A recently founded tech company got a startling call from the FBI. A Special Agent had reached out to the CEO to inform him that their company had caught the attention of the Chinese who were actively seeking this type of technology to improve their standing in China.
The executive team wasn't sure how to take the news. It was completely unexpected, and as troubling as it was, there was actually a sense of accomplishment in that call. Their product was finally ready to sell and they were looking for attention wherever they could get it. They had invested in booths at tech conferences and a few PR releases. They were in talks with several potential buyers but still didn't have a sale. They weren't sure how effectively they were marketing their product, but to have attention on an international stage felt like it was worth a pat on the back.
Still, they had spent years in R&D to get to that point, and the thought that someone else could step in without paying that price and potentially undercut their business caused some alarm. They reviewed their security and shared the FBI's concerns at an all-hands meeting so that everyone would be security aware in their day-to-day operations.
Investing in controls
The company was well funded and owned by a larger parent company that had invested heavily in security. The parent had its own SOC team, analysts and a CISO at the helm, and the new tech company benefited heavily from those established best practices.
The tech company had previously, under the guidance of the parent company, installed badge-scan access to the building. They had also created public spaces isolated from the workspaces, which allowed them to host investors and potential clients while keeping their IP safe. Engineering, science and general employee areas were each separated internally by their own badge access. In fact, the employee and executive workspaces were all hosted on the second floor, which was protected by a second badge scan, while the first floor was made available to visitors.
When confidence becomes the weakness
Their confidence also became their weakness. Upon a cursory review, they decided they had best-in-class controls and felt there wasn't much left to do to ensure their IP didn't fall into the wrong hands. As in most situations, the assumption was that this kind of thing only happens in spy movies and to somebody else. "It's never going to happen to me" was the calming hum that quietly eroded any concern about their technology.
Still, I was able to perform a more holistic risk assessment for this company, and that assessment turned up some interesting discoveries. In the lobby of the building there were manholes that led out to the parking lot. These manhole covers were not secured: anyone could have gone down and out through one, or, more critically, come up from the parking lot and into the building.
During nights or weekends, anyone could bypass the locked doors this way and still reach the building's interior. Fortunately, the second-floor access was also guarded by the principle of defense in depth. Unfortunately, the lobby also hosted a massive two-story plant wall that required regular watering. To reach the plants, a scissor lift was parked behind the plant wall. Always plugged in. Key in the ignition.
Not only could anyone enter the building undetected, but they could also reach the executive and employee workspaces on the second floor.
Why a little security is worse
In many ways, a little security is better than no security. But, counterintuitively, a little security can also be worse than no security, because it gives us a false sense of having resolved all of the problems.
I see this all the time. If my child is doing online school and gets one assignment done, they treat it as license to spend three hours on YouTube. Having done something becomes an excuse to stop.
Also, in regulated industries, there is a reason risk assessments are required year after year. It doesn't matter if you did one last year. It doesn't matter if you have vulnerability scanning, email protection, or properly configured firewalls. You are still required to look critically at what you have and identify your gaps. A best-in-class vulnerability scanner can do a lot to identify critical problems in your tech stack, but it tells you nothing about unsecured physical access points, missing policies, employee training or the other vital elements of a healthy cybersecurity posture.
As unpleasant as it is, we need to ask ourselves these questions and identify potential gaps in how we do business if we want to ensure the long-term success of the company we invest so much of our time building, day in and day out.
SignumCyber's risk assessment platform does a good job of breaking that process down into bite-size chunks that can be delegated. It covers over 600 questions across over 73 security domains and 6 different business departments. It's worth looking at your business holistically rather than tunnel-visioning on the things automated scanning can more easily identify.