A Bizarre Field
Cybersecurity is, at times, a bizarre field to be in.
You have undoubtedly heard the cliché that there are two types of companies: those that have been breached and those that have yet to be breached. When I hear someone say those words, my eyes start rolling in their sockets. But the fact is that it is true.
And what is very strange is that companies that have never been breached don’t think they ever will be. Incidents happen to others, not to me. “We are safe.”
But they never are. And it’s frustrating, because in smaller companies there is rarely any budget available to build a solid defense. Don’t get me wrong; I understand this completely. Why would you invest in something that does not generate direct extra revenue for your company, but instead only prevents something terrible from happening?
That is why cybersecurity marketing and sales used to consist almost entirely of fearmongering, trying to scare the living hell out of companies. Like a fireman coming to your house and pointing at every flammable object, so that the next time you are home you cannot help but glance at your new wooden dining table which, apparently, is coated with a violent propellant.
Recent years have seen improved legislation, specifically the GDPR here in Europe, which is a good thing because it has driven companies to tighten security controls around personal data. More and more large companies also demand that the smaller firms serving as their vendors prove, in the form of an ISO 27001 certificate, that they can be trusted to handle the large corporation’s data. It has been a massive catalyst for the industry, and while there is still fearmongering, it has created some real awareness.
Then there is the rise of cybersecurity insurance, another trend aimed at the vast market of companies that don’t want to invest much money in security, but will buy insurance in case it goes wrong.
This is understandable but psychologically very strange behavior—a bit like buying expensive health insurance but continuing to smoke cigarettes and eat junk food.
And what people also fail to see is that cybersecurity attacks can vary between extremely blunt and very subtle.
Take a ransomware attack: a piece of malware is opened, usually by clicking on something in a phishing mail, after which it encrypts every file it can reach from the computer it was run on, often including mapped network shares. The attackers promise the decryption key in exchange for payment, with no guarantee that it actually works. Ransomware is exceptionally blunt as an attack. There’s no subtlety.
But in most cases attackers are there to gather information and to profit by selling it. The breach comes first; the actual damage comes much later, using the information gathered in the meantime.
Mandiant’s (a security firm) 2020 Security Effectiveness Report states that 51% of attacks go undetected, and that those which are detected take about 200 days to be discovered.
If I were an insurer, I would be over the moon. Sorry if I’m cynical here, but this is a great business model. It is like selling fire insurance to homeowners who, in half the cases, never notice that their house is burning, and so never file a claim.
If there’s one thing I know, it’s that insurers are very good with statistics and probabilities. They are very glad to offer you the opportunity to insure yourself.
Anyway, enough ranting.
Something to Protect
The point here is this: as a company, you always have something to protect, something of value. And if a digital version of that content exists, you need to build a defense around it. You need to defend it from outsiders as well as insiders. You cannot wait for the bad guys to show up at your door.
And I guess I’m fearmongering now myself.
It’s the only way to make people see that their house may already be burning.
Contact us if you’d like to find out if it is.