How to achieve more effective cybersecurity protection in 2020


In the early 1990s, Northern Irish pop group D:Ream raced to the top of the charts by singing ‘Things can only get better’. But unfortunately, when it comes to cybersecurity in the 2020s, the opposite is very much the case.

Despite decades of development and massive investments in tools and services by organisations of all sizes, successful cyberattacks are on the increase and things are only going to get worse. It’s a frustrating situation with little sign of change.

The problem can be likened to driving a modern motor car. Over the years, cars have become much safer as items such as seatbelts, anti-lock brakes and airbags have been added. Recently, these features have gone even further and now include things such as lane-change warning alarms and automatic braking.

Yet, despite these advances, accidents still occur because one key factor hasn’t changed: the driver behind the wheel. There are no safety features that can stop them speeding or sending text messages rather than watching the road ahead.

It’s exactly the same situation when it comes to using software applications and accessing data stores. The best available tools and processes may well be in place, but they can’t stop users from doing dumb things – and that is exactly what is continuing to happen.

The ongoing security challenge

It should be acknowledged that the cybersecurity tools in use have improved in leaps and bounds during recent years. Vendors have invested massive amounts of time and money to achieve better threat protection and automate effective responses.

For the cybercriminals, this has led to a change in tactics. Rather than trying to outsmart these tools and find weaknesses to exploit, they’ve turned their attention to a different target: the person in front of the keyboard. Increasingly, they’re using psychology to attack people rather than technology to attack systems. It’s cheaper, easier and vastly more successful.

At the same time, the cybersecurity industry continues to pretend that effective security is a technical problem that can be solved by developing and deploying better and more sophisticated tools. While these tools are certainly important, like the safety features in a car, they are only part of the answer. They can’t and don’t stop bad user behaviour.

A new approach

At its heart, ‘security’ is an intellectual concept. There are rules and techniques that, if followed, will create a secure environment. However, to overcome the challenge of insecure user behaviour, we need to shift instead to thinking about ‘safety’, which is a much more emotional concept. People want to feel safe in their environment and with the activities they undertake, and cybersecurity needs to be positioned in this emotional way.

One way to achieve this change would be through a national advertising campaign. Similar in style and approach to those used to promote road safety, a cybersecurity campaign would point out the emotive reasons why people need to be more aware of the potential impact of their poor security behaviours.

They need to understand the ramifications of clicking on a suspicious web link or inserting a random USB key into a computer port. Aside from the technical impact of such activities, they can also lead to disruption, financial cost and even job loss. Spelling that out in a well-orchestrated advertising campaign would make a significant difference.

Education, education, education

The other issue that must be addressed is user education. Just as someone can’t drive a car without first undergoing testing and training, there’s an argument that users should not be accessing applications and data without first learning of the potential security risks that are involved.

In the vast majority of cases, cybersecurity breaches caused by poor user behaviour don’t happen because of malicious intent. They happen because the user is simply unaware of the impact of their actions.

In 2020, organisations of all sizes need to invest more in user education. This needs to cover both the cyber threats that exist and the ways in which cybercriminals are targeting users.

If this new approach to cybersecurity, which includes public awareness campaigns and comprehensive user education, is carried out, things could actually start to get better, and that old D:Ream song might finally come true.


Copyright © 2020 IDG Communications, Inc.
