A million little pieces: Most cyber breaches don't have to happen

Cyber security isn't just technology. Technology is a tool that depends on human intervention -- and the orderly management of a process that depends on literally a million little pieces.

Sallie Sweeney

Director, Federal Advisory, KPMG US

+1 703-286-8000

Video transcript

Last year, there were over 2 million cyber attacks. That's one every 15 seconds. It costs about $45 billion dollars, $45 billion dollars. How much is that, really? It's about all of Mark Zuckerberg's net worth. We could go out right now and buy Target. Buy Target with $45 billion, let's go do that. Do you want to do that? Or we can look at it this way, it's $500 to every American household. So make no mistake, these breaches are scary, they cost money, they cost a lot of time and resources. But something you probably don't know is that most of these weren't caused by cyber attacks. And some of these never had to happen. Never.


That's the good news. The even better news is that, most of these were caused because of a single vulnerability. You have a single vulnerability, you have a single thing to fix. Sounds great, right? The only thing is, taking care of that single vulnerability means riding herd on a million little pieces. My name is Sallie Sweeney and my passion is cybersecurity. I've been in this industry for about 23 years and I'm grounded in it for reasons that may surprise you. I'm a wife of 12-year-old twin daughters… I'm a mother of, not a wife to them, that tells you how I'm tired, a mother to 12-year-old twin daughters, lovely young ladies and a wife of almost 15 years. So I've been riding herd on a million details for a very, very long time. And that's what it takes to be successful in a cybersecurity approach.


Single-minded folks focused in a world of a million details. Now fortunately, these details in my experience, in running very large programs and something you can take with you today, is that these fit in three different buckets. Number one – having clear, prioritized goals. Number two – you got to communicate. And number three – be ready to adapt to change. Now here's how that works, in practice. Now when we're talking about riding herd on a million details, a lifetime or two ago, I was a systems security officer and chief security architect for a very large Medicare payment system. Very high profile, quarter of a billion dollar contract, very high visibility for a government client, crown jewel for my former employer. One day I got an email, red exclamation point, we love those, don't we? CDM score is at a D minus. What does that mean? CDM score told us our safeguards were not functioning properly.


Think about your home security system, your door is wide open. This was worse. Someone with even a little bit of skill and a computer could come in, infect your system, steal data, start a bot army, introduce malware, introduce ransomware, and so much more. So the key is here, for having left the door wide open, for our clear goals at the time, there were six of them, once this occurred.


When this happened, the first thing you want to do is close the door, right? Yes, close the door. But if you just close the door, you haven't fixed it. So what you have to do is you make sure you then start to engage in bucket number one, having clear goals. In this situation, we had six goals. Close that door. Isolate the system, make sure you take it offline if you have to, don't just start mopping up the floor, go and turn that water valve off at its source. Number two, goal number two, look around and see what other damage was done. What other data was removed, if the exploit is still occurring at the time, look to see what else is happening. That may be outside of this the situation that you thought is occurring. Number three – identify what the problem is and fix it. Look if there's a vulnerability, if there was a process not followed, if someone gained access where they shouldn't have, address it. Look at your forensics, look at your fingerprints, the digital fingerprints to see who accessed what and when. Goal number four – fix the vulnerability. Check to see if it's propagated around your enterprise. Address it, test it, fix it and propagate it. Goal number five – when you have everything up and running according to your processes, you have to make sure, then and only then you allow access back to that system. And goal number six – don't just look at that vulnerability. Look at contributing factors around that vulnerability, did anything else fail? And then you can learn from it.


So as you can see, technology is not just about or cybersecurity is not just a technology problem. It's a tool that helps us accomplish our goals. Cybersecurity is about creating goals, executing against those goals, and then it leads me to our next goal, which is to communicate. It's very important to have open and candid communications amongst the people who are taking care of your system. Now in this situation, we had a person not follow protocol, essentially. And stood up a virtual machine in a production environment unpatched – what does that mean? Essentially, opening up a system that wasn't ready to be put into production environment. Our CDM score hit that and it fell into the toilet, so the CDM score technology did its job so we could do ours. You see? It's not just about technology, it's about technology enabling humans to do their jobs.


Communications matter. Especially in running a very large cybersecurity program. Communications matter. So before the breach, make sure that you cultivate a culture where people are okay with talking about things. Maybe situations like this, it's embarrassing to say that you accidentally stood up a VM in production without testing it first. But create a culture so that folks feel comfortable to talk to each other so you can quickly fix problems as they arise or eliminate them altogether. One person cannot ride herd on all of these details across the system. It is critical to create a cross-disciplinary communication approach and it'll give you so much more.


And this leads us to our third bucket. Be ready to quickly adapt to change. So in a breach situation, what happens? Financial implications, data lost, users can't access their systems, loss of business, clients unhappy, national headlines, you name it. Right? Big implications. The time to implement your plan is not when a breach is occurring, you already have to have that plan in place so you can act quickly. Either you do or you don't. But if you plan, you can.


Three buckets, folks, that's what it takes. Cybersecurity is not a mystery of technology. It's about managing people and situations that rely on technology. And it's a field where I'm very proud to be part of and I'm able to mentor young women and members of underrepresented communities more and more. To help us evolve to a place where we can use technology for things we can do. And this is something that we can do. You have to. And when you bring all of these million little details together, they don't work against you. They work for you. Thanks for listening.