Tag Archives: force protection

Most SMB’s don’t consider cyberattack a substantial risk to their business

Ponemon Institute has released its Risk of an Uncertain Security Strategy study.  It surveyed over 2000 IT professionals overseeing the security role in their respective organizations.  The study identified 7 consequent risks of uncertainty in security strategy:

1. Cyber attacks go undetected
2. Data breach root causes are not determined
3. Intelligence to stop exploits is not actionable
4. Cybersecurity is not a priority
5. Weak business case for investing in cyber security
6. Mobility and BYOD security ambiguity
7. Financial impact of cyber crime is unknown

Most respondents believe that compliance efforts did not enhance security posture: [Do you agree that] “compliance standards do not lead to a stronger security posture?”

ponemoncompliancegraphic

Types of attacks that respondents reported are summarized as:

ponemontypesofattack

Notably, 31% of respondents said that no one person or role was in charge of establishing security priorities.  58% said that management does not see cybersecurity as a significant risk. Finally, the study also indicated that the further up one went in the organization’s hierarchy, the more distant they were from understanding the organization’s cyber risk and related strategy. While not surprising, this is discouraging.

I keep getting back to the idea of force protection that the military had to develop 30 years ago. In response to world events to include attacks on bases and personnel, the military realized that it needed to explicitly remove resources, funds, and capacity off of the operational (pointy) end and use them to protect and resource the rear if they were to be survivable and sustainable. Over time, I think the market will bear this out too for most SMB’s. That is, I believe that those businesses that have been successful over several years will tend to be the ones that have made some investment in cybersecurity and resilience. And of the businesses that disappear after a short time, a high correlation will be made with those that did not invest in resilience.

Even though these conclusions might be fairly obvious, it’s not going to be pretty to watch.

Force Protection & SMB Information Risk Management

chestypullerThe term “force protection” entered the American military vernacular in the late 70’s and 80’s in response to several events.  One of the key drivers, though not the only driver,  was the activities of the Red Army Faction or “Baader Meinhof Group”.  This group was responsible for several bombings, assassinations, & kidnappings over three decades.  As US bases and US military personnel were frequently the targets of these attacks (as well as attacks from other groups), the need to develop specific plans to protect ‘the rear’ began to be articulated. In effect, ‘the rear’ was no longer the rear.

Military organizations have always been aware of the concept of ‘protecting the rear’ or ‘covering your flank.’  However, the asymmetric, unpredictable aspects of these attacks put the military in the position of having to explicitly define a process for protection of assets that were not traditionally in harm’s way. Further, by naming and mandating the process, it was clear that some percentage of resources originally intended for forward operations would need to be diverted to support force protection. This was a shift in thinking.

I believe a similar thing could be occurring with managing information risk and security in small to medium-sized businesses (SMB’s).  Relatively suddenly, these businesses are finding themselves in hostile territory and if they want to stay in business, then they must dedicate some operational resources — whether marketing, production, R&D, revenue, etc — to support these protective and risk-lowering activities.

Early Marine Corps doctrine on force protection

I found a Marine Corps publication, “AntiTerrorism/Force Protection Campaign Plan” from 1998 that presents some operational concepts that could be helpful analogies to the issue of information risk and security for SMB’s.

The publication provides some definition of force protection:

In its purest sense, force protection is an overarching concept. It includes those procedural, training, equipment and leadership principles necessary to ensure … safety and well-being … In essence, force protection is an inherent function of [leadership] and as such should be an integral part of the way we do business on a daily basis.

Similarity in threat analysis

It goes on to describe analysis of the threat as considering a stool with three legs — Does the enemy have

  • motivation
  • means
  • opportunity

We can apply similar analysis to SMB information risk.

  • Does ‘the enemy’ (criminals or nation-state actors) have motivation to attack or compromise an SMB’s information assets?  Yes, certainly.  A successful attack provides, 1) potential revenue, 2) an attack point for attacks on other, possibly larger, more lucrative businesses
  • Do they have the means? Yes. They have readily available computers, pre-built networks for attacks, often anonymity, and sometimes protection from their parent state (country)
  • Do they have the opportunity? Yes. There are many poorly protected and non-resilient SMB computer networks available for attack.
Marine Corps operational doctrine on force protection (from 1998) Potential analogies in SMB information risk management
“Force protection is an operational aspect of every mission …” For example, resources are shifted away from marketing, R&D, production, etc to support SMB’s information infrastructure
Work to “eliminate the belief [by the enemy] that opportunity [for attack] exists” Employ basic measures such as anti-virus, firewalls, managed/standardized computers, and awareness education to create an unappealing risk/value proposition for potential attackers
“The value of alarms and drills…[Leaders] at every level should develop recognizable alarms for potential emergencies and critical incidents.” Rehearse disaster recovery and business continuity plans. Practice activities such as data recovery tests.

The US military found itself in a position of having to develop and evolve a practice to address a fairly sudden new threat that was also evolving, as well as unconventional, and unpredictable. Similarly, to remain relevant and to maximize their respective opportunities for success, I believe that SMB’s need to, in some manner, introduce information risk and security management into their daily activities as well.

Do you think there is currently motivation, means, and opportunity to attack your business?