Page 126 - Cyber Defense eMagazine June 2024

the specter of high-tech AI threats that they overlook the foundational practices that protect against most cyber threats: patch management. While the DBIR doesn't have data related to the percentage of C-Levels keenly interested in credential loss or patching compliance, I doubt it matches the risk.

Patching isn't glamorous. It doesn't involve cutting-edge technology or revolutionary algorithms. Instead, it requires diligent, ongoing allocation of resources and a disciplined commitment to routine. In other words, it's a grind. But despite its lack of allure, patching is one of the most effective defenses against cyber-attacks. Regular updates close security holes and fix bugs that could be exploited by attackers, even those leveraging AI. Patching is the equivalent of changing the oil and rotating the tires of your car. While discussing the latest car hack from Black Hat might make for good dinner conversation, the two conversations must not be mutually exclusive. "Honey, I've upgraded our garage with metal mesh fencing to prevent OTA updates." "That's great, dear. Did you change the oil? It's been 30,000 miles." "That's not going to stop the OTA updates!"

The emphasis on the dangers of AI steals time and focus from the real risks threatening organizations. Take, for example, the recent deepfake incident involving a CEO in an AI-generated virtual meeting, complete with fake speech and virtual attendees. Although such an event is sensational and its implications for misinformation and security are profound, it is a very rare, hard-to-scale attack compared to the daily occurrences of data breaches and hacks facilitated by unpatched systems. Diverting attention from foundational cybersecurity to the threat du jour misses a core tenet of risk management: risk is likelihood multiplied by impact. Currently, the likelihood of a direct AI incident is nearly zero, while the likelihood of a breach due to unpatched vulnerabilities is significantly higher.

To focus on real, rather than imagined, risk, senior leaders should assign themselves to a committee dedicated to the fundamentals of cybersecurity. This committee would prioritize developing and enforcing policies that ensure regular updates and patches are applied promptly. It would ensure sufficient resource allocation. It would support planned business disruption like maintenance windows. It would champion asset lifecycle investments. It would ask questions like "how are we securing our SaaS applications?", "are we evaluating our third parties?", and "are our products secure?". This committee would also oversee the training of staff to recognize the signs of an attack and understand the importance of updates, creating a culture of security that permeates every level of the organization.

By focusing on practical and immediate improvements in cyber hygiene, companies can significantly reduce their exposure to most cyber threats, business disruption, investor concerns, and regulatory peril. This shift in focus does not mean ignoring the potential risks posed by AI and other emerging technologies, but it does mean addressing the risks that can have a material impact in the here and now. Consider all the recent discussion about the SEC rules on incident reporting, or the lawsuits against CISOs for misreporting risks. Those potential pitfalls are rooted in real risks, present in the everyday operation of organizations.

The tale of the deepfake CEO serves as a stark reminder of the dual threats facing modern organizations: the tangible and the theoretical. While it is necessary to prepare for the future and innovate to stay ahead of potential threats, this should not come at the expense of addressing present and pervasive risks. Patch management may not be headline-grabbing, but it is a fundamental aspect of maintaining security in a digital world. Organizations must stop chasing the AI squirrel and focus on the essential tasks at hand.

Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.