Opinion: Any organization that has not been hit by ransomware thinks, by default, that its defenses are good.
If internal voices are raised saying the organization needs to upgrade its defenses, budget holders balk at the cost and reason that, since we haven’t been hit yet, we must be OK. They know that many other organizations have been hit, some of them severely damaged, but assume that those victims’ defenses were inadequate, as the breach itself appears to prove. If our defenses are good, and they must be because we haven’t been hit, then we don’t need to spend extra money strengthening them when there are so many other demands on that money. The reasoning is circular, but it is how budgets get decided.
But there is no independent validation standard for cyber-defenses, only security suppliers keen to sell you their consultancy, products, and other services to close vulnerabilities or provide recoverability after an attack. Compliance certifications attest that documented processes exist, not that an attacker would fail to get in. There is no trusted, objective test by which you can assess your defenses against a cyberattack and make your vulnerabilities visible.
The police can visit your house and suggest security measures that householders can take to help prevent burglaries. But they can’t visit businesses or other organizations to provide digital security help; it is well beyond their expertise. The only bodies that can do this want to sell you something, which makes them less trustworthy. For such suppliers, shaking prospective customers out of their complacency and selling them defensive measures is near impossible without direct evidence of that customer’s specific vulnerabilities.
Of course, if you have suffered a ransomware or other damaging malware attack, then you will devote the effort and resources needed to strengthen your defenses, because you know you were vulnerable, you have some idea of the attack’s entry point and internal spread paths, and you have a board and leadership unified in their determination to prevent it ever happening again.
Governments can’t realistically provide a cybersecurity validation service for enterprises and other organizations. Bureaucratic wheels turn exceedingly slowly; such efforts would try to cover every circumstance and would likely produce something cumbersome, unrealistic, and late. We would be better off looking at benchmark organizations like STAC (the Securities Technology Analysis Center), a finance-industry benchmark council funded by the businesses it serves, which develops performance tests for those businesses covering specific cases and market sectors.
We need a STAC-like body to develop cybersecurity tests that businesses could run against their internal and supply chain systems, and that would deliver a rating, identify vulnerabilities, and score their severity. We could envisage, for example, financial, manufacturing, or healthcare organizations refusing to do business with suppliers in their sector unless those suppliers had reached a minimum validated security level. Cyber-insurance providers could help here too, by requiring policyholders to meet minimum validated cybersecurity levels.
The best way for organizations to raise their collective cybersecurity is to come together and fund the development of cyber-defense validation tests on a STAC-like model, and then only connect digitally to other entities that hold a minimum security validation rating. Such a rating could then spread and become standard practice.

