Ajay Jotwani is cofounder and CEO of i2Chain Inc., a SaaS infosec micro-services platform.
As we dive into Q1, executives are thinking carefully about priorities for their operations, internal business processes and budgets. In many cases, cybersecurity will not top these lists. This could have serious consequences: Globally, the number of enterprise-level cyber attacks has risen exponentially in the past year; recent estimates put these numbers at around 500 million worldwide. In 2021, of the total number of entities attacked, 16% were hacked once, but 60% were hacked twice or more. In September 2022 alone, hackers successfully gained access to and compromised 35 million files, targeting companies’ “crown jewels” (flagship assets, highly sensitive files, or data).
Breaches caused by ransomware in particular have increased not only in number (by 41% in 2022 alone), but in cost. The “ransom” for these breaches—that is, the amount the attacker requests in exchange for a company’s stolen assets, files, data, or systems—has become increasingly expensive, averaging over $800,000 per attack in 2021. By comparison, that number was closer to $500 in 2016. And the total cost to companies for the entire recovery effort averages $1.4 million. Small businesses are also significantly impacted: 43% of data breaches involve small businesses, leading 60% of these businesses to file for bankruptcy within six months of the attack.
Viewed as a criminal “industry,” cybercrime is now expected to amount to 1-2% of the global GDP, or $1-2 trillion—and that number is expected to grow with each passing year. Intellectual property theft has also become part of the cybercrime ecosystem; Mark Warner, head of the U.S. Select Committee on Intelligence, has said that the United States alone loses $600 billion annually in IP theft.
Due to the growing frequency, sophistication, and magnitude of cybercrime events, it is more and more difficult to safeguard an enterprise from breaches such as ransomware attacks. As a result, executives who do not make plans to prioritize cybersecurity are not just taking a passive risk—they are actively courting danger.
Too Many Footholds On The Wall
Cyber attacks are crimes of opportunity. Say we view cybersecurity as a metaphorical wall around an organization’s data and systems: A cybercriminal only needs one foothold to climb that wall, and most companies offer them a plethora of possible footholds. For example, a midsize company may have multiple data centers, databases, middleware, and application interfaces, all of which are vulnerable to hacking and ransomware. And then, crucially, they have users—sometimes thousands—each with their own credentials and multiple devices through which they routinely log into the system.
A hacker may only need one person’s credentials to gain access to a company’s data, including the crown jewels. As a result, the effort a hacker must expend to gain access and the effort enterprises must expend to proactively secure their data are notably disproportionate. And that’s the fundamental problem: cybersecurity initiatives are a millimeter deep and a mile wide.
Enterprises are constantly being attacked. Many can now respond quickly because they’ve made significant investments designed to help them respond to threats. However, until you invest in both response and prevention, you’ll never get ahead of your adversaries.
Three Tenets Of Cyber Attack Prevention
Traditional means of securing data and information are no longer sufficient to protect companies’ information assets and crown jewels, which can be stolen by both outsiders and insiders unless prevention strategies get ahead of hackers’ breaching capabilities. While there are many ways to defend, here are three tenets of a well-developed breach prevention strategy:
1. Keep The ‘Crown Jewels’ Out Of Sight
Access to the crown jewels and sensitive files, assets, or data must be completely encrypted and kept in digital “sealed enclosures” that are invisible to all but the users with authorized credentials. I recommend using decoy URLs, which look and feel like the actual files, and routing all authorized access through these decoys. The crown jewels must remain in sealed enclosures, ideally in proxy domains to prevent improper access even if credentials are breached. To prevent more sophisticated attacks, each artifact should be exclusively encrypted and permissioned, and activity on the data should be traceable so that forensic evidence can be harvested. Taking these steps is how you leverage all three tenets simultaneously. It is not enough for crown jewels not to be directly accessible to users—they must be invisible.
2. Maintain Strict And Up-to-Date Permissions
On the face of it, maintaining up-to-date permissions seems obvious—but it depends on employees adhering to the policies. Consider Edward Snowden, who was able to take a large number of files from what was supposedly the most secure facility, the National Security Agency, on his USB drive, and fly out of the country. How was this possible? Because permissions were not enforceable across private stores and untrusted networks. Permissions should automatically expire for ex-employees, and previously granted access should immediately be revoked. Moreover, permission status must be consistent across all networks, applications, and domains. I recommend exclusively encrypting each artifact in a sealed enclosure and making permissions automatically consistent and enforceable across untrusted networks—and then maintaining this standard in perpetuity.
3. Track And Trace Everything
This essential tip is even referenced in the White House cybersecurity guidelines: Maintain audit logs and traceability for every action that is taken. Consider this practice through the lens of a different area of prevention: traffic violations. How do you enforce speed limits to prevent someone from driving 100 miles an hour when they don’t see police cars around? You install cameras everywhere, and say, “Don’t speed—these cameras are watching you.” In cybersecurity, audit logs function the same way. Every action taken is automatically recorded in the log, along with the identity of the actor. Simply keeping that log can itself significantly reduce the number of breaches, both from inside as well as outside the company.
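Tenets 2 and 3 can be seen working together in the sketch below, an added example that is not from the article or from any product it mentions. The `AccessBroker` and `Grant` names and the in-memory store are hypothetical; per-artifact encryption is assumed to sit behind the broker and is not shown.

```python
import time
from dataclasses import dataclass, field

@dataclass
class Grant:
    user: str
    artifact: str
    expires_at: float      # epoch seconds; every grant must carry an expiry
    revoked: bool = False

@dataclass
class AccessBroker:
    """Hypothetical broker: the single path to any protected artifact."""
    grants: dict = field(default_factory=dict)     # (user, artifact) -> Grant
    audit_log: list = field(default_factory=list)  # append-only record of every decision

    def grant(self, admin, user, artifact, ttl_seconds, now=None):
        now = time.time() if now is None else now
        self.grants[(user, artifact)] = Grant(user, artifact, now + ttl_seconds)
        self._record(now, admin, "grant", artifact, "ok", f"to={user} ttl={ttl_seconds}")

    def revoke_user(self, admin, user, now=None):
        """Offboarding: revoke every grant the user holds, effective immediately."""
        now = time.time() if now is None else now
        for g in self.grants.values():
            if g.user == user and not g.revoked:
                g.revoked = True
                self._record(now, admin, "revoke", g.artifact, "ok", f"user={user}")

    def access(self, user, artifact, now=None):
        """Default deny; the decision is logged whether it allows or denies."""
        now = time.time() if now is None else now
        g = self.grants.get((user, artifact))
        if g is None:
            reason = "no_grant"
        elif g.revoked:
            reason = "revoked"
        elif now >= g.expires_at:
            reason = "expired"
        else:
            reason = None
        outcome = "allow" if reason is None else "deny"
        self._record(now, user, "access", artifact, outcome, reason or "")
        return reason is None

    def _record(self, ts, actor, action, artifact, outcome, detail):
        self.audit_log.append({"ts": ts, "actor": actor, "action": action,
                               "artifact": artifact, "outcome": outcome, "detail": detail})
```

Denied attempts are logged with the same fields as allowed ones, so repeated `deny` entries for a revoked or expired user are visible in review.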
While there are, of course, more intricate strategies for cybersecurity, these tenets are the most basic, non-negotiable steps for fortifying a system against breaches and attacks. And yet, not enough company heads are taking steps to proactively mitigate risks, in spite of the magnitude of the threats their systems face. As executives review their budgets for the coming year, cybersecurity must not be simply a “nice to have.” Instead, protecting enterprise IP, data and valuable assets must be a business priority.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.