The world is struck by another cyber breach, and this time, it concerns those who primarily operate in outer space. An unauthorised raspberry pi has breached NASA. You could be forgiven for thinking, well if “NASA” can’t get it right now can I? It must be harder than rocket science! This only spells a wake-up call for organisations who do not have a Cyber for IT approach.
Let’s not beat around the bush. Cybersecurity can be tricky.
However, looking at the audit report NASA got a lot of basic things wrong for an organisation that would be a huge target. The IP these guys would hold let alone the status for breaching such a big name would be huge.
Clearly, they didn’t have the ability to detect rogue devices, quickly report on abnormal network traffic, and from the report adequately patch network devices to prevent lateral movement. These are all risks that have well-known and efficient remedies. However, it is suspected as with many organisations we help the problem starts from the top.
Management has allowed Engineers and IT teams to manage the environment rather than creating strong cyber leadership ( Not IT ), policies, procedures, and alerting systems to ensure compliance with requirements.
Too often, boards allow total freedom and creative license to Engineers and IT professionals however, they are not properly educated or tooled to understand and engage risk. Imminently, a Cyber for IT strategy must be engaged, to strategise all IT activities and infrastructures with a cybersecurity-focused mindset. Only with cyber-aware planning and an security operation centre, organisations may detect and protect themselves against threats in a prompt manner.
More often than not when we get called to assist during a post-breach event, the management advises us that “IT were looking after security”.
Just as we in the industry are realising that cybersecurity is a diverse problem that requires diverse thinking to solve so must organisations learn that security is an organisational problem. Asking IT to include security within their budget is often the first step towards disaster and communications breakdown during a cyber incident.
Proper Cybersecurity Leadership is needed to set the path for IT.
Proper leadership for cyber requires a diverse thinking risk team to first assess risks and identify key assets such as data, IP, functions, and people. Only then can we mandate and create proper policies and advise our IT teams about effective controls and KPI’s such as an advanced security operations centre to protect environments.