Why Cyber is not enough...
In today's world just securing your Cyber infrastructure is not enough. In many cases companies and agencies spend huge amounts of their budgets on protecting network connected resources but there are other areas that need to be evaluated.
In early 2018 Jigsaw Security adopted the CDM model (diagram) for protecting networks. This is great except that it lacks in some areas that we feel are very important in protecting your corporate and proprietary information.
Annually over 10 Billion in US dollars is lost to theft of proprietary secrets of US based companies. These companies are targeted because they typically carry out many of the research and development activities that lead to technological breakthroughs. What this means for US based companies is that they are and will be targeted for theft of intellectual property.
Non Technical Threats
There are always threats aimed at these companies and agencies from non technical means. Attendees at conferences just talking shop end up spilling information that allows the adversary to collect bits and pieces that although in their individual capacity are not important, when combined with documentation and human intelligence collection, can paint a picture that allows those wishing to steal these ideas to come up with the full picture. In the classified world this is known as derivative classification. This is when several non classified pieces of information are collected that when combined form the basis of highly classified content. In the corporate world we need to be aware of this same issue. Although information may be sensitive but unclassified, when combined with other information it can cause grave damage to companies and agencies responsible for protecting the valued information.
Technical Non IT Attack Vectors
Another area of concern is non IT technical attacks that exploit other electronic devices. An example of this would be a hacker stealing and using someone's ID badge before it can be reported to security or the interception of communications such as cell phone calls or the tracking of individuals based on information collected by applications installed on their cellular phones that can be used to attack the human element by knowing where somebody is so that contact can be made with the individual.
The equipment needed to carry out non network based attacks has gone down in price. Surveillance equipment that used to cost $50,000 can now be had for around $1,000. This makes the barrier to entry for spies to be much less than it had been in the past. This means that more people are targeting others and collecting sensitive information.
Big Data Threat
Although we are users of big data based systems and love the technology, just with anything else it can be used for good or evil. Just like we as IT professionals have adopted big data, so too have the hackers. These systems allow hackers to take individual unclassified bits of information and combine them to paint a very different picture, opening companies up to attacks that otherwise would not have been possible just a few years ago.
While Cyber is important, we highly recommend that Non IT Technical items be a part of your checklist. Adopt continual monitoring such as the CDM model and ensure that you are covering your human assets as closely as you cover your IT and network based systems. Networks and IT based attacks are a major problem but they are only 78% of the problem. The other vectors deserve 22% of your budget but we are seeing IT based organizations make this mistake more and more and it's costing them when they show up in the news as being breached. In many cases they were attacked with IT based systems but the information needed to carry out the attack may have been obtained by other methods. Be Vigilant!