Is there hype and hysteria around security breaches? Is this going to give rise to a cyber-industrial complex? These questions were recently posed to me by a client at a large insurance company.
Well, let’s look at the current situation. Security breaches are growing in scope and visibility due to increasing automation, interconnected systems, mobile devices and the sharing of personal data. The financial incentive is there for criminals, nation-states and other malicious actors to perpetrate these crimes.
Cyber-security preparedness in the business community, while becoming more visible in recent years, is still far behind the curve when compared to those who wish to commit cybercrime. There is still a tremendous disconnect with employees and the general public regarding the current security threats and what impact their behavior has in propagating or thwarting a breach.
People should be concerned about security breaches, since personal data can be used to damage or destroy an individual’s financial and even personal life. An example of this is the OPM breach, where millions of pages of security forms were stolen that contained intimate details of individuals. These can and will be used by malicious actors as leverage against those federal employees in sensitive positions within the government.
Are cybersecurity companies using these incidents as a means to feed the hysteria behind breaches? Of course they are. You see this in any industry when a company sells a product or service that can remediate concerns faced by that industry. However, security is still a comparatively low priority at the executive level within corporations. This is changing, but it remains the bailiwick of technologists who have minimal say in enterprise decision making.
Are we seeing the beginning of the “Cyber-Industrial Complex”? Well, this was already the case within the Federal government space. Billions have been spent on cybersecurity initiatives but, as we have seen, that hasn’t helped many government departments who lack even basic security practices. Standard security programs and practices are not expensive to implement, but cybersecurity firms are ramping up all sorts of point security solutions that are quite expensive to implement and maintain. Simple, standard security programs do not generate huge revenues for security companies or consultancies.
There are some basic components to an effective security program that do not involve large technology expenditures: keeping your infrastructure (servers, workstations, networking gear) up to date (software patches, hardware refreshes); physical security around critical components; endpoint protection (anti-virus / anti-malware); and user training. Most security breaches gain a toe-hold due to an error by a user or to malicious user intent. For example, the Target breach was propagated by phishing emails.
One of the most effective security practices that employees can participate in is to be cautious when responding to email and browsing the Web. Employees need to make sure that they understand the risks of opening email attachments or clicking on links from unfamiliar sources, for these can lead to malware or virus infection. This is best covered in an effective security education program.
All of these basic tips contribute to a “Defense-in-Depth,” or layered, approach to enterprise security.
Cyber Security Liability Insurance is gaining in popularity and could be a good investment for a business. The ROI for this type of policy would have to be weighed against the business model, the data stored and the potential damages the business could incur in the event of a data breach.
Just don’t get me started about the Internet of Things (IoT). Talk about security disaster.
Shoot me your opinion in the comment section below. I’d love to hear your thoughts on this issue.