Why do we spend more for cybersecurity, but get less?
I’m asked this question frequently when I’m at speaking engagements, and the answer is actually pretty simple. There are two reasons:
- We have an archaic view on security.
- We are spending money on the wrong things.
There are some things in life we just can’t escape. It is in our DNA. Millions of years of evolution have wired our brains to think in a certain way, and without almost Herculean effort and will power, we will continue to think in that way. Our view of security is one of these things. Ask a child how to protect something and they’ll tell you to lock it away so no one can take it. Banks lock it in a vault. You probably secure your company by badging everyone in and out through the access points, and you probably protect your network by placing it behind a firewall that only lets people in who have the correct password. Unfortunately, in today's environment, each of these actions is flawed. Well…maybe not flawed, but certainly not sufficient.
Our view of security…our overall feeling of security…comes from a time when we hid in caves where there was only one entrance, and we could guard that. In the Middle Ages, we hid the king and queen behind a castle wall and a moat with a drawbridge. Today, we hide our important information behind a firewall.
The problem is that once a threat is past the mouth of the cave, or the castle wall, or our firewall, it is usually free to roam at will without further challenge. It is a single point of protection and a single point of failure. Our view of security, i.e. protecting something behind a stronger, higher, thicker wall is flawed. It didn’t work in the Middle Ages. It didn’t work in Berlin. It isn’t working in Israel. It isn’t working on the American-Mexican border, and it doesn’t work for our networks. The idea is just archaic and it doesn’t work.
Instead of just building a wall, we should be focusing on continuous authentication and focused more on actions than on identity. In a continuous authentication system, every act of the user (mouse movement, keyboard biometrics, browsing locations and actions) is measured and compared to the norm for that user. If anything is out of the norm, the system locks the user out until they authenticate further via another method.
Which brings us to the second point. We are spending money on stronger, thicker, higher walls in the form of better firewalls. But an analysis of breaches shows us that very few breaches are the fault of a weak firewall. In fact, the Ponemon Institure 2016 Cost of Data Breach: Global Analysis reveals that 25% of breaches are due to human error. Someone clicked on a phishing attempt. Someone left a web session open with admin rights. Someone inadvertently exposed a record set while doing testing. The salient point is that each of the preceding examples started with the word “someone”.
The problem is people. Security is not a technology problem; it is a people problem.
Don’t glance over the preceding statistic too quickly. 25% of all breaches are due to human error, and this hasn’t changed for the last two years. Let that sink in. If I told you that 25% of breaches were because you weren’t using the ACME firewall, you would probably buy the ACME firewall tomorrow. We know that 25% of the breaches are due to human error, yet most company’s security training remains rudimentary at best.
If you want to make your system a third more secure than it is today, continuously train your people and then continuously test your personnel to ensure that the training is being applied.
That’s it. It’s that simple. Want better results? Stop thinking about security as a way to lock things down and start thinking about it as a way to ensure proper activity. At the same time, train your people to spot phishing attempts and anomalous activity. It’s the best bang for the buck that you can buy.
This article is published as part of the IDG Contributor Network. Want to Join?