The 9th annual cost of cybercrime study by consultancy firm Accenture highlighted the tremendous impact of poor cybersecurity practices on organizations around the world. The research pegged the average cost of each attack at $13 million, with the total value at risk to organizations from cybercrime placed at over $5 trillion globally over the next five years.
Despite an average of nearly 150 breaches per year for the typical organization, it’s clear that many are failing in their attempts to shore up their defences. It’s a picture that former National Security Agency cybersecurity expert Thomas Parenty believes is exacerbated by a number of myths surrounding cybersecurity that prevent organizations from taking smart decisions. In his latest book, he outlines three of the most pervasive of these myths.
1. Compliance is enough
When organizations first embark upon efforts to shore up their cyber-defenses, they often begin by exploring how they are currently performing. It’s common in this process to turn to certain regulatory and industry standards to help guide them on their journey. This comes with an implicit belief that if the standards can be met, then compliance will be sufficient to ensure the organization is protected on every front.
While standards do have their place, they inevitably address a broad audience, and so run the risk of applying to all but benefiting none. Parenty cites the NIST Framework as an example of a standard that was constructed specifically for the protection of critical infrastructure, yet is widely used in industries as varied as retail and hospitality.
What’s more, the presence of standards can encourage organizations to outsource the identification of threats, and fall into the trap of believing that so long as they are compliant with the standards for their industry, then they are safe from all threats. Indeed, Parenty argues that the work involved in complying with standards often diverts resources from addressing the threats that pose the biggest risk.
2. Employees care about cybersecurity
Employees have a great many cares and desires when they come into work each day, but more likely than not, cybersecurity is not foremost among them. Sure, they don’t want their company to suffer any breaches, but when compared with other motivators, it’s pretty low down their list of priorities.
Arguably at the top of the list is their desire to get the job done, and I’m sure most of us can recount times when we, or colleagues, have had to construct bootstrapped workarounds of official policies, regulations, or systems in order to get the job done. This bootstrapping is quite probably going to lead to security vulnerabilities, but if it means they can meet their targets, get that promotion or bonus, and generally thrive at work, then that's what will happen.
This situation is often exacerbated by financial incentives that encourage employees to pursue stretch goals. Intense deadlines can push employees to cut corners, and cybersecurity can often be among the first corners cut, with this problem especially significant in markets that demand speed to market and low cost.
3. Defenses need to be commensurate to the power of the attack
In conventional warfare, there needs to be a symmetry between the power of the defence and the power of the attack, but in the cybersecurity world, this symmetry seldom exists. Parenty cites the WannaCry virus, which was built using a tool developed by the NSA. The attack was undoubtedly sophisticated, but the measures required to defend against it were often very low tech, including updating Windows and ensuring data and systems were backed up.
It’s a situation that underlines the fact that many cybersecurity issues are not caused by technical challenges but rather managerial ones: the technical solutions are often quite rudimentary, but they are given insufficient priority to be implemented effectively.
Parenty goes on to cite the Quantum Insert tool, which was developed at a cost of some $32 million by the NSA to monitor our browsing and install malicious software on our computers. The tool is undoubtedly highly sophisticated, yet it requires unencrypted browsing to be effective. Accepting that the defenses we deploy need not be proportionate to the sophistication of the attacks themselves allows us to deploy resources better, and to accept that adequate defence is usually something that can be achieved with limited resources and unsophisticated means.
Data such as that from Accenture highlights the challenges many organizations still have in successfully tackling the various cybersecurity challenges they face. Overcoming the three myths identified above should go some way towards improving matters as they help to get the leadership of our organizations into the right mindset to succeed. As with so much in organizational life, that is so often the key first step.