Security By Design- Part 10

Joseph F. Norton, Risk, Security, and Crisis Management professional

I am going to begin this blog post with a provocative statement:

From a security perspective, the public internet is the weakest cybersecurity component of your business operations. It is literally the superhighway runway from which Cybersecurity attacks are launched.

Now that I have your attention, let me return to my primary question for you last month:

Do you and your business have the ability to anticipate, prepare for, and adapt to changing conditions to withstand, respond to, and recover from a Cyber Business Disruption?

We often think of business disruptions as specific to our own company, firm, or organization. We seldom include risk assessments for the world at large. This has perplexed me for years. The reason this has perplexed me is our dependence upon the Internet as the backbone of our business operations. No local, regional, or global business operates today without relying upon the ubiquitous digital communication connectivity of the Internet.

Let me update and add to this post my question concerning your ability to withstand, respond to, and recover from a Cyber Business Disruption to:

Do you and your business have the ability to anticipate, prepare for, and adapt to changing conditions to withstand, respond to, and recover from any disruption to your access or use of the Internet?

or more bluntly 

Can you conduct business operations without the Internet?

I have been acutely aware of the risks of operating commercial business operations with a reliance on the use of the public Internet since the 1990s. It is pervasively risky! As Kevin Roose recently wrote in his NYTimes article “Did One Guy Just Stop a Huge Cyberattack?”:

The internet, as anyone who works deep in its trenches will tell you, is not a smooth, well-oiled machine. It’s a messy patchwork that has been assembled over decades and is held together with the digital equivalent of Scotch tape and bubble gum. Much of it relies on open-source software that is thanklessly maintained by a small army of volunteer programmers who fix the bugs, patch the holes, and ensure the whole rickety contraption, which is responsible for trillions of dollars in global G.D.P., keeps chugging along.

In this article, Kevin Roose goes on to describe the nature of the Internet and World Wide Web and how it is a globally distributed network comprising many voluntarily interconnected autonomous networks. There is no central governing body. There is no central maintenance organization. Each component network sets and enforces its own policies without coordination with the whole. Yes, the Internet Engineering Task Force (IETF) oversees the Internet protocols, the Internet Society oversees the IETF, and the Internet Consortium for Assigned Names and Numbers (ICANN) controls the DNS hierarchy and the allocation of Internet Protocol (IP) addresses. Yes, the larger Internet Service Providers (ISPs) own and provide the largest parts of the Internet infrastructure, but … there are thousands of ISPs around the world (Note: IBIS World research indicates that there are 27,978 global ISP businesses as of 2024), and the IETF / Internet Society and ICANN do not manage the physical manifestation of the Internet. The Internet backbone is physically owned by the various commercial, educational, government and military entities around the world who implement their networks and interconnections. The Internet is the most complex of digital environments, representing the highest level of systemic digital risk which your business organization faces every day.

From a security perspective, the public Internet and your digital communication connections to it are the weakest cybersecurity component of your business operations. It is literally the superhighway runway from which Cybersecurity attacks are launched.

This is why the foundations of Cybersecurity, and your awareness and specific knowledge of your organization’s Cyber Insecurity, are so important. The Yang of the Internet is that it enables global digital commerce. The Yin of the Internet is that it enables and facilitates cybersecurity attacks.

Closing question for today:

When you brief your senior Executive Leadership Team and Board of Directors about Cybersecurity Risk, do you highlight that the Internet and your digital connections to it are the weakest cybersecurity component of your business operations?

In my upcoming posts I hope to share perspectives on the importance of protecting your Internet Connection Perimeter, Enterprise Critical Event Response as an Enterprise Process, and SEC Cybersecurity Incident Materiality determination and reporting.


Joseph F. Norton is a Risk, Security, and Crisis Management professional.

He is a founding member and Qualified Technology Executive of the Digital Directors Network, Chair of the Advisory Board with Next Era Transformation Group, and Chief Security Officer with APF Technologies.

He has served as Chief Security Officer, SVP at Atos, Chief Technology Officer and Head of Operations, SVP at Philips, Chief Technology Officer, SVP at Novartis, Executive-in-Residence with McKinsey & Company, and Chief Technology Officer at McDonald’s. He has also held professional roles during his career with JPMorgan Bank, Oracle, Sybase and Grumman Aerospace Corporation, and the United States Navy.
