I’ve said it before and I’ll keep on saying it: The greatest threat to cyber security is the cyber security industry itself and the “good enough” mindset.
Every day there is a claim of a new product that will be the silver bullet protecting your organization against a breach, and every day another company spins up a new "Cyber Security" services division. They are hopping on the security bandwagon, usually with little or no security credentials.
There is real need for security services, but the industry has become an opportunistic one, ready to sell you anything you can imagine. Most people do not understand the complex world of cyber threats and fall victim to what amounts to a global scam of an industry.
Here are a few facts that will help you wade through misleading propaganda:
1. There is no silver bullet and there never will be. Let's get this one out of the way right off the bat. There will never be a product that completely saves you from every cyber threat. Many products in this space do a very good job of detecting malware and other executables that should not be running on your systems. While these products can and should be included as a layer in your overall security model, each typically protects against only one slice of the threat, mainly known malware and publicly disclosed vulnerabilities. Real attackers steal legitimate credentials for your network and use them over time to gain other legitimate credentials, and a product that looks for malicious code has nothing to flag when every action is performed by a valid account through the normal tools. In short, the biggest threats come from attackers accessing your IT infrastructure as a legitimate user in your organization. If your organization has not addressed the fundamentals of network hygiene and regularly scheduled, advanced penetration testing from a qualified team, there is no security appliance on the planet that will save you.
2. Very few people are actually qualified to "test" your system. I know I will be speaking for every company that invests in real talent with this one: the cyber skills gap is the largest skills gap we face right now, so how can every business advisory firm be selling "penetration testing"? It is shocking how many of our clients tell us that their last penetration test was done by their CPA, business advisor, or other partner. They are fooled by the fact that a representative of those firms holds a Certified Ethical Hacker certificate. What they do not know is that the cert can be obtained in about two weeks. Would you trust a doctor's diagnosis if you knew he had attended only two weeks of medical school? Many mistakenly assume that there is one level of hacking, and that anyone who says they are certified must be qualified to protect your organization. In fact, this industry is much more like the different levels of baseball: you have every skill level from Little League all the way up to the major leagues. To be frank, there are some real major league companies putting their trust in security talent operating at a junior high level, and there are some premier security companies that are very guilty of selling minor league talent at a major league rate.
3. Encryption does not always equal secure. There is a huge misconception around data encryption at rest, and it usually goes unmentioned. If you have invested in encryption-at-rest technology and you think you are safe, think again. Encryption at rest protects you against someone who walks off with the disk, the backup tape, or the storage volume without the key. It does nothing against an attacker who comes in through the front door, because the application or database decrypts transparently for any user who authenticates. Remember when I said attackers like to steal legitimate credentials? Once an attacker is posing as a legitimate user, the encryption at rest goes out the window: the same read path that serves your employees serves the attacker plaintext. More emphasis should be put on credential and access management, multifactor authentication, authorization that limits each account to the records it actually needs, and visibility into the unique vulnerabilities that are specific to your environment. In many cases encryption at rest is a requirement and must be implemented. Don't use it as an excuse to skip the rest. You are still responsible for understanding that implementing such technology is only one layer in a security program.
4. Your move to the cloud does not protect you. I have heard it a thousand times: "We moved to the cloud last year, so all is well with our data security." While this model is definitely more secure than keeping your servers in the janitor's closet, there are still very real ways for attackers to get your data. The provider secures the physical infrastructure and the platform; your identities, access policies, and configuration remain your responsibility. Again, real attackers use valid credentials to move through your environment. So, even in the cloud, they can access all the data you can access.
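The credential-theft point made in items 1, 3 and 4 above is easier to see in code. The following is an added example, not code from the original post: a toy record store with transparent encryption at rest, read first by an attacker who stole a disk image, then by an attacker who phished a valid password. Everything in it is constructed for illustration: the users and passwords are made up, the HMAC-based keystream stands in for a real cipher and is not for production use, and the names (`Store`, `suspicious_users`, the `enforce_authz` flag) are hypothetical.

```python
"""Toy model: encryption at rest versus an attacker holding valid credentials.

Constructed example. The keystream cipher below is a stand-in for AES and
must not be used for real data; users, passwords and records are sample data.
"""
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, toy substitute for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Store:
    """Record store with transparent encryption at rest (hypothetical).

    The disk never holds plaintext, but get() decrypts for any caller who
    authenticates. Per-record authorization is optional, which is the point.
    """

    def __init__(self, users: dict):
        self._key = secrets.token_bytes(32)       # held in server memory, never on the disk image
        self._disk: dict = {}                     # record_id -> ciphertext
        self._owner: dict = {}                    # record_id -> owning user
        self._salt = secrets.token_bytes(16)
        self._pw = {u: _hash_pw(p, self._salt) for u, p in users.items()}
        self.audit: list = []                     # (user, record_id, outcome)

    def put(self, owner: str, record_id: str, data: bytes) -> None:
        self._disk[record_id] = encrypt(self._key, data)
        self._owner[record_id] = owner

    def disk_image(self) -> dict:
        """What a thief gets from a stolen backup: ciphertext only, no key."""
        return dict(self._disk)

    def _authenticate(self, user: str, password: str) -> bool:
        expected = self._pw.get(user)
        return expected is not None and hmac.compare_digest(expected, _hash_pw(password, self._salt))

    def get(self, user: str, password: str, record_id: str, enforce_authz: bool = False) -> Optional[bytes]:
        if not self._authenticate(user, password):
            self.audit.append((user, record_id, "AUTH_FAIL"))
            return None
        if enforce_authz and self._owner.get(record_id) != user:
            self.audit.append((user, record_id, "DENIED"))
            return None
        self.audit.append((user, record_id, "READ"))
        return decrypt(self._key, self._disk[record_id])


def plaintext_on_disk(image: dict, needle: bytes) -> bool:
    """True if the stored bytes contain the plaintext fragment (i.e. at-rest encryption failed)."""
    return any(needle in blob for blob in image.values())


def suspicious_users(audit: list, threshold: int = 2) -> list:
    """Flag principals whose denied reads reach the threshold: the trail a credential thief leaves."""
    denied: dict = {}
    for user, _record, outcome in audit:
        if outcome == "DENIED":
            denied[user] = denied.get(user, 0) + 1
    return sorted(u for u, n in denied.items() if n >= threshold)


def demo() -> dict:
    store = Store({"alice": "correct horse", "bob": "battery staple"})   # sample users
    store.put("alice", "a1", b"alice payroll")
    store.put("bob", "b1", b"bob medical")
    store.put("bob", "b2", b"bob ssn 000-00-0000")
    # 1) Stolen disk image: ciphertext only, the thief has no key. Encryption at rest works here.
    offline_leak = plaintext_on_disk(store.disk_image(), b"medical")
    # 2) Phished alice's password, store checks authentication only: every record decrypts.
    transparent = [store.get("alice", "correct horse", r) for r in ("a1", "b1", "b2")]
    # 3) Same stolen password, store also enforces per-record authorization and logs the denials.
    authorized = [store.get("alice", "correct horse", r, enforce_authz=True) for r in ("a1", "b1", "b2")]
    return {
        "offline_leak": offline_leak,
        "transparent_reads": transparent,
        "authz_reads": authorized,
        "flagged": suspicious_users(store.audit),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The disk image never leaks plaintext, which is exactly what encryption at rest is for. The phished password defeats it completely in case 2, and only the authorization check and the audit trail in case 3 change the outcome: the attacker still gets alice's own record, but bob's records stay closed and the repeated denials are what a monitoring team can act on.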
Now here's the real truth: security is a never-ending process. Beware of anyone selling you a magic potion. If you have questions about a company's expertise in this area, your concerns are probably justified.