One undeniable fact: the 2016 elections brought the word “cybersecurity” into the mainstream. The problem that stemmed from that fact: nobody is actually sure what “cybersecurity” is. And as a result, we spin our wheels or head off into differing directions.
For all the tech talk, commentary, and promise of some incredible “save you from all cyber threats” solution, lost in the conversation are the cybersecurity basics. It is a disservice to all when pundits use words, such as hack and leak, interchangeably. Those who have a more informed understanding of the issue know that these terms having incredibly different meaning. The same can be said for words such as stolen and copied. They are not the same and are often confused, even misused. And how about this one: the difference between authorized access by an unauthorized user and unauthorized access. The fine nuance between the two can entirely re-characterize the nature of an attack.
I have not conducted a formal study to know how many people know the differences or can spot the nuances, but from informal observation of my own experiences, about 95% of people cannot tell the difference and of the 5% that do, almost all of them have some form of security-type training or professional work experience. Another informal observation: even those who have the training still cannot always spot the difference.
Why is all of this important? Because if we cannot get the basics right, chances are everything that follows will be wrong, insufficient, or inadequate.
I start from this premise: we have finite resources. I do not think anybody serious would disagree with me on this premise. Therefore, let us be smart about how we use these resources. And part of being smart is asking the right questions and knowing the basics.
In the middle of serious cybersecurity policy debate, does it make a difference if a Senator asks a witness whether data was stolen or copied? Yes, it does. In trying to determine how an attack happened, does it make a difference when the Board asks its IT manager if the source of the attack came from authorized access by an unauthorized user or by unauthorized access? Yes, it does.
The human brain can only process so much information and the more complex we make the cybersecurity discussion, the increased likelihood of us mucking it up. Add into the mix a disregard or misunderstanding of the basics and the muck up is almost certain.
What are the basics? A few are here, from my last #CyberTuesday blog. Successful cybersecurity relies on personal ownership. Somebody else does not make you fit; you make yourself fit. And we are quite poor at personal ownership, with multiple studies showing that human action/error is responsible for 90+% of successful attacks or breaches.
Some more basics include the understanding of terminology and the state of affairs. We know the difference between somebody kicked down the front door to my house versus somebody stole my house keys and walked in the front door. If somebody kicked down your front door, chances are you need a stronger door or you may consider putting a gated fence around your house to make it more difficult for a perpetrator to get to your front door. If somebody stole your house keys you would do a better job to protect your keys.
It is worth asking: would you erect a 30 foot high six foot thick steel perimeter around your property if you lost your front door keys? No, as that would be resource overkill. Instead, you would likely change the locks on your doors. And if your problem is your keys getting stolen, what good exactly does this mega-fortress bring you? Unless you plan to seal yourself off from the entire world, the mega-fortress will need an access point, say, like a door with a lock. What happens when you lose your keys again? Build a mega-mega-fortress that will protect the mega-fortress?
If this is sounding a bit ridiculous, welcome to the world of cybersecurity. Because so many of the basics are misunderstood, or even outright ignored, many of us are seeing mega-mega-fortresses being erected all over the place. But we are not exactly sure if they are making anybody more secure. Part of what we do at SDICyber is to help you understand these basics. The basics can work miracles, as I point out here with some fellow patriots.
There is no harm in saying that you are unsure of the basics. Nor should you be embarrassed to ask that question. That very admission may be the most crucial step to getting you cyber secure.
By George Platsis, SDI Cyber Risk Practice
July 11, 2017