 20% of US beef production.
In light of these recent and increasingly sophisticated threats, let’s explore today’s cybersecurity landscape and a conceptual model that can help strengthen your cyber risk management strategy: the “60 Minutes Test.”
The Current State of Cybersecurity
If you feel like the number of cyberattacks like the Colonial Pipeline ransomware reported on the nightly news has gone up in recent years, you’re not wrong. According to Statista, the annual number of data breaches over the last decade has grown from a mere 662 in 2010 to over a thousand by 2020.
According to Gartner, cyber vulnerabilities are especially acute this year due to the rapid organizational changes needed to protect employees and serve customers amid a pandemic. Despite increased cybersecurity spending, though, only 24% of organizations routinely follow cybersecurity best practices.
For the public, these metrics are worrisome. For those in IT, they can seem like a display of the inevitable. The truth is that 87% of organizations have had an existing, known vulnerability on their systems tested by hackers.
With the average breach costing $3.86 million, cybersecurity is a critical part of organizational stability, risk management and digital optimization.
“It comes down to not thinking about cybersecurity as a separate entity, but as part of your overall business risk management” explains Alan Hendricks, Senior Director of Cybersecurity Practice at DMI. “Planning is key.”
Cybersecurity & Digital Optimization
Digital optimization is the practice of honing, modernizing and evolving an enterprise’s current IT investments to strengthen its business model. Optimizing refines your overall digital business strategy to embrace existing solutions, modernize those that need improvements, and replace others that no longer meet the business’s needs.
Cybersecurity is an IT discipline that falls within the digital optimization process. As an organization’s current cyberattack surface expands, it’s critical that businesses understand the existing elements of their ecosystem that need to be updated, changed or removed, and where the highest risk targets exist.
“Organizations need to be aware of what they have and how it ties to their critical business functions,” Hendricks says. “That allows them to prioritize the data and systems they need to protect. Then, you determine the security measures that make the most sense from a cost-benefit perspective to address the security implications associated with your most critical assets.”
The 60 Minutes Test
We mentioned that the 60 Minutes Test is a model that can help you improve your cyber risk management strategy. So, what exactly is it and how does it play into digital optimization initiatives?
First, let’s not confuse the 60 Minutes Test with the 1/10/60 Minute Challenge introduced by CrowdStrike in 2017. This framework is based on the idea that it takes an intruder one hour and 58 minutes on average to move laterally from the initial breach point to other systems within a network. In other words, how long it takes for an incident to blossom into a breach.
Under the 1/10/60 Minute Challenge, organizations strive to meet the following response times:
- Intrusion detection: 1 minute
- Investigate and understand: 10 minutes
- Eject the bad actor: 60 minutes
While there are merits to this framework, aiming for a 60-minute ejection may not be practical for your organization. Some need to respond faster.
Perhaps you manage consumer data or proprietary information, the release of which could harm your company’s reputation or competitive advantage. Cyberattacks against defense, healthcare and other critical infrastructure sectors pose significant health and safety risks and need to be resolved quickly.
Thus, it helps to take a conceptual approach. Imagine you’re being interviewed for the popular broadcast program, 60 Minutes. If your network was breached, what would an investigative reporter find? Would they see an organization that did everything to protect their assets and customers that they could? Or would they see an ecosystem fraught with holes and potential entry points?
Essentially, if you were on the hot seat, would you be asked if you can think of anything more you could have done, or would you be asked how a breach didn’t happen sooner?
“The 60 Minutes Test isn’t a real test. It’s a concept,” Hendricks explains. “Nobody wants a cyberattack at their company to make the news. By approaching cyber risk management through the lens of the 60 Minutes Test, you’re saying ‘I’ve done my due diligence.’”
“As cyber professionals, we need to be prepared for bad days,” Alan continues, “because bad days will happen. It’s a matter of how prepared we are to deal with it. If we’ve developed a strategy and put the right kinds of security measures in place, then we’ll be able to respond to threats in an organized, structured way — and the investigative reporter isn’t going to find anything newsworthy.”
The benefits of thinking about your cyber risk management strategy in this way are reflected in the stock market. While data breaches and other incidents often drive down stock prices in the short term, research from MIT’s Sloan School of Management suggests that having an effective response strategy can minimize the duration of negative market reactions in the long-term. Thus, companies’ stock prices can recover more quickly than if they hadn’t done their due diligence.
It’s important to note that improving your cybersecurity practices doesn’t mean ripping out existing processes and infrastructure root and branch and replacing them. The costs would be staggering, and the implementation effort would leave the business exposed in the meantime.
Instead, organizations need to begin by reviewing their existing risk mitigation plans and optimizing their cybersecurity procedures. It may not be possible to detect a breach within moments today, but ensuring that simple steps like software updates, email governance procedures and training, as well as migrating away from old, unsupported software and systems, can help organizations avoid 93% of breaches.
Cybersecurity is an important part of corporate risk management, and ignoring it or treating it as a checkbox instead of a discipline can result in millions of dollars lost and reputations damaged. It’s also an element that falls under the umbrella of digital optimization. By reviewing and understanding your organization’s current state, informed prioritization can be done to update, migrate or replace those parts of the ecosystem that elevate the risk.
It’s likely that work will need to be done to get your business closer to the 60-minute detection, investigation and ejection of an intruder to effectively respond to a breach. However, by optimizing your existing systems and processes, a vast majority of breach vectors can be minimized, buying you time to address and mitigate other cybersecurity risks.
Not every organization has the skill set in-house to understand what protections in place are effective and which need re-evaluation. And, according to Gartner, 80% of organizations expect to be using cybersecurity as a service by 2023.
DMI combines the full spectrum of cybersecurity skills needed to help you identify and plan your security strategy to address risk today and implement the right systems and processes tomorrow. Our focus is on a collaborative approach that addresses the business needs, first, with the right technology solutions.
Contact DMI today and let us show you how optimizing your existing cybersecurity can reduce your risk and protect your business.