[BreachExchange] Cybersecurity: Why do we spend more but get less?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 21 19:56:29 EDT 2016


http://www.csoonline.com/article/3086509/security-awareness/cybersecurity-why-do-we-spend-more-but-get-less.html

Why do we spend more for cybersecurity, but get less?

I’m asked this question frequently when I’m at speaking engagements, and
the answer is actually pretty simple. There are two reasons:

1. We have an archaic view on security.
2. We are spending money on the wrong things.

There are some things in life we just can’t escape. It is in our DNA.
Millions of years of evolution have wired our brains to think in a certain
way, and without almost Herculean effort and will power, we will continue
to think in that way. Our view of security is one of these things. Ask a
child how to protect something and they’ll tell you to lock it away so no
one can take it. Banks lock it in a vault. You probably secure your company
by badging everyone in and out through the access points, and you probably
protect your network by placing it behind a firewall that only lets people
in who have the correct password. Unfortunately, in today's environment,
each of these actions is flawed. Well…maybe not flawed, but certainly not
sufficient.

Our view of security…our overall feeling of security…comes from a time when
we hid in caves where there was only one entrance, and we could guard that.
In the Middle Ages, we hid the king and queen behind a castle wall and a
moat with a drawbridge. Today, we hide our important information behind a
firewall.

The problem is that once a threat is past the mouth of the cave, or the
castle wall, or our firewall, it is usually free to roam at will without
further challenge. It is a single point of protection and a single point of
failure. Our view of security, i.e., protecting something behind a stronger,
higher, thicker wall, is flawed. It didn’t work in the Middle Ages. It
didn’t work in Berlin. It isn’t working in Israel. It isn’t working on the
American-Mexican border, and it doesn’t work for our networks. The idea is
just archaic and it doesn’t work.

Instead of just building a wall, we should focus on continuous
authentication, and more on actions than on identity. In a continuous
authentication system, every act of the user (mouse movement, keyboard
biometrics, browsing locations and actions) is measured and compared to
the norm for that user. If anything is out of the norm, the system locks
the user out until they authenticate further via another method.
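As an added illustration of the continuous-authentication idea above (example code written for this post, not from the article or any product), the sketch below builds a per-user behavioural baseline from constructed sample events, scores each new action against it, and asks for step-up authentication when the action drifts too far from that norm. The feature set (keystroke cadence, source country, hour of day), the penalties and the threshold are all assumptions chosen for the demonstration.

```python
from statistics import mean, pstdev

# Constructed sample: a few days of normal activity for one user. In a real
# deployment these would be collected from the endpoint and browser agents.
BASELINE_EVENTS = [
    {"keystroke_ms": 180, "country": "US", "hour": 9},
    {"keystroke_ms": 195, "country": "US", "hour": 10},
    {"keystroke_ms": 170, "country": "US", "hour": 14},
    {"keystroke_ms": 205, "country": "US", "hour": 11},
    {"keystroke_ms": 188, "country": "US", "hour": 16},
]


def build_baseline(events):
    """Summarise a user's norm: typing cadence (mean/std of ms between
    keystrokes) plus the countries and hours they usually act from."""
    cadence = [e["keystroke_ms"] for e in events]
    return {
        "mean_ms": mean(cadence),
        "std_ms": pstdev(cadence) or 1.0,  # avoid divide-by-zero on a flat baseline
        "countries": {e["country"] for e in events},
        "hours": {e["hour"] for e in events},
    }


def anomaly_score(baseline, event):
    """Distance of one new action from the norm. Cadence contributes its
    z-score; an unseen country or hour adds a fixed penalty (assumed weights)."""
    score = abs(event["keystroke_ms"] - baseline["mean_ms"]) / baseline["std_ms"]
    if event["country"] not in baseline["countries"]:
        score += 3.0  # new geography alone is enough to trigger step-up
    if event["hour"] not in baseline["hours"]:
        score += 1.0  # off-hours activity is suspicious only with other signals
    return score


def decide(baseline, event, threshold=3.0):
    """Return 'allow' or 'step_up'. A step-up means the session is locked
    until the user re-authenticates through a second method."""
    return "step_up" if anomaly_score(baseline, event) >= threshold else "allow"


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for ev in [{"keystroke_ms": 190, "country": "US", "hour": 10},
               {"keystroke_ms": 95, "country": "DE", "hour": 3}]:
        print(ev, "->", decide(base, ev))
```

Note that a single weak signal (an unusual hour with normal cadence and location) stays below the threshold, while a new country or a sharply different typing rhythm crosses it; tuning those weights per organisation is where the real work lies.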

Which brings us to the second point. We are spending money on stronger,
thicker, higher walls in the form of better firewalls. But an analysis of
breaches shows us that very few breaches are the fault of a weak firewall.
In fact, 35 percent of breaches are due to human error: Someone clicked on
a phishing attempt. Someone left a web session open with admin rights.
Someone inadvertently exposed a record set while doing testing. The salient
point is that each of the preceding examples started with the word
“someone”.

The problem is people. Security is not a technology problem; it is a people
problem.

Don’t glance over the preceding statistic too quickly. Thirty-five percent
of all breaches are due to human error. Let that sink in. If I told you
that 35 percent of breaches were because you weren’t using the ACME
firewall, you would probably buy the ACME firewall tomorrow. We know that
35 percent of the breaches are due to human error, yet most companies’
security training remains rudimentary at best.

If you want to make your system a third more secure than it is today,
continuously train your people and then continuously test your personnel to
ensure that the training is being applied.

That’s it. It’s that simple. Want better results? Stop thinking about
security as a way to lock things down and start thinking about it as a way
to ensure proper activity. At the same time, train your people to spot
phishing attempts and anomalous activity. It’s the best bang for the buck
that you can buy.