Expert Roundup: Why Can’t Cybersecurity Be Simpler?
Security is sometimes too complicated for all parties involved and affected. Let’s explore why.
Time and time again, people ask:
Why can’t cybersecurity be simpler?
This question is not asked just by regular users confused by the “techno-babble” or enraged by information leaks.
It’s also increasingly asked by business owners, analysts, journalists and even the people involved in securing information, whether sysadmins for small companies or even high-level executives in multinational organizations.
This is why we thought to go straight to the source to find the best responses. Last time, we asked specialists to say whether they think that Internet security is a losing battle or not and their responses were memorable. Today, we asked highly accomplished cybersecurity experts from various infosec fields another tricky question and they were gracious enough to provide their insights.
If you’re a regular user angry at your data being exposed to various leaks and cyber attacks, you will get a behind-the-scenes look at the reasons why these incidents happen. If you’re someone involved in handling customers’ data, these perspectives will prove to be just as illuminating.
We wanted to provide you with valuable, often hard-to-find perspectives. We managed to make a good start on answering a simple-looking but actually difficult and ramified question.
Why can’t cybersecurity be simpler?
Use the links below to quickly navigate the experts’ replies.
Brent White (BITKILL3R) – Senior Security Consultant at NTT Security and the founder of the Nashville DEF CON group
Ian Thornton-Trump – Cyber Vulnerability & Threat Hunting Lead at Ladbrokes Coral Group and CTO of Octopi Managed Services Inc
Isaac Kohen – Founder and CEO of Teramind, an employee monitoring and insider threat prevention platform
Joe Ward – Senior Security Analyst at Bishop Fox
John Mason – Cyber security and privacy enthusiast, analyst for TheBestVPN
Peter Buttler – Cyber security journalist, consultant at PrivacyEnd
Brent is a Senior Security Consultant at NTT Security and the founder of the Nashville DEF CON group. He can be found at We Hack People, a website dedicated to red team and social engineering assessments.
I focus on social engineering and physical security and see this come in to play on a regular basis when a company hires me to break into their buildings.
For example, tailgating (piggybacking) is one of the most common ways that I gain unauthorized access to a business.
This could be mitigated if employees followed their security awareness training and made sure that everyone who entered was scanning their badge, and that the badge being scanned was valid.
However, this takes time and requires people who are already focused on their own paths and agendas to slow down and be more aware of their surroundings.
Asking them to change their thought process and to “validate” each person coming in the door isn’t something that’s going to happen overnight.
You also have the human kindness factor that is innate in most of us, where we naturally want to help out someone in need.
This is easily exploited by a social engineer in many ways, whether it’s pretending to need help opening the door because their arms are full, or the social engineer can simply tailgate in, be in an “argument” on the phone (making the situation uncomfortable on purpose).
People will want to avoid a potential confrontation with someone who already appears to be upset about something.
Once an attacker has physical access to data, it’s pretty much “game over”.
Companies need to go beyond the required annual “security awareness” training PowerPoints if they want to get serious about addressing these issues.
Regular drills such as internal phishing campaigns, testing unauthorized entry, and even full red team assessments are a good way to consistently check the level of awareness and response within an organization.
Employees should be incentivized to find and report something, and have a clear path of how and who to report incidents to in a way that is easy and convenient for them.
It’s very difficult to incorporate a security mindset 100% into the culture of a company. But, when it’s done correctly, it can be a very effective countermeasure against potential threats.
Ian is the Cyber Vulnerability & Threat Hunting Lead at Ladbrokes Coral Group and CTO of Octopi Managed Services Inc. He can be reached on Twitter here.
Security can be simple, but it won’t ever be because business is not simple. And humans are not simple. And security today is in some malevolent Venn diagram right in the damn center of what can only be described for 80% (ish) of the GNP of a country as the small-medium business/enterprise (SMB/SME in the EU/UK) security nightmare.
It’s not easy being profitable and everyone from the governments to the regulators (hackers in suits) to the cyber criminals (hackers in hoodies) is out to attack the hard work of organizations which strive to make an honest living.
I’m a cybersecurity Captain Willard.
“I was going to the worst cyber security situation in the world and I didn’t even know it yet. Weeks away and hundreds of dollars/pounds/euros spent on a security project that snaked through the compliance regulations like a main circuit cable plugged straight into the business’s cybersecurity posture. It was no accident that I got to be the caretaker of a business’s cybersecurity any more than being back in some SANS certification course was an accident. There is no way to tell the business’s cybersecurity story without telling my own. And if that business story is really a confession, then this may be my own as well.”
