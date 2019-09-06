Infosecurity Group Websites


Finding Real Risk

Are you investing your cybersecurity budget in the most appropriate place, or are you being guided by what you see in the headlines?

Cybersecurity speaker Bruce Schneier once gave a great TEDx talk on perceived versus actual risk. The basic message was that we spend a disproportionate amount of time worrying about relatively small risks while not looking at the bigger ones. Bill Gates put it more succinctly back in June, when he tweeted about the “fear instinct that distorts our perspective”:

He pointed to research showing that you’ll see roughly 35% of media stories focusing on causes of death citing terrorism (which fewer than 0.01% of people in the US die from) while running only 2.5% of stories about heart disease, which accounts for 30% of deaths each year. Some risks are sexier than others. You don’t see many Hollywood movies in which Tom Cruise advocates half an hour of daily moderate exercise, reducing greasy foods, and cutting down on sugary drinks.

The same is true in cybersecurity. You should invest in protecting yourself from hackers, especially if you’re in a high-risk industry like financial services, retail, healthcare, or government. But a compromise is at least as likely to come from distracted, poorly educated employees, or from a year-old vulnerability whose patch was never applied, as from some carefully crafted zero-day sent by an elite spy unit.

Several surveys point this out to varying degrees. Security company Egress, which regularly analyzes personal data breach reports filed with the ICO, recently found that 60% of 4,856 such reports were down to human error. This suggests that solid training and a focus on process are at least as important as shelling out money on the latest exciting-sounding AI-powered cybersecurity tool.

Security shouldn’t be about who shouts loudest or comes up with the sexiest-sounding name for an existing form of attack that has been around for decades. Techniques like ‘pretexting’ (basic social engineering) or advanced persistent threats (good old hacking) spring to mind. It should be about comprehensive risk analysis that examines different cybersecurity risks, the likelihood that attackers will use them to target your type of company, and their potential impact. By ignoring the never-ending rounds of cybersecurity theater and focusing on relevant, real-world risk, companies can multiply the effect of their cybersecurity budget.
