How to guard against cybersecurity hopelessness

Today’s columnist, Stephanie Aceves of Tanium, says while the Biden administration has taken the lead on cyber policy, it’s still up to each and every company to develop a security strategy and do the hard work of security. (Photo by Alex Wong/Getty Images)

A year into the new presidency, the Biden administration likely wants to talk about priorities like healthcare, education, and jobs. Instead, what has emerged as one of the defining agenda items of this administration? Cybersecurity.

It’s no secret why. Parallel to the ongoing health pandemic, an insidious ransomware epidemic has infected computers, threatening organizations of all sizes across all industries. Many security experts consider ransomware the greatest cybersecurity threat we face today.

While ransomware has emerged as an immense menace, I think there’s an even greater looming danger around cybersecurity.

Apathy.

Privacy as a bellwether

When the digital boom started and companies first began collecting more personal user data, there was an optimism among privacy advocates that stronger protections were achievable and worth fighting for. Unfortunately, that optimism has since deflated into hopelessness. Many people today now believe privacy has become a lost cause — companies already collect too much data and know too much about people.

What was once a rallying cry has become a faint whisper. That broad resignation — and overall pessimism — is incredibly detrimental, as it effectively halts progress and stymies any efforts to improve digital privacy.

Unfortunately, the pattern threatens to repeat itself in cybersecurity. In the midst of headline-grabbing ransomware attacks and a steady drip of alerts that consumers receive about their data being leaked by X or Y company, a deep level of pessimism has taken hold among the public that all attacks are inevitable, hackers will steal personal data, and that’s just “the way it is.”

I know from experience: Attackers feed on that kind of passive resignation.

Profiting on hopelessness

It’s one thing for consumers to become apathetic, but it’s worse when even IT and security practitioners start to feel the same pessimism. Unfortunately, I’ve come to believe that the cybersecurity industry wants them to feel hopeless. They monetize fear. In the last five or so years, the industry has been pushing the narrative that prevention has become a lost cause, attackers are already in corporate networks, and all security teams can do is mitigate damage. In doing so, sales of detection and response tools have unsurprisingly surged.

Don’t get me wrong, detection and response are absolutely pivotal. But believing there’s simply “no need” for preventative measures condemns us to resignation. Not to mention, history tells us that many attacks could have been proactively prevented with very basic steps: The 2017 Equifax breach that exposed sensitive data of nearly 143 million people — more than 40% of the U.S. population — happened because the company failed to patch a vulnerability that they knew about for more than two months.

In cybersecurity, the claims that “attackers are outsmarting everyone” are not true. Businesses can’t stop every attacker, but they can stay proactive and maintain a security posture that lets them prevent many attacks from ever happening.

What organizations can do to stop attacks

Here are three steps organizations can take now to improve their security readiness:

  • Prioritize employee cyber education programs.

Cybersecurity Ventures predicts cybersecurity clean-ups will cost around $6 trillion globally in 2021, up to $10.5 trillion by 2025. Cybercrime costs include revenue and IP loss, productivity loss, not to mention massive reputational damage.

By prioritizing cybersecurity awareness and training, organizations can significantly lessen the possibility of getting breached and facing those financial damages. Research shows that employees who receive security awareness training are significantly better at recognizing security threats than those who have not received training. Cybersecurity training programs are particularly effective at helping employees identify phishing and social engineering. Given that past Verizon DBIR reports have found that nearly one-third of all breaches involve phishing, organizations could prevent huge damage — thousands, even millions of dollars — purely by investing in security awareness.

  • Don’t get distracted by the shiny object.

Security vendors, thought leaders, and popular media love to make ominous threats about “AI wars” and nation-states. No question, those are threats enterprises should consider, but focusing on the flashy sci-fi-sounding attacks diverts attention from what’s actually threatening enterprises the most: phishing, credential stealing, and inadequate patching. The biggest security threats are the “boring” ones, and it’s imperative that businesses keep their eye on the ball.

  • Invest in basic cyber hygiene.

So many of the security crises that enterprises experience are caused by a basic hygiene issue that could and should have been identified and fixed. Security teams should focus on maintaining patch compliance, rapidly applying new patches when they're released, keeping software up to date, enforcing policy and access rights on assets, and complying with regulatory requirements. When vetting cybersecurity tools, look for platforms that help team members discover all assets, gain visibility across distributed environments, and identify potential risks in real time.

I know the cybersecurity landscape can feel overwhelming. But there’s no reason to lose hope; it’s the worst thing we can do. Remain vigilant, do the work, and know that even small actions can yield huge improvements.

Stephanie Aceves, senior director, threat response SME lead, Tanium
