Two men can keep a secret if one of them is dead. It’s no secret that the cyber threats are now being taken more seriously, it’s a topic that has even made its way up to the board rooms and for good reason companies are now more aware of the risk posed by threat actors to their systems and their data.
However, let’s not get carried away by all the talk here, the threats are still here (of course they were not to go away overnight) and we keep seeing more sophisticated attacks. So why are we always under prepared? Why are we losing the war?
There are somethings we are missing in all of this mashup of cyber security strategies, new cyber security appliances and technologies, cyber security compliance and anything else that someone can slam on the words cyber security/resilience on.
We aren’t handling this issue correctly (though companies are trying more and more taking things seriously just not seriously enough). It is estimated that bad actors out spend companies and by a huge margin too so using this alone we can see why they are always one step ahead. They are more invested than their targets and so more likely to succeed. Bad actors also share a lot more of information with each other even if it’s a price it’s a small price this further strengthens their position and boost their advantage of successful breaches into companies.
There should be a great deal of worry of how Security news is disseminated to the mass. The trend has been to mention the losses the breach caused that’s how it becomes news, if a breach doesn’t lead to significant losses to a corporate then it doesn’t get much coverage.
This trend presumes that this space is the TV show fear factor far and we are only interested in those cases that are shocking. When reporting of cybersecurity news improves to cover the kill chain and vulnerabilities exploited knowledge will be spread over fear. Hats off to the few who focus in the breach and not the hype of the losses incurred by the corporate.
It’s not just systems that need to be safeguarded. People one of the main assets of any corporate must also be secured. There is nothing more frustrating than having a breach caused by human error or social engineering knowing very well how well secured your systems were bit your people were not up to per.
The assumption that an annual training where staff sit down for three hours as they are lectured about best practices on cybersecurity will improve the corporates changes to be more resilient is wishful thinking. Remember education is not a spectator sport. These trains need to frequent and engaging to the staff putting them in scenario where they encounter these threats and react to them.
From time to time I always mention how deceptive an obvious fact can be. The most defined words in the English language are set and run respectfully. And it seems cybersecurity terms want to follow down this road. And there is no one to control this mess. If you have the freedom to redefine the meaning of a word to suit a use case mostly with vendors (not vendor bashing) this takes away the strength and power of that word. We should be very careful.
Well, we shouldn’t be caught up with all the buzz words that jump out from time to time, it’s best to assume (though we shouldn’t be making assumptions in cybersecurity) that they are not new just old terms given a grace lift and some new Tech to suit the new name.
“Embarrass yourself it builds character” I heartily believe it is this and wish we could see it in industries, corporates coming out and saying how they were breached and educate others not to share the same fate. However, competition reputational loss and other factors are seen as more important.
However, all these can be avoided if we focus on solving this problem. If there was a system that allowed for anonymous reporting of breaches while maintaining integrity of the report to avoid false report. Sounds difficult but it’s easier than it seems the hard part is getting corporates to treat cybersecurity as an industry issue not a corporate issue.
Giving credit where its credit is due though, industries and institutions have improved their security posture as compared from before battles are being war but the war is far from being won and its pitting on the losing end.