The cybersecurity world is a mess. It may seem like progress that the rate of publicly reported data breaches this year is on track to be less than in 2020, but let me assure you, it certainly is not progress.
Data breaches have decreased because a more profitable attack has taken its place: ransomware. According to Computer Weekly, ransomware attacks have increased by 93% from the same time period in 2020. Combine this with the FBI’s 2020 report that 57% of all reported ransomware attacks in August and September of that year were targeted at K-12, and the concern should skyrocket. According to CBS News, the average ransom paid by schools was $50,000, and the largest payout was $1.4 million.
However, ransomware and data breaches are the symptom, not the disease. When we as a cybersecurity and physical security community get a handle on ransomware attacks, there will be another type of attack to take its place. The issue is not that there are attacks, the issue is the culture in our schools and universities.
The only way to start gaining ground in the cyber war is to instill a culture of security at every level. The only way this culture can be created is through command emphasis from the top of our organizations. A fundamental culture change must happen in leadership to drive that change. Leaders must understand the challenge they are facing to keep the data and the students they are entrusted with safe.
In this article, I will discuss three topics every leader must understand so they can effectively lead security strategies and create a culture of security.
1. Your Perception of Cybercriminals Is Wrong
We as leaders underestimate our adversary. When we close our eyes and imagine who the hackers are, we envision a person in their parent’s basement, dirty and socially awkward pounding on their keyboards at 3 a.m. This perception is not accurate.
[promo_content slug=”csc-edspaces-robuck-promo”]
There are entire companies dedicated to stealing your data and making you pay a ransom for the privilege to exist. There are countries with cyber armies in the tens of thousands that can see your vulnerabilities at the speed of light from half a world away. Even beginners have enough free tools and training at their disposal to become a threat in a matter of weeks. Each of these enemies is more dedicated to stealing data that our leaders are not prepared to protect.
2. The Bad Guys Are Motivated and Singularly Focused
It is understandable if you cringed at that last sentence. However, it is the second issue we are missing as leaders: the bad guys are far more committed to stealing an organization’s data and encrypting their systems then an organization’s leaders are to protecting their data and systems.
This is not an issue of competence, but one of time and culture. Cybercriminals have the luxury of being singularly focused on attacking. All of their research and development is aimed at breaking into systems and making money on data theft and encryption.
Because of a lack of understanding about cybersecurity issues at the highest level of most organizations, the commitment to protection is nowhere near the bad guys’ commitment to invasion, which hands them an enormous advantage.
3. Good Cybersecurity Policies and Procedures Are Critical
The third issue is that there is a lack of written down, understandable, and enforceable policies guiding our organizations through this crisis. Schools, institutions of higher education and healthcare facilities must have all aspects of their infrastructure and employee cyber hygiene under control or there will be an attack.
The visibility into organizational vulnerabilities is staggering. Any misstep by an organization can immediately be detected by cybercriminals. The only way to counteract this is with written policies, procedures, and guidelines that are understood and followed by everyone. A framework like the NIST 800-53 or the ISO 27001 must be implemented a taught.
I understand that this is a massive undertaking for campus leadership. Other responsibilities take our time and attention. This problem must be solved by understanding, then delegating.
A competent chief information security officer is a good first step, however, leaders can delegate authority but not responsibility. The responsibility to keep data safe still falls on an organization’s executives.
Every leader must understand who the enemy is, how they behave and why. They must push a culture of leadership through a framework and be as committed to protecting their organizations as the bad guys are to attacking them.
Erick Robuck is CEO CISO of Valander Cybersecurity.