InfoSec budgets often fail to cover everything that is needed to keep businesses safe. Most execs either think things can wait, or they think it will never happen to them.
Information Security and IT leaders often butt heads with business leaders over budget. Most InfoSec budgets fall well short of what is actually needed, largely because higher-ups fail to understand the importance. On top of that, many leaders put off fixing known problems for as long as possible, which makes the fix more expensive and time-consuming when it finally happens, or they assume it will never happen to them. Business leaders are more concerned about the bottom line than anything else, but what they miss is that a data breach will eat up that bottom line faster than almost any other problem.
Getting business executives to understand why InfoSec and CyberSec need more funding can be a frustrating endeavor, so we decided to provide an example of how an attack can come to fruition. This story is based on actual events, although no names are included.
In one case, the passwords of every user of a subscribed service were stored in a database in plain text. No hashing, no encryption, nothing. Sales and customer service representatives could go to a page, click a button and see a user's password. But leadership's view was that switching to hashed password storage (hashing, not encryption: a one-way function, so the original password cannot be recovered from the stored value), and making users change their passwords because those passwords had technically been exposed, was not a priority. There was an ensuing battle over this, so a red team exercise was conducted to illustrate why it was necessary.
We had employees acting as confederates who were sent out to talk with the key decision maker, saying things like, "Ugh, I hate my bank, they just added this new fee. Aren't banks the worst?" Within two weeks, enough information had been collected to know where this person banked, where their children went to school, where their email was hosted and what their home security login was. This person's plain-text password from the service was then tried against some of the other systems they used, since people tend to reuse passwords. The results were compiled into a slide deck to show how this kind of attack unfolds. The deck listed this person's vendors (bank, security company, etc.) as examples, and in the footer of every slide, next to the date, the plain-text password was written out like this: December 31, 2020 | password.
As the presentation was given, a laser pointer may have rested a few seconds on the footer, and suddenly the decision maker had a change of heart. They decided that this needed to be immediately prioritized, it no longer mattered that users may need to reset passwords, we had to get this done.
That one little exercise showed not only how easy it is to gather the information needed to compromise someone, but also how serious the consequences are when it happens, especially if that person recycles passwords and does not use two-factor authentication. People are easier to hack than machines. You can set up all of the firewalls, geofences and automated incident responses in the world, but if an attacker can log in with valid credentials, none of that matters: a successful login with the right username and password is not treated as an incident until the damage is already done.
Now, businesses around the world have learned through the COVID-19 pandemic that cybersecurity needs a bigger budget. They've seen the spikes in attacks and some of the fines and extra costs that businesses like Capital One are facing due to negligence. It's starting to become more accepted and more widely understood. But that may not immediately translate into an increased InfoSec budget, especially given the global situation. At a minimum, make sure you're requiring strong passwords, storing them only as salted hashes produced by a deliberately slow password-hashing function (never in plain text and never as reversible encryption), and using 2FA.
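The remediation the story argues for, and the minimum the closing paragraph asks for, look like this in practice. The block below is an added example written for this article, not code from the service described in it: it takes constructed user rows in the exposed plain-text shape, replaces each password with a salted PBKDF2-HMAC-SHA256 hash from the Python standard library, and flags every migrated account for a forced reset, because a value that support staff could read on a page has to be treated as already leaked. Column names, the record layout and the iteration count are assumptions for the example; a production system would more likely reach for Argon2id or bcrypt via a dedicated library, but the structure (random per-user salt, slow hash, constant-time comparison, reset flag) is the same.

```python
"""Migrate plain-text password rows to salted, iterated hashes and force a reset.

Added example for this article (not the affected service's code). The user
table, its column names and the sample passwords are constructed for the demo.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# Assumed parameters: 600,000 iterations of PBKDF2-HMAC-SHA256 is the current
# OWASP guidance; raise it as hardware allows. 16 random bytes of salt per user.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


@dataclass
class UserRecord:
    username: str
    password_plain: Optional[str] = None   # the column support staff could view
    password_hash: Optional[str] = None    # "pbkdf2_sha256$<iters>$<salt hex>$<hash hex>"
    must_reset: bool = False               # set for every row migrated from plain text


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash string with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    hash_name = algo.split("_", 1)[1]
    dk = hashlib.pbkdf2_hmac(
        hash_name, candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


def migrate_plaintext(users: List[UserRecord]) -> List[UserRecord]:
    """One-shot migration: hash every plain-text password, wipe the original,
    and mark the account so the user must pick a new password on next login.
    Because the old value was viewable, keeping it (even hashed) as the
    long-term credential would leave the exposure in place."""
    for u in users:
        if u.password_plain is not None:
            u.password_hash = hash_password(u.password_plain)
            u.password_plain = None
            u.must_reset = True
    return users


def authenticate(user: UserRecord, candidate: str) -> str:
    """Login decision: 'denied', 'reset_required', 'ok', or 'error' for an
    unmigrated row (the application should refuse to run against plain text)."""
    if user.password_plain is not None or user.password_hash is None:
        return "error"
    if not verify_password(user.password_hash, candidate):
        return "denied"
    if user.must_reset:
        return "reset_required"
    return "ok"


if __name__ == "__main__":
    # Constructed sample rows in the exposed shape from the story.
    table = [UserRecord("alice", password_plain="hunter2"),
             UserRecord("bob", password_plain="correct horse battery staple")]
    migrate_plaintext(table)
    for row in table:
        print(row.username, row.password_hash[:40] + "...", "must_reset =", row.must_reset)
    print("alice / hunter2 ->", authenticate(table[0], "hunter2"))
    print("alice / wrong   ->", authenticate(table[0], "wrong"))
```

The "see a user's password" button from the story has no equivalent after this change: the only thing the database holds is a salt and a hash, and the only operation the application can perform is "does this candidate match", which is why a reset flow (not a lookup page) is what support staff get instead.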