Look back at 2015’s most significant hacks and it’s difficult to imagine how the state of security could get worse. Lowlights included new attacks on industrial systems, an infection of Apple’s Xcode IDE, the devastating OPM breach, and a rash of well-coordinated, multi-million-dollar cyber thefts from financial institutions. Fears of data breaches have reached an all-time high, not only because so many of them occur, but because company officers are being held accountable and losing their jobs.
Each high-profile attack stirs more fear of threats to come. Security vendors play on those anxieties to sell their wares, whether or not a decrease in the likelihood of successful attack will actually result. Some vendors even create logos for infamous malware.
As a result, people prioritize the wrong risks. They hear about scary ransomware, for example, and their first response is to up the ante on the latest technology: next-gen firewalls, elaborate security event monitoring, the latest exotic endpoint protection, what have you. In the process, they ignore the obvious, such as failures to patch Java and Adobe Acrobat, two points of vulnerability that can be blamed for the lion’s share of successful attacks in most organizations.
Fear can have a terrible effect on judgment. For example, the risk that any one individual in the United States would fall prey to an act of terror is infinitesimally small, yet the prospect is so horrific and politicians find exploiting that fear so irresistible, that gullible people turn paranoid and support absurd solutions. It’s a scary world, but living in fear and grasping for the nearest quick fix that “feels right” won’t solve anything -- and distracts from real problems that demand attention.
The same goes for computer security. Before going overboard and deploying technology to monitor the behavior of your users, for example, you might want to implement traffic flow analysis -- and train your users to detect phishing emails, avoid downloading items of unknown origin, and recognize what real antivirus software looks like, so no one is fooled by a fake antivirus exploit. After all, the biggest insider threats are mistakes made by poorly trained users.
Create a security framework that identifies which assets need the most protection and rationally prioritizes risk, then deploy your security solutions accordingly. If you have a framework already, make sure it’s up to date for the coming year.
The hard part is always getting everyone to buy into your vision, from the C-suite to rank-and-file users. But it’s worth the effort because it’s the only way to truly move the needle. It’s a tough world out there, but as always, avoiding knee-jerk solutions and applying common sense based on real information will always keep you safer in the long run.