In the last few years, there has been rapid digitalization alongside a massive increase in cybersecurity incidents. The ongoing pandemic has certainly not eased the situation, and right now cyberspace feels a bit like the Wild West. It seems every week there is news of another organization being breached. Despite all of this, information security is often neglected, and many businesses seem overly relaxed about protecting their data. This article addresses excuses that are commonly used to explain insufficient cybersecurity, and why you should do your best to avoid them.
“We cannot afford to spend money on cybersecurity”
I’ll start by saying that I understand that putting money aside for information security can be challenging. This is especially true in times like these, when many organizations are struggling to keep their business going. With that being said, it is possible to build a solid cybersecurity defense without a ginormous budget and endless spending. A handful of security domains are considered foundational and can be implemented without splashing the cash: secure configuration of devices, keeping software updated, strong authentication (for example multi-factor authentication), and teaching employees security awareness. This does require you to put in some time and effort, which should be acceptable.
Completely neglecting cybersecurity does not make a lot of sense from a cost perspective anyway, because it is guaranteed to come back and bite you. Security incidents are expensive to deal with, and if you do not put in the effort, the chances of becoming the victim of one increase immensely. In many cases, the incident ends up costing a lot more to recover from than what you could have paid to protect against it. It is a catch-22: you cannot afford to spend money on cybersecurity, but you certainly cannot afford not to.
“We are too small to be a target”
This is a very common misconception. Most cybercriminals are financially motivated and try to hit as many targets as possible. It may very well be that they deliberately target small and medium-sized companies because they expect them to be easier targets with weaker security. The truth is that the size of your company does not decide how dependent you are on your data and systems. The attackers know this too, and they know that you are just as likely to pay a ransom to recover your data as a large corporation is. There are countless examples of small companies being the victims of very damaging cybersecurity incidents, but let’s have a look at a concrete example.
In 2016, an employee at a hair salon in Kongsberg, Norway received an email from what she thought was the US Postal Service. She was lured into clicking a link in the email, and ransomware was downloaded and launched on the device. From there, all systems were locked down and their data was encrypted. This included their register and 6 months of customer bookings. The owner ended up paying the ransom and replacing all her systems, estimating the total cost of the incident at around 30 thousand US dollars.
“This system is not patched because we are going to replace it soon”
Procrastination does not go well with cybersecurity. There is a well-known quote that says: “There are only two types of companies: those that have been hacked and those that will be.” Vulnerable systems are what the attackers are after, and they put in the work to find them. If you expose a service on the internet, you’ll see attackers scanning it for vulnerabilities within seconds. To them, finding that unpatched system could mean a way into your network, or a way to spread malware onto more devices. Whether you were planning to patch that system tomorrow, next week or next month does not matter to them. You could ask the attackers to come back later when you have updated your software, but I wouldn’t be too hopeful.
“Securing this server is not important because it is inside our perimeter”
Digitalization has made radical changes to the way we work. Companies consist of employees spread across the entire globe collaborating on the same projects. Working from home, the office or a local Starbucks are all viable options in the modern work environment. These are all changes for the better, but they call for a shift in the way we do network security.
Traditional network security revolves around building a strong perimeter to protect the company network and assets. Its primary focus is to keep unauthorized users outside the network. An attacker who manages to breach a network designed with the “everything on the inside is secure” way of thinking usually means big trouble. These networks seldom have the resistance to stop the adversary from pivoting through the network and accessing the information one is trying to protect.
Modern work environments require more services to be available on the internet and allow users to connect to the company network with any device and from untrusted networks. This forces us to assume that there will be compromised requests and that there are no longer any threat-free zones, which makes the perimeter-based approach to network security obsolete. A concept often used to deal with these problems is zero trust. This security model is built on the principle that a request cannot be trusted, no matter its source, and always has to be verified. It relies on strong access control and the principle of least privilege. The zero trust architecture will be covered in detail in one of my upcoming articles, so make sure to come back for that!
Did any of these excuses sound familiar? I’ll openly admit that I am guilty of having used one or two of them in the past myself. The takeaway here is that whenever you make an excuse that negatively impacts your information security, you should consider the risk you are exposing yourself to and whether that risk is acceptable. There are many cybersecurity incidents these days, which could mean there are too many excuses out there as well. Let’s try to change that!