That’s where we are today. Most businesses are scared of an existential threat from criminal hackers (or regulatory authorities) and are turning to security vendors and consultants to solve their security problem.
The reality is: the problem is cultural and societal.
We reward efficiency over good decision making, we sacrifice security for convenience and we consistently place profit in front of pragmatism.
Cybersecurity is complicated because life is complicated and there is no perfection. We can’t be a hundred percent secure – so the rhetoric and fear mongering of vendors and security professionals has given in to a feeling of helplessness and disparity among the 80%.
If this short essay strikes you as incoherent, it only matches the vast majority of SMB/SME firms’ approaches to cybersecurity: cybersecurity perfection is not attainable.
Attempting to apply the binary model of security and compliance to the “grayness” of business, life and society only ends in disappointment.
If this dystopian view makes you angry or causes you discomfort – good, do something about it – change the security culture, change the business world.
It may never be simple, but you may be able to keep the doors open.
Isaac is the founder and CEO of Teramind, an employee monitoring and insider threat prevention platform that detects, records, and prevents malicious user behavior. He can be reached at firstname.lastname@example.org.
The reality around security is it feels complicated, dynamic and perpetually a ‘catch up’ game in keeping company data secure.
With new technology advances like the internet of things (IoT), the security landscape becomes more entangled, and companies find themselves with new vulnerabilities and ‘patching’ new security holes in their IT infrastructure.
With many moving parts, it’s not a surprise that the traditional approach to a security plan doesn’t seem possible.
In my opinion, the best way to prepare for the future is to move from a protection to a prevention security mindset.
This progressive strategy looks at data security in ‘real time’, meaning security isn’t viewed as an afterthought; rather, it’s using data, monitoring, and analytics to anticipate security breaches and adapt quickly to changing security landscapes.
Joe is a Senior Security Analyst at Bishop Fox. His thoughts on infosec can be found here.
Driven by market forces to deliver more features and derive more value, new technologies are invented every day, and old technologies are being leveraged in new and interesting ways.
Second, there has been historically strong pressure to maintain backward compatibility to the point that the foundation of newer technologies is built on legacy systems riddled with security defects that can never be fixed.
Ultimately I think the increasing pace of “what CAN we do” has overshadowed the fundamental question of “what SHOULD we do”, leaving the question of “what can we do SAFELY” unasked.
John is a cybersecurity and privacy enthusiast, working as an analyst for TheBestVPN. He can be reached on Twitter.
That’s the average cost of one cyber hacker who penetrates your security and wreaks havoc on your business.
Online security isn’t just a matter of protecting your website’s IP address. You are protecting your customers from identity theft and your business from a lawsuit.
Of course, those are just two examples of the potential damage. Hackers intent on disrupting your business for their own gain won’t stop at mere annoyance. They’ll do everything they can to harm your website and take what they want.
Sadly, they’re pretty good at their work. Extremely good.
There’s no shortage of high-ranking companies who’ve fallen victim to a website breach, like Verizon Wireless or Virgin America. All of those hacks damage not only the business but, even worse, they damage customers’ privacy even more.
Which further means that you, as a business, don’t just lose the public’s trust, you lose previously loyal customers.
From restore points and network monitoring to firewalls and malware scanning, each integration protects your business and, more importantly, your customers.
Prioritizing simplicity over thorough security is a mission-critical mistake. One that CEOs from bigger companies who’ve fallen victim will tell you not to make.
Peter Buttler is a cybersecurity journalist and a tech reporter. He is the security consultant at PrivacyEnd. You can follow him on Twitter.
Security isn’t an accommodation since it requires being cautious and demands clients to be persistent about finding a way to look after weaknesses.
Cyber-security is complex in light of the fact that our life is never 100% perfect.
We can’t be a hundred percent secure – so the talk of security experts has yielded to a sentiment weakness among the 70%.
With new innovations like IoT, the security scene turns out to be more complicated, and organizations end up with new vulnerabilities and ‘fixing’ new security flaws in their IT foundation.
Driven by advertising powers to convey more highlights and determine more esteem, new technologies are designed each day, and old technologies are being utilized in new and fascinating ways.
From re-establishing indicates and organizing monitor firewalls and malware filtering, every coordination in cybersecurity protects your business and most importantly your clients.
We would like to thank all the people who participated in this expert roundup for taking the time to answer this question and provide the community some necessary insights into the fascinating world of cybersecurity.
Do you have another perspective on why security is too complicated? Are you from a different background or feel the need to add to the topic?
We plan to keep this column updated, so if you want to contribute, drop us a line and let’s talk!