Cyber Security is easy, right? – Say no to old, cheap microwaves.

What is this about, I hear you shout!? Stick with me on this.

We can all agree that cyber security is a complex, seemingly almost impossible problem to solve.

Cyber security is a relatively new problem, so we should look to other more established sectors and see what lessons we can learn. I had decided to look into the reduction of fire-related incidents attended by the fire and rescue service, and discovered that the total number of reported fire-related incidents in England has halved since 2004.

Was this drop in numbers the result of building more fire stations, purchasing more fire engines, and employing more fire crews? No. We can all agree that there are far fewer fire engines and crews compared to a decade ago (around a 20% reduction in the past 10 years), and a lot more houses and people. If we look at fire fighting technology we can see that there have been improvements related to fire engine appliances and pumps; however, in general the fire fighting equipment and techniques used for house fires remain largely unchanged over the past 20 years. Of course there have been advances, but their impact on reducing the number of incidents is minor; the improvements are related to how efficiently fires can be extinguished.

Perhaps it was due to smoke detectors? Almost every home has a smoke or heat detector, and in general we understand the difference this can make with detecting and alerting us to a fire, and how vitally important early detection is. We can agree that the benefit of smoke detectors has been proven over and over again. The fire brigade have been involved in proactively visiting residents and offering free smoke alarms for many years now, which shows it was understood how important early detection is. This is something we also understand within cyber security.

These are two main factors which can be attributed to the fire and rescue service to some extent, and we can agree that these factors alone would not have contributed to a reduction in the total number of fires during a period when the number of houses was increasing.

If Cyber Security analysts and Cyber Security Operations Centres are our fire brigade, then we also need to understand and accept their limitations in preventing and reducing incidents. Yes, they can respond to incidents and take mitigating actions; yes, they can create custom alerts and monitor the environment to identify an early stage attack and react quickly. This is our reactive response, to limit the damage after an event has happened, and best contain the negative impact. (After the event).

We have to accept that our fire and rescue service (our cyber analysts and responders) can only do so much; their reach and influence only goes so far.

This is where Building Control and Regulations come in. There is an endless number of factors which can potentially contribute to a fire starting, and to the impact of that fire.

These include faulty mains electric or gas, falling asleep while smoking, open flames, cooking, and even a fire that starts in a neighbouring house that impacts our own. More fire appliances and crews were not the answer; they were definitely part of the solution, but not the whole solution.

Building control and regulations were brought in, and tightened over time, which set standards for both the building and any utilities installed. Tradesmen were required to meet certain standards to ensure work was completed competently, and materials used also had to meet certain standards. Any DIY work also had to meet building standards and regulations.

There were also new standards introduced which applied to electrical and gas appliances, and the materials which could be used for soft furnishings.

These controls reduced both the likelihood of a fire starting and its ability to easily spread, reducing the potential impact should one start. This quality control also contributed massively towards fire prevention.

If we look at our business as a house that we want to protect from fire, we also need to focus heavily on protective measures and controls, not just fire engines and smoke alarms.

Let’s accept that preventing cyber attacks requires more than a cyber team; it requires quality controls within all areas of the organisation, and inspections conducted by experts to validate that the work has been carried out competently.

We need to build and maintain a safe house, with as many preventative controls as responsive controls. If we don’t give quality control enough focus, no amount of cyber analysts and tools will be able to prevent or limit the impact of attacks. If you build a house without using flame retardant materials or furnishings, install faulty wiring or gas supply, and don’t undertake any inspections to ensure it meets the required standards, 5 fire engines parked outside the house 24/7 won’t prevent a fire. Yes there would be ample responders to limit the damage in the event of a fire, but is this really the most cost effective, or efficient way of protecting the building?

This also relates to cyber security, where recruiting more and more analysts, or implementing more and more “cyber-systems” is not always the correct answer.

We also have to remember there is collateral damage caused by the water used to put out the fire, and the same applies to preventing the escalation of a cyber incident. The techniques required to stop a serious cyber attack that is active on our network can be as disruptive as the attack itself. Reinstalling devices, resetting passwords, disabling sections of the network, or shutting down systems to prevent further damage are all actions which may be required. Prioritising prevention over fast response is more effective (and cost effective) in the long run.

Let’s look at our businesses and organisations differently and understand that yes, we do need fire fighters and fire engines; however, just getting more of them and having them parked outside is not the answer to the “cyber” problem. Let’s implement building controls to improve the materials we use to build our house, and the items we choose to furnish it with. We would all think twice before using an old microwave with frayed wires and a damaged cover, as we know the risk this poses, and it’s something most of us would avoid.

We need to take the same approach when installing new software or implementing new systems within our organisations. Let’s not install something which poses a high risk of causing an incident because we think our cyber teams can respond quickly to any attack. As we have discussed previously, there is a difference between responding to, and preventing, an attack.

From a business standpoint, we wouldn’t use a damaged microwave just because it was cheap and then hire a private fire crew to offset the risk, would we?

Introducing risky systems, processes or software and thinking the risk is reduced because we have our own internal cyber team or MSP is missing the point. This is why “Secure by Default” is such an important concept, in the same way building controls massively contribute to the reduction of house fires. We have looked at Secure by Design principles in earlier blogs, one of which can be found here.

We’re definitely not saying that cyber analysts and responders provide no value. It’s important to understand that they are one piece of the puzzle; they should form part of an overall strategy that looks to ideally prevent incidents using a holistic approach across the whole organisation.

Next time you are offered the equivalent of a cheap, old and rusty microwave, just say “no thanks”.

Cyber security is easy, right?