Cyber Truth or Cyber Myth?

As if trying to assemble a successful cybersecurity department were not difficult enough, one of the hardest battles we all find ourselves fighting is the one against well-meaning but often misleading information.

Sometimes the information is wrong, but more often it is right … only when viewed from a certain angle, one that in many cases might not apply to your own specific situation or organization.

In this article, we look at three of those examples. The aim is that, the next time one of these statistics or facts undermines your efforts, you can show your management this article as evidence that unquestioning reliance on facts and statistics without the right context is not always wise.

Truth or Myth 1: The average cost of a data breach is … (insert figure here)
The most widely used figure here is the one from IBM: $3.86m (£3m) per data breach. I am sure this is a correct statistic BUT, as one company representative put it to me: “That’s not plausible for us, we don’t even turn over that amount of revenue each year.”

The problem for any statistic about average data breaches is that there is not really an “average” data breach:

  • Include mostly mega breaches and the figure goes high
  • Include too many small events and the figure can be very low
  • Include or exclude certain industries and the figure can leap in either direction

To further compound the problem, the cost to manage any breach or successful cyber-attack is usually inversely related to how effective the security function and security incident response teams are. That means:

  • An average company with great security is probably paying a lot less per data breach
  • An average company with terrible security is probably paying a lot more per data breach

The better your proactive cybersecurity is, the fewer incidents you will have and the less money any breach should cost you. Or, to put this another way, the worse your cybersecurity is, the more often your last lines of defence (items such as data loss prevention software and security incident response) will be triggered.

Of course, every sane enterprise should have incident response and data loss prevention capabilities. The issue comes when, in my experience (based on inspecting security at more than 50 organizations of different sizes), your security incident response headcount is more than ~15% of your security function. In such a case you may want to consider increasing your enterprise investment in enhancing the defences; it will be cheaper in the long run.

If you have just a few people continuously running around mopping up incidents, I have important news for you: that is not cybersecurity; it is just incident response.

So, the truth here is that the less you spend up-front on cybersecurity, the more you can expect to pay on reactive responses, including damages from data breaches.

Truth or Myth 2: Clicking on a single link took down our entire organization
This one should be a myth because unless you only have one computer or your security was configured by Coco the Clown, a single malware infection on one device should not burn through your digital ecosystem like an uncontrolled wildfire.

As every infosec professional knows, cybersecurity is not only about implementing protection against the latest vulnerabilities but also about compartmentalizing our digital assets. Gone are the days when everything inside a given digital ecosystem could trust everything else in relative safety.

Despite this, many enterprises continue to have great oceans of interconnected and trusting devices, especially in environments that often need to hold on to old technology for as long as possible. Prime targets include hospitals and manufacturing plants. These are locations that in many cases continue to run computer systems they know are vulnerable … but may also fail to take them off the network or take other countermeasures to isolate them effectively.

Training staff not to click on suspicious links makes a lot of sense, but let’s be clear: if your security relies entirely on people never clicking a bad link or opening a malicious file, you are going to have a life filled with disappointment.

In fact, the most skilful hackers and attackers are getting so good at writing compelling phishing scams that, in some cases, they are more convincing than legitimate communications.

Effective enterprise cybersecurity needs to expect that the occasional rogue link or file will be opened, and to be able to contain such threats rapidly or automatically.

So, is this a myth? The truth is that some organizations are still so vulnerable that a single click on the wrong device at the wrong time could still bring them down. However, in that scenario, it would not really be the person doing the clicking who was to blame – it would be whoever decided to under-invest in securing the environment against an obvious and near-certain risk.

Truth or Myth 3: Cyber Threat Intelligence is complicated
It is a myth that threat intelligence must be complicated, but it is the truth that it is often made so complicated it can be hard to comprehend.

Yes, staying up to date on threats against your own particular industry is advisable, but (and you knew that “but” was coming) what continues to prevent most cyber-attacks from succeeding are the basics, such as:

  • Hardened security configurations on devices and applications
  • Running effective anti-virus on each digital asset
  • Ensuring that back-ups are taken regularly and are protected from corruption
  • Keeping all software and operating systems up-to-date with the latest patches
  • Having a robust identity and access architecture that is well managed and works on the principle of granting each person only the least privileges required for their work

There is a phenomenon known as “analysis paralysis,” where too much information can be worse than very little. With the rapid evolution of cyber threats, I have witnessed many professionals coming unstuck by spending too much time locked up in trying to work out how to filter so much information.

The problem is that there are huge numbers of potential sources of intelligence and millions of new attack types each month. Following too many sources, instead of distilling threat information into a single, simple feed, can have the opposite effect.

For the simplest route to threat intelligence, look no further than the cybersecurity news headlines. If something is really starting to trend and is being discussed in threat intelligence circles, it will start to appear in the press.

If there is a threat intelligence service for your industry or country that will send you a concise list of threat highlights, it is a good idea to subscribe to a few … but you probably don’t want to subscribe to hundreds of them.

The next time you are told a cyber-fact, just remember:

  • They can be very useful
  • Nearly all of them are very well intended
  • But they are not always relevant to your situation

Sometimes, there could be a deeper truth hiding somewhere in the background.
