The size, scope, and impact of information (“cyber”) security problems – which we will simply call security problems, now – is finally matching the breathtaking upward slope we see in other technological progress. Incidents large enough that they are impossible for even powerful victims to conceal appear weekly in major news media. The vast majority of incidents go unreported. No sector of the economy is untouched.

America’s technical sector in Silicon Valley had a rude awakening to its real place in geopolitics by way of security problems in 2009, when the Chinese military was discovered deep inside Google’s production infrastructure. We were there, and see it now as the forebearer of much to come over the following decade.

Looking at the most recent five years is powerful. Community Health Systems suffered the theft of 4.5 million individuals’ medical records in 2014, likely an operation by China. Anthem saw the theft of 78 million individuals’ health records in 2015 (China, again). In 2016 the general public saw America’s Democratic National Committee lose all its email to Russia, and Yahoo admit to an attack compromising a billion users’ information including their passwords and dates of birth. The latter was maybe Russia, maybe China, or maybe criminals who sold to both of the former.

Maersk, the 115-year-old company holding more global shipping capacity than any other organization, had its operations crippled in 2017 by a criminal attack using malware adapted from Russian intelligence tools. To close out 2018, Marriott publicized an attack which stole information about 500 million customers. Whoever holds that data knows exactly who your C-suite and board members went to meet with the past few years.

The public sector mirrors the timeline above. Russia in the White House and State Department in 2014. China in the U.S. Government’s Office of Personnel Management in 2015. Layer Aleph’s partners helped with service restoration and mitigation prioritization in those events, like we do with our clients.

The list of risks and fixes is overwhelming for both the recently- breached, and organizations struggling to prioritize work to secure their own infrastructure. Decisionmakers don’t know what to be afraid of, and prioritize blindly. An entire “cyber” industry buys expensive ads in business magazines featuring sharks, snakes, and hoodie-clad hackers. We’ve occasionally recommended a small subset of these products, but most are selling on fear and buzzwords.

Imagined threats are often much grosser and worse than the real threats an organization faces. Sometimes, real threats are much worse than those imagined – the healthcare companies above are excellent examples of that.

We always walk clients through a simple threat modeling exercise on any projects where security is a factor. That’s most projects, these days. Our clients are confidential, but this exercise isn’t. We keep it simple:

  1. What are the three most valuable assets you have?
  2. Who are the three most likely adversaries you’ll face?
  3. Which are the three most likely attacks you’ll experience?

One is probably health data, economic data, demographic data. For high-risk individuals, reputation, harassment, and identity theft may be more relevant. Three, now and for the foreseeable future, is password guessing, phishing, and old infrastructure. Two, you’ll want some experienced help with, but it’s probably not the rarer monsters. Criminals deploying malware and ransomware will do, in your first draft.

We encourage clients to publish the results and post it on their walls. If it hangs in every room, every individual can be empowered to pressure test security-related decisions against it. The most paranoid decision is expensive to implement and may harm your organization’s goals. This is always an incredibly clarifying exercise. Our experience is that fear is our friend, when it is accurately grounded. Monsters are real – we’ve seen them with our own eyes.