Sometimes reality beats Hollywood by orders of magnitude. Here’s one such case: Your cybersecurity sucks. Seriously.
It’s embarassing. We’ve been pouring billions into cyber defence and cyber security for years. We’ve become good at it. Or so we thought. Then the war came.
With the war came the truth. We’ve been had. No, that’s not fair. We’ve welcomed and embraced the illusion. Like ‘oh really, is the world now even more dangerous? Let’s throw more money at it’.
It’s rude awakening if we ever saw one. Scores of vendors have sold us levels of safety that couldn’t possibly exist. We – including the experts – have bought it. Felt good, and moved on. Trusted occasional penetration testing, rattling the cages every once in a while, followed best practices and defeated day-to-day attacks. Not bad, but not good enough – and seriously: We know it. And in case someone needed proof, the ransomware wave of the past 3 years should have pulled the plug on the illusion. What we have may be good, but it’s certainly not good enough.
The emperor’s new clothes moment came from american authorities a few weeks back. Triggered by Russia’s atrocious war on Ukraine, US authorities launched a huge digital defence effort in order to protect ‘everything’ from Russian cyberattacks. I’m sure many had the same reactions as I:
What? Why is this happening now? Isn’t this what we’ve been doing for 10+ years?Apparently not. Ponder this quote from Wired magazine for a moment:
Since Russia launched its full-blown invasion of Ukraine in late February, a wave of predictable cyberattacks has accompanied that offensive, striking everything from Ukrainian government agencies to satellite networks, with mixed results. Less expected, however, was the cyber counteroffensive from the US government—not in the form of retaliatory hacking, but in a broad collection of aggressive legal and policy moves designed to call out the Kremlin’s most brazen cyberattack groups, box them in, and even directly disrupt their hacking capabilities.
Seriously — did we need a war to get serious about defences, even cyber defence? It surely looks that way. There is nothing the US (and other authorities) are doing today that couldn’t have been done a month or 2 years ago. By authorities and businesses. So what’s the problem?
Actually, the sudden action – the willingness to see, accept and act – reveal several problems, all selfinflicted. The most obvious is money. Selling defence is hard. It’s like insurance – the expenditure, regardless of size, will never contribute positively to the balance sheet. Not the useless defence, not the defence that actually saved the organization on numerous occasions. The cost/benefit balance has to be defined and sold to management by the experts – using understandable facts and trustworthy reasoning.
Then there is the fact that some security measures will always be visible, which complicate things. Such as 2-factor authentication (2FA), which most of us have become accustomed to in recent years, but still is under-utilized. Interestingly, security departments still blame the users – ‘they resist’, but the users do as they’re told – if they understand why.
The same goes for ‘procedural changes’ – the ‘we’ve always done it that way’ and the ‘if it works, don’t fix it’ factors. Security departments often blame the users, but again the users do as they’re told – if they understand why. They’re used to it. Most of us are adapting to changes, even big changes, quite frequently. Our phones, TVs and entertainment systems, our homes, alarm systems, cars, traffic regulations, parking, apps all over the place. We’re easily accepting them (although not necessarily liking them) because they’re perceived as ‘necessary evil’. In other words, the resistance to improved security is a management problem much more than a user problem. Lax management, lax security.
I could go on, but the message is clear already: Our under-par cyber security is most of all an attitude problem. Everyone, and management in particular, need a new mindset. And unfortunately, it takes a war (or some other serious crisis) to wake up. Check out the Wired article for more details. It’s interesting reading.
Part of the same picture is the fact that Russia’s cyberwar capabilities have been severely overrated, at least by the media. Their success at infiltrating businesses, authorities and infrastructure in Ukraine and the rest of the world has been very limited, as I’ve pointed out before. Also, as reported in a different Wired Magazine article, counterattacks against Russia have been surprisingly effective, indicating that their cyberdefences have received a lot less focus than their offensive capabilities over the years. Not necessarily surprising, but important.
If you need a break from the war, and of course you do – here’s something else to keep your mind busy this weekend: Most businesses, most organizations, are out of touch with reality along many lines, not only security and understanding of threats. Running a business (or a public service for that matter) means being able to adapt to markets, changes, opportunities fast. Some times, and more often than most like to admit, fast paced change is the biggest challenge of all. Here’s an example – and how to deal with it: You Need a Business Prenup: Exit Strategy.