"Another day, another breach"

"Another day, another breach." I grew tired of hearing that phrase around 2019! Even back then I thought it was time everyone acknowledged that breaches are inevitable.

Many of us already have, and that's why the cyber security industry has a fantastic set of standards, such as the NIST CSF, to draw upon for incident response and preparedness. However, what I mean by "everyone" is just that: not just cyber sec pros. Business experts, CEOs, tradespeople, school teachers, the whole lot, all must acknowledge that breaches are inevitable, and be prepared.

I'm going to compare this to preparedness for other types of disaster, for the sake of the point I want to make. We accepted long ago that floods, fires and droughts are inevitable, so we have a strong culture of preparedness for them. I'm not going to delve into the truly devastating effects of natural disasters, other than to briefly point out that data breach incidents can result in similarly terrible outcomes, including loss of life. So I think it's reasonable to compare the preparedness angle of both.

There's an annoyingly relevant ad playing at the moment on one of the streaming services we use, in which a well known Queensland-based insurance company asks viewers whether our homes are storm ready. This was airing well before Tropical Cyclone Alfred devastated parts of South East Queensland and Northern New South Wales during the past week. The ad goes into the dangers of leaves in gutters and trees too close to dwellings, and asks whether we have our emergency kit assembled. Drawing a comparison to the "cyber" world, in which technology and the commoditisation of information are simply more layers we've added to our already complex lives, we need to manage the associated risks just as we already do for natural disasters.

Most of us in the cyber security profession have already adjusted our narrative to avoid giving tech-heavy, buzzword-filled advice and instead present clear facts about the risk in the context of the audience. If you're new to this, here's some AI-generated LinkedIn content which covers the basics: https://www.linkedin.com/advice/0/what-do-you-non-technical-stakeholders-need-understand-dhdhe

The advice we (cyber sec pros) give is often driven by regulations, or by the applicable set of standards. Fortunately this advice is usually reasonable, but what if we could apply a layer of intelligence over it and tailor it specifically for our audience? Our CIOs, CEOs, boards etc. want to mitigate risk first and foremost, so if they have to interpret and prioritise a list of actions themselves, we haven't done our jobs correctly.

For example, we know that infostealer malware was present on 4.3 million devices around the world in 2024 according to the latest KELA State of Cybercrime report, and that around 3.9 billion passwords have likely been compromised. Work-related passwords were found on almost 40% of the infected devices, for systems such as email and Active Directory (one of the common directories used in corporate systems to manage identities). We also have to remember that plenty of users blur the boundaries between work and private information systems, using one password across many systems and devices, which an attacker could use to their advantage. The first thing an attacker might do after finding compromised Facebook, PayPal, Gmail etc. accounts for a high profile individual such as a company CEO would be to try the same password on the company's remote login or email system.

Armed with this information, we might decide to run an education campaign targeting our company executives, raising awareness of this risk. However, this cup of coffee has come to an end, so please join me later next week over another cup, and we'll talk about how cyber security incident preparedness plays out in the real world.