Working in Cybersecurity I have often asked myself this question. We spend so much time convincing each other that cybersecurity is a massive risk, when I often feel like we spend more time talking about it than actually fixing cyber incidents. Now of course there is an element of being proactive as opposed to reactive.
If businesses do basic business business continuity they will actually know what the impacts of losing access to their systems or data are. And will quite easily be able to understand the risks and impacts associated with losing a key system completely, or for a duration of time and whether the business can tolerate it.
From my experience in the last couple of the years, the largest threat has been ransomware attacks. These attacks have seen the largest real impact to the operations of some large organisations, essentially taking their systems offline.
The other point is that companies don't want to announce they have had a cyber incident and perhaps these organisations have had appropriate mitigating controls in place to protect their environment, despite detecting an attack. Which reminds me of the old saying where IT do less work when they're doing their jobs correctly.
My final note would be, these "bean counters" will have a hard time explaining themselves when their key applications are completely encrypted, having not invested in additional DR infrastructure to protect themselves. I have seen many times where the cybersecurity budget has magically increased following a cyber security incident.
Pretty boring today in 2022. Advocates a risk-assessed approach to cyber security, which has been the standard for quite awhile. Maybe not as prominent in 2010, the original date of publication.
One of the things that seems to be missed a lot of the time is the cost of cybersecