Assume Breach Mentality

Given today’s ever-changing threat landscape, it’s important to recognise that our approach to cybersecurity breaches (such as ransomware, for example) needs to change. IT professionals have often told their clients or line managers to adopt a mindset of “it’s not if we suffer an attack, it’s when”. However, security prevention measures and technologies implemented by adopting this mindset are not enough to guarantee safety from an attack. We suggest a new mindset: one of assuming your business has already been breached.

This mindset will bring its own challenges of course, but it will reshape how we think about detection and response strategies and push businesses’ infrastructure to the very limit of the people, process and technology methodology. We call this the “assume breach” approach.

Using only technologies like anti-virus or intrusion detection systems, it is difficult to fully capture and/or mitigate the depth and breadth of today’s breaches. Network edge controls might keep some perpetrators out, but more resourceful and skilled cybercriminals will all too often find a way to get in. The result is that businesses are often not prepared enough to deal with these breaches when faced with the harsh reality of the scale of an attack or breach.

Whilst some experts point out that assuming a breach can have its flaws as a primary strategy, I would point to the fact that “assume breach” is a mindset as opposed to a framework. The zero-trust model is a framework that is very much the way forward and has “assume breach” as one of its guiding principles. Interestingly, the US government has enforced that all Federal agencies have until 2024 to adopt a zero-trust strategy.

The “assume breach” mentality should help guide decision-makers when discussing investments in security technologies, operational best practices, and secure architecture designs. The mentality seeks to limit the overall trust placed in networks, applications, services, and devices, both IT and OT, by treating them all as not secure and even already compromised.

“Assume breach” changes the security focus by highlighting gaps in:

  • Detection of attack and penetration
  • Response to attack and penetration
  • Recovery from data leakage or compromised data integrity
  • Prevention of future attacks and penetration

It seeks to verify that protection, detection and response playbooks are implemented properly, with the aim of reducing potential threats from would-be knowledgeable attackers.

How to implement the “assume breach” mentality

1. People

Employees are both our biggest asset and our weakest link. Unfortunately, research shows that up to 90% of data breaches happen as a result of human error (for example, an employee unknowingly clicks on a phishing link).

Operating with the “assume breach” mindset reduces the overall chances of data breaches occurring through driving continuous education, awareness and caution. Under the “assume breach” paradigm, everyone learns to treat applications, services, identities and networks as possibly already compromised, which limits the trust placed in them.

Instilling this approach requires using a good cybersecurity awareness training platform to educate all personnel – from employees to contractors, c-suite executives and third-party vendors – on how to spot the signs of a cyberattack attempt, such as phishing. Operate a think-before-you-click approach when sending and receiving emails, especially those with attachments and/or links. Keeping a log of user activity is also highly recommended: what data is being accessed, by whom and from where, etc. This is even more applicable where data is of a sensitive nature.

2. Processes

While education arms employees to understand signs of a breach and what to avoid, processes enforce and formalise the application of these lessons. Processes might include an information security policy, acceptable usage policy, and a bring-your-own-device (BYOD) policy, among others. These form the “rules” that businesses must ensure are enforced to help employees to carry out their roles and responsibilities in protecting against or identifying breaches.

Restricting access to sensitive data reduces the potential for data compromise. Operating a policy of “least privilege first” is one good method of enforcing this. Users only get access based on their specified privilege limits or by means of a signed approval process before access is granted. This multi-layered threat restriction approach makes the “assume breach” mentality very effective in trying to prevent supply chain attacks.
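The logging recommended above (what data is accessed, by whom and from where) and the approval-based least-privilege policy described here can be combined into a simple review check. The following is an added example, not code from the original article or from Numata; the approval register, known locations and log lines are all constructed for illustration.

```python
"""Review a data-access log against least-privilege approvals (constructed example)."""
from collections import namedtuple

AccessEvent = namedtuple("AccessEvent", "user resource sensitivity location")

# Hypothetical approval register: (user, resource) pairs for which a signed
# approval exists, i.e. the user's specified privilege limits.
APPROVED_ACCESS = {
    ("alice", "hr-payroll"),
    ("bob", "sales-crm"),
}

# Hypothetical record of where each user normally works from.
KNOWN_LOCATIONS = {
    "alice": {"office-london"},
    "bob": {"office-london", "home-vpn"},
}

# Constructed sample log lines: user,resource,sensitivity,location
SAMPLE_LOG = """\
alice,hr-payroll,sensitive,office-london
bob,sales-crm,internal,home-vpn
bob,hr-payroll,sensitive,home-vpn
alice,hr-payroll,sensitive,cafe-wifi
"""


def parse_log(text):
    """Turn the comma-separated log text into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, resource, sensitivity, location = line.split(",")
        events.append(AccessEvent(user, resource, sensitivity, location))
    return events


def review_access(events, approved, known_locations):
    """Return (event, reason) pairs that warrant investigation.

    Two checks apply the 'assume breach' stance to the log: access without an
    approval on record, and sensitive data accessed from an unfamiliar location.
    """
    findings = []
    for ev in events:
        if (ev.user, ev.resource) not in approved:
            findings.append((ev, "no approval on record for this resource"))
        usual = known_locations.get(ev.user, set())
        if ev.sensitivity == "sensitive" and ev.location not in usual:
            findings.append((ev, "sensitive data accessed from an unfamiliar location"))
    return findings
```

Running `review_access(parse_log(SAMPLE_LOG), APPROVED_ACCESS, KNOWN_LOCATIONS)` flags bob's unapproved payroll access and alice's payroll access from an unfamiliar location, while the two in-policy events pass.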

Creating an Incident Response Plan (IRP) is another vital component of the “assume breach” mindset. This lays out a step-by-step approach to what needs to happen in the event of a breach, from who to contact to how to handle communications and how to identify lessons learned to prevent future events.

3. Technology

Implementation of technology solutions should focus its support efforts on two areas:

  1. Keeping threats out of the system: When it comes to keeping threats out, the best approach to be applied to security systems is to implement layered security or defence in depth. This entails assuming one layer will fail and setting up a next level that would then need to be breached.
  2. Remediating threats within the system: When a threat breaks through all defences it needs to be isolated, confined and remediated ASAP. This is where an IRP will prove its value and, together with a Zero Trust framework, will help keep the breach or attack isolated. The IRP should be reviewed at least annually to ensure it is up-to-date and still effective.

Get in touch to find out how Numata Business IT can help to implement a zero-trust approach to cybersecurity and data protection to protect your people, your profit and your digital asset. Your initial consultation is free.
