What Pokémon Cards can teach us about Cybersecurity


Cyber Monster Pokemon Card

For the second weekend in a row, I am sitting near lots of people playing Pokémon.

That’s correct: Pokémon, the Japanese card game launched in 1996 and, as my 12-year-old son would happily tell you, still going strong nearly three decades later.

So much so, in fact, that we are here at the Hartford Convention Center where he is competing in a tournament of 1,200 mostly “Masters” (16 and up) as one of the hundred-plus “Juniors” (12 and under). I enjoy hanging out with the Pokémon people as they are a community of super-friendly, helpful folks.

The Pokémon company mints money in the form of new cards that are released every quarter. The new cards beat the old cards (I’m oversimplifying, but did you really want to know more?), compelling players to keep buying new ones in order to build winning decks.

The overall result is that the “metagame” keeps evolving, bringing new players, new cards, and new money to the Pokémon bottom line.

The Bad Guys Never Sleep

Cybersecurity is also constantly changing: what worked yesterday won’t work tomorrow.

For example, remember when…

… you had “a password” that you used in all situations?

… you never locked your phone and readily handed it to anyone who asked?

… your banking info, medical records, and all kinds of other confidential information were only accessible in person and (usually) on paper?

Now, of course, all your important “stuff” is digital, giving you convenient access to it anytime and from anywhere.

The problem is that the security metagame is never static: attackers change their approach daily, weekly, and monthly, without end. If your approach to security isn’t also evolving, you are, in effect, holding last year’s Pokémon cards.

For example, multi-factor authentication (MFA) used to be considered “unstoppable.” It is still one of the best technical controls for reducing risk, but it is no longer bulletproof. Attackers get around it by stealing session cookies after the user has already passed the MFA check (so the check never fires again), by intercepting or redirecting SMS codes through SIM swaps and compromises of the carrier network, and by tricking users into typing one-time codes into look-alike login pages that relay the code to the real site in real time. Methods that bind the credential to the site’s origin, such as FIDO2/WebAuthn security keys and passkeys, resist that last attack; codes a person can read off a screen and retype do not.
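To make the last two bypasses concrete, here is an added example in Python (it is not code from the original post or from Fractional CISO). It simulates a one-time code typed into a look-alike page and relayed to the real site within the validity window, which the real site accepts, and then the same relay against an origin-bound credential in the style of a WebAuthn assertion, which the real site rejects because the browser, not the user, reports the origin the credential was used on. The secrets, hostnames and challenge strings are constructed for illustration, and HMAC-SHA256 stands in for the authenticator’s asymmetric signature; the origin-binding check, not the signature scheme, is the point.

```python
"""
Added example, not code from the original post or from Fractional CISO.
Simulates (1) a TOTP code relayed from a phishing page to the real site and
(2) the same relay against an origin-bound credential (WebAuthn-style).
Secrets, hostnames and challenges are constructed; HMAC-SHA256 stands in for
the authenticator's ECDSA signature.
"""
import hashlib
import hmac
import json
import struct

STEP_SECONDS = 30


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme most authenticator apps use."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def site_accepts_totp(secret: bytes, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """The real site's check: current step plus/minus one step of clock skew.
    That tolerance is the usual server default and is what gives a relay its window."""
    candidates = (totp(secret, now + k * STEP_SECONDS) for k in range(-skew_steps, skew_steps + 1))
    return any(hmac.compare_digest(c, submitted) for c in candidates)


def relayed_totp_login(secret: bytes, now: int, relay_delay: int = 5) -> bool:
    """Victim reads the code from their phone and types it into the attacker's
    fake dialog; the attacker forwards it to the real site a few seconds later."""
    code_typed_into_fake_page = totp(secret, now)
    return site_accepts_totp(secret, code_typed_into_fake_page, now + relay_delay)


# --- origin-bound credential, simplified from the WebAuthn assertion flow ---

SITE_ORIGIN = "https://login.example.com"             # constructed
PHISH_ORIGIN = "https://login-example-com.evil.test"  # constructed look-alike


def authenticator_assert(cred_key: bytes, challenge: str, browser_origin: str) -> tuple[bytes, bytes]:
    """The browser fills in the origin it is actually connected to; the user
    cannot retype or alter it. The authenticator signs challenge + origin."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True).encode()
    signature = hmac.new(cred_key, client_data, hashlib.sha256).digest()  # stand-in for ECDSA
    return client_data, signature


def site_verifies_assertion(cred_key: bytes, expected_challenge: str, site_origin: str,
                            client_data: bytes, signature: bytes) -> bool:
    """The real site checks the signature, then that the signed origin is its own."""
    expected_sig = hmac.new(cred_key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False
    data = json.loads(client_data)
    return data["challenge"] == expected_challenge and data["origin"] == site_origin


def legitimate_webauthn_login(cred_key: bytes, challenge: str = "constructed-challenge-1") -> bool:
    """User is really on the site, so the signed origin matches."""
    client_data, sig = authenticator_assert(cred_key, challenge, SITE_ORIGIN)
    return site_verifies_assertion(cred_key, challenge, SITE_ORIGIN, client_data, sig)


def relayed_webauthn_login(cred_key: bytes, challenge: str = "constructed-challenge-2") -> bool:
    """Attacker relays the site's real challenge to the victim's browser, but that
    browser is on the phishing origin, so the signed origin does not match."""
    client_data, sig = authenticator_assert(cred_key, challenge, PHISH_ORIGIN)
    return site_verifies_assertion(cred_key, challenge, SITE_ORIGIN, client_data, sig)


if __name__ == "__main__":
    shared_secret = b"constructed-totp-seed-0123456789"
    cred = b"constructed-credential-key"
    print("relayed TOTP accepted:    ", relayed_totp_login(shared_secret, 1_700_000_000))
    print("legit WebAuthn accepted:  ", legitimate_webauthn_login(cred))
    print("relayed WebAuthn accepted:", relayed_webauthn_login(cred))
```

Real WebAuthn goes one step further than this simulation: keys are scoped to the relying party’s ID, so a page on the phishing origin cannot even invoke the credential, and the signature is asymmetric, so the site never holds a secret that could be stolen and replayed. The relay of a six-digit code, by contrast, works regardless of how the code is delivered, which is why stolen SMS codes and app-generated codes fail the same way.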

So, companies (and individuals) must consistently improve, too. How? With an active cybersecurity program.

We recommend a structured, cross-disciplinary meeting every couple of weeks (at least). And not just with the tech folks – your marketing, HR, finance, and other departments are all procuring and running systems; they need to be part of these conversations, too.

Some big things to pay attention to in your meetings:

Changes in Personnel…

If the executive who thought cybersecurity was important leaves your organization, will the new person give it the same attention, or will it be their second or third priority, or no priority at all? Absent an engaged sponsor, the entire program can fall apart.

Even the loss of a key admin person can bring things to a screeching halt. Suddenly, it’s hard to get a list of valid users, new employees, active vendors, training schedules, etc. If this person was the glue holding your cybersecurity activities together, you need to identify a new person right away.

Changes in Environment…

Often, when trying to launch a new product, there’s urgency to get it out the door with the expectation that we will “fix the rest later.” But once you launch something, you will be busy responding to customers; at that point, it’s hard to prioritize security.

And, unfortunately, the bad guys have not agreed to your timetable! If they move first, it could lead to a very bad day for your organization.

All of the tools that make your digital life easier – automation, easy accessibility, near-limitless storage of data, etc. – also make it easier for the bad guys to perpetrate attacks.

Another common environmental element is a change in a key supplier. When that happens, the procedures that worked before may be overlooked; your data may still be in the hands of the old supplier; or the old supplier’s accounts, API keys, or network access may still reach into parts of your organization.

Changes in Market…

We have witnessed many examples across several industries where the “norm” evolves very rapidly. Almost overnight, customers demand better security, regulators establish new standards, and security issues that had been backburnered move to the front.

If you’ve already got an established, in-house cybersecurity program in place, you will be prepared to respond quickly as these types of changes occur.

A Little Bit, Every Day

Like it or not, we are participants in an arms race in which the bad actors never sleep and the definition of “secure” is constantly evolving.

Fortunately, by working steadily, systematically, and cross-functionally, most organizations can protect themselves from the worst of these threats.

It’s either that or take your chances playing with an increasingly weak deck of cards!

If you want to get more great cybersecurity content delivered to your inbox, click here to sign up for our monthly newsletter, Tales from the Click.

Rob Black
Rob founded Fractional CISO in 2017 and has helped dozens of mid-size SaaS and technology companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).
