[BreachExchange] Are threats and recriminations an effective method for encouraging cybersecurity?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 27 18:59:18 EDT 2018


https://www.v3.co.uk/v3-uk/opinion/3029022/are-threats-and-recriminations-an-effective-method-for-encouraging-cybersecurity

Any business leader will be kept awake at night by issues facing their
organisation, and rising steadily up the list of concerns in recent years
has been the threat of a data breach. Not only are almost all business
operations now conducted online, but the consequences of mishandling or
losing data are becoming more and more severe. In fact, earlier this year
the World Economic Forum's (WEF) Global Risk Report 2018 listed cyber crime
as one of the five most likely risks facing the world in 2018.

This isn't going to come as a surprise to many. Over the last few years,
cyber crime has moved into the public consciousness thanks to global
headlines on attacks such as WannaCry and data breaches at large companies
like Equifax and Target. These instances have shown that it's not just
organisations' bottom lines that are negatively impacted; it can also be
devastating for the innocent individuals caught up in the aftermath. From
identity theft to cancelled operations, and from cash-drained bank accounts
to the lights going out - the consequences from different acts of cyber
crime are wide-reaching.

Clearly the threat requires a response. Organisations handling any kind of
personal or otherwise sensitive data must protect it as best they can in
order to minimise the threat. There will always be the potential of a
hacker getting in, or a particularly rushed employee emailing the wrong
spreadsheet to the wrong person, but there is also a clear effort and
expense to be expended in ensuring that systems and data are adequately
defended. Additionally, we need to overcome the slightly erroneous
mentality of 'It won't happen to me, so why bother?' that abounds, which
leads plenty of organisations to bury their heads in the sand and simply do
the bare minimum.

In response, governments and lawmakers have determined that the threat of
punitive damages must be used to encourage greater responsibility. The EU
General Data Protection Regulation (GDPR) will finally come into force this
year and includes potentially massive fines for data breaches (up to €20
million, or four per cent of annual global turnover, whichever is greater).

Separately from this legislation, the UK Government announced earlier in the
year that firms in critical industries - such as energy, transport, water
and health - could face fines of up to £17 million if they fail to protect
themselves effectively from cyber-attacks. Clearly, a measure that had
previously been described as a 'last resort' is now the go-to method for
encouraging organisations to up their game.

Of course, the threat of penalties tends to be an effective way of steering
people in the right direction, especially when tied to regulation. Since
the deadline for complying with the GDPR was announced, thousands of
organisations have been forced to take a long hard look at their data
protection practices and, one assumes, improve their security
infrastructure and guidelines (although only time will tell how effectively
this has been done, and we'll be keeping a careful eye on fines and
warnings issued by the Information Commissioner's Office (ICO) come May
25th). However, by focusing too much on punitive ramifications - and, as a
consequence, public exposure of failures - we run the risk of creating a
culture where organisations simply follow a tick-box process in reaction to
specific regulations, rather than taking positive steps to improve their
overall security posture. With the rate at which technology changes, new
risks constantly appear and focusing on only the areas that may result in
penalties will leave many threat vectors exposed.

Does the average organisation really understand the threats that a business
faces? Look on most security vendors' websites and you'll see them awash
with messages loaded with FUD: the exponential rise of ransomware, the need
for next-generation solutions, the threat from nation state hackers, etc.
To most businesses this means little and only serves to instil fear; but,
if the role of government is to penalise bad behaviour, surely it is the
role of the security industry to engage with organisations and educate them
on the benefits of having good security?

Vendors too frequently focus on the terrifying threat of external sources.
No doubt these threats are headline-grabbing, but are they really what pose
the greatest risk to organisations? Everyone who works within the industry
will recognise that the language of security is almost solely negative. The
marketing message security vendors perpetuate is that solutions are
required to block and stop any and all threats; rarely are they positioned
as being helpful. This creates an environment where users are continuously
told 'no'. No, you can't download productivity applications to help you do
your job; no, you can't use that file sharing website; no, you can't email
yourself documents to finish your work at home.

As a consequence, an antagonistic relationship is established between
security solutions and the end-user - but without the user's buy in, these
solutions simply don't work. If users are prohibited from sharing a
document, or visiting the website they need, chances are high they will
find their own workaround, which can often prove more dangerous. This is
why, despite unprecedented investment in security technologies, the number
of data breaches continues to rise.

As an industry we must focus on positively engaging the user. We need to
show that security and effectively doing your job go hand-in-hand. We need
to discourage the mindset that security is a tick-box process and clearly
establish it as a critical business function that enables, rather than
disables.

We now have a responsibility to engage with businesses and their employees
to make it simpler and easier for people to do the right thing. No-one,
after all, wants to be the cause of a data breach, and with the right
approach we'll do a far better job of preventing that than by scaring
people senseless.