Investing in Security for Your Company: Where to Start?

No matter how much money you spend on security, you are never going to prevent an incident, a bridge, a hack- something -penetrating your network.  I’m not saying this as a you should throw your hands up in the air and just say, “Oh we give up because we can’t do anything about it in the first place.”   

Yes you can do something about it! 

A common conversation we have with security takes usually one of two paths:  it’s either, “We have nothing that a hacker would want so we don’t need to spend any money on it,” or “It’s too expensive for us to invest in security and then we’re not going to do it either,” and “It doesn’t really matter, it’s OK if we have something happen to us because we’re not doing anything critical, there’s nothing that’s really important here…”   

Let’s dispel a few of those things. So the first thing: you absolutely have something that a hacker wants:   you have resources, that you have paid for you to use.  You have computers, you have employees working at those computers, you have money in your bank accounts, you have access to your customers’ data information systems, resources, etc  

If we go back and look at massive MASSIVE major hacks: Target had a massive breach where spyware was running on their point of sales terminals harvesting credit cards. How did Target’s network get penetrated?  

Well, Target’s network was penetrated because their HVAC contractor had access to Targets network so that way they can monitor and manage the HVAC systems inside of Target facilities. What was the threat vector? The threat factor was the sub-contractor for the HVAC systems, and then going through that way. So the HVAC company would say, “Oh, we don’t have anything of value, nobody wants to hack us.” Of course they wanted to hack you! You gave them access into Target’s systems they could install and monitor and collect credit cards off of Target’s platform.  

So I don’t care if it’s just a bank account, I don’t care if it’s your phone system… there’s PLENTY of organized crime examples of people’s phone systems being hacked into and long distance being run through it. And if your phone system is compromised and somebody runs $100,000 long distance or international calling through your phone system over the course of the weekend -this is not a hypothetical example, this is a true story- it happens all the time.  

What happens with the phone company says, “Hey you owe us $100,000!”  And you’re going to say, “Well, no, I didn’t make the phone calls…” and they’ll say, “Well, yeah, you did, and we completed it. And guess what you’re going to have to pay us for it. 

Let’s dispel this myth that you have nothing that matters. Outside of just the fact that you do have money in your bank accounts or that somebody shuts down your entire network and none of your employees can actually work or do anything and then you have to pay them in order to recover from that, you absolutely have something that a hacker wants.  

The other part of this is “it’s too expensive.”  There’s a lot of acronyms and security and we can talk about SLM, and SIM and threat intelligence and CASB and SASE, and all these different things and the important thing to understand here with it is: it’s not one size fits all.  If you’re a defense contractor you have a different security requirement that if you’re an investment bank, than if you’re a manufacturer than if you’re hospital, than if you’re and insurance agency. So based on what you’re actually doing and how big you are –obviously a billion dollar business has a different security requirement than a $10,000,000 business– so where you fit into appropriately within that scale really impacts that a lot. 

Some honest realities of this:  

  • No matter how much money you spend on security you are never going to prevent an incident, a bridge, a hack, -something penetrating your network.  I’m not saying this as a you should throw your hands up in the air and just so we give up because we can’t do anything about it in the first place. 
  • Yes, you can do something about it  
  • The name of the game’s security is too lower the amount of damage that’s done to you.  you want to decrease the amount of time it takes to detect that something has happened, and you want to increase the amount of time it is for you to respond to it. 
  • Instead of talking about stat around 120-day dwell time, if you can lower 120 days dwell time down to you know even 30 days, it will have a massively different effect for you on your network.  now you’re not talking about data exfiltration, you’re not talking about all these other things that could potentially happen to you.  

We see on these “hacker forums” where people have compromised some network and now, they’re going out and they’re subcontracting to other people to help them figure out how to exploit the network in a bigger way! For example: “oh, we got under this resource, now let’s go jump over here, what else can we do? Maybe there’s something valuable, we don’t know what’s here, we know we have access to it so let’s poke around until we find something that might be interesting to us.” 

Security is not about insurance, it’s not about absolute prevention, it’s not about nothing will ever happen to you, security is a measured response based on the particulars of your business and what is unique about business.  

If you’re going down this path and you’re looking for help with security, you don’t know where to start, and you don’t even know what’s appropriate to you, give us a call ITBroker.com. We will have a conversation with you, we’ll help you align with best practices based on your actual unique business, what industry are in, how much revenue you have, how big the company is, what your threat vectors are- all these fun things you don’t want to really talk about the first place…  

We will help you match up with the right technology and the best vendor for you so that way you can have better peace of mind at night and not worry about what is going on with your systems and your network. 

Featured Posts