What I’m about to say may sound a bit heretical, given my profession as a cybersecurity attorney, but for many years we have been living with the myth that we can completely protect our computing systems from cyberattacks. Although preventative measures can help reduce the likelihood of a breach, most people in the cybersecurity industry know a dirty little secret: You can never keep the cyberattackers out.

Raising the “price” for hackers

In 1964, internet pioneer Paul Baran from RAND said we must presume that the attackers have already penetrated our ostensibly secure systems. His solution in 1964 was to “raise the price of the espied system to a point where it becomes excessive.” This still holds true today.

Put another way, we need to make our computing systems more expensive to attack successfully and, therefore, less attractive to the cyberattackers. This is because the cyberattackers only need to be right once. In contrast, you theoretically need to be right every time, whether you are a large multinational corporation, a small-to-medium business, or an individual or home user. The myth of cybersecurity is that stopping 100 percent of cyberattacks can be achieved.

How to plan ahead

Pundits debunking this myth have begun to hit the mainstream. A popular phrase (actually attributed to the Director of the FBI, Robert Mueller) states that there are two types of companies, those that know that they’ve been hacked and those that just haven’t found out yet.


What this means is that all stakeholders need to put in place a combination of proactive and reactive planning measures in order to “raise the price of the espied information” prior to a successful cyberattack, and then have a plan in place after a cyberattack has occurred. If each stakeholder accomplished this, we could eliminate the majority of common vulnerabilities and cut down significantly on successful attacks.

Tactics for businesses and individuals

Although many expert lists of “best practices” exist, the two lists below outline a few things that both businesses and individuals should consider in order to avoid being easy targets. Trust me, these may sound like common sense, but you would be amazed at the number of situations we deal with on a daily basis that could have been prevented by these relatively straightforward tactics.

Top five actions that an enterprise should consider include:

  • Start strong. Create a security and privacy governance structure, such that your entity is secure by design.

  • Stay vigilant. Research threats to the organization and perform a risk analysis on those threats.

  • Make a list. Prioritize the information assets of the organization.

  • Formalize your process. Create a security protection plan that is tied to a technology acquisition strategy.

  • Ask for help. Utilize third parties that have been appropriately engaged, including legal and technical personnel (or contractors).

Top five actions that an individual should consider—both for personal security and to protect their employer or any organizations with which they are affiliated:

  • Anticipate. Be aware of the consequences to which your actions could lead. If you post personal information for public view, be aware of the results.

  • Guard your cursor. Don’t click on something that doesn’t seem quite right. Phishing (emails sent to massive numbers of people containing a malicious payload) and spearphishing (the same as phishing, but cleverly disguised to look like a real email by being directed to a specific person and containing realistic-looking content) both rely on people clicking on links or opening emails and attachments that contain malware. If you get an email from someone you don’t know, or one that you didn’t expect, call the person first.

  • Switch it up. Use a different strong password for each site where you will be transacting financial business or sharing sensitive information.

  • Back up your data. Without data backups, you could wind up being a victim of ransomware or some other attack that destroys your current data or renders it unusable.

  • Refresh your system. Make sure your computer defenses are operating and up to date.

An optimistic outlook

While things may seem bad based on the constant barrage of stories about data breaches, ransomware and phishing attacks, the collaborative efforts of all stakeholders can create an environment where the cyberattackers cannot easily breach our defenses. When they do attack (and they will), having a plan in place to deal with the attack will go a long way toward minimizing the damages.

With the cooperation of the government and the private sector, in combination with the diligent efforts of all citizens, we can increase the effort required by the attackers to penetrate our systems. Once we do that, we will significantly reduce the exposure of our systems. Or, as Paul Baran would have said, we will have raised the price of the espied information in a way that causes the attacker to go somewhere else.