Cybersecurity in 2021: Stopping the madness


Marc Andreessen had it right – software has eaten the world. As a result, the world can be hacked.

Just look at the past few months. The – the “largest and most sophisticated attack the world has ever seen” according to Microsoft president Brad Smith – gave its Russian perps months of free rein across untold US government agencies and private companies. But stupid also works: Last month in Florida, a water treatment plant’s cybersecurity was so lax, anyone could have been behind a clumsy attempt to . Meanwhile, miscreants bearing have made hospitals their favorite target; in October 2020, six US hospitals fell prey within 24 hours.

Cybersecurity wins the award for Most Dismal Science. But if suffering attacks now amounts to a cost of doing business, then the time-honored approach of prioritizing risk and limiting damage when breaches occur still offers reason for hope. This collection of articles from CSO, Computerworld, CIO, InfoWorld, and Network World delivers specific guidance on best security practices across the enterprise, from the C-suite to developer laptops.

Writing for CSO, contributor Stacey Collette addresses the age-old question of how to focus upper management’s attention on security in “.” The thesis is that five-alarm debacles like the SolarWinds attack can serve as useful wakeup calls. Collette suggests seizing the moment to convince the board to match the company business model with an appropriate risk mitigation framework – and to use to exchange information on industry-specific threats and defensive measures.

CIO’s contribution, “” by Bob Violino, surfaces a problem hiding in plain sight: Digital innovation almost always increases risk. Everyone understands the transformative power of the cloud, for example, but each IaaS or SaaS provider seems to have a different security model, raising the odds of calamitous misconfiguration. Likewise, digital integration with partners promises all kinds of new efficiencies – and by definition heightens . And does it even need to be said that launching an initiative will vastly expand your attack surface area?

A second story written by Violino, this one for Computerworld, explores the cybersecurity obsession of our era: “.” Some of the article covers familiar ground, such as ensuring effective endpoint protection and multifactor authentication for remote workers. But Violino also highlights more advanced solutions, such as and . He warns that a new wave of preparation will be required for , in which employees alternate between office and home to ensure social distancing at work. The pandemic has proven that remote work at scale is viable – but new solutions, such as , will be necessary to secure our new perimeterless world.

, adoption is accelerating for secure access service edge (), an architecture that combines with various security measures, from encryption to zero trust authentication. According to Korlov, for the rental car company Sixt, the result was “a 15% to 20% reduction in costs for network maintenance, security, and capacity planning.” At Sixt’s 80 branch offices, downtime purportedly averages a tenth of what it used to be.

In “,” InfoWorld contributing editor Isaac Sacolick reminds us that modern cybersecurity means secure code, too. An cited in the article reveals that nearly half of respondents admitted they release vulnerable code into production on a regular basis. Thanks to Sacolick’s hands-on experience with development teams, he’s able to offer a trove of practical remediations for developer managers to embrace, from explicitly documenting code security acceptance criteria to ensuring version control repositories are fully locked down.

The SolarWinds fiasco has proven that enforcing such policies is no longer optional. Coverage of the attack has focused on the backdoor that Russian hackers inserted in SolarWinds’ Orion products, instantly compromising customers who installed the software. Less attention has been paid to the custom malware the hackers created to slip into SolarWinds’ development process undetected and implant that backdoor. Can any software development shop say with confidence that it can withstand such a sophisticated, concerted effort?

Software firms are asking themselves that question right now – while at the same time governments and private enterprises seen as high-value targets are furiously vetting their operations to see if they’ve fallen victim to other compromised code. True, this is merely the latest battlefront against a global horde of cybercriminals, from script kiddies to malicious hackers to state-sponsored masterminds. But no one can accept anything other than the strongest defenses affordable in a war without end.

Copyright © 2021 IDG Communications, Inc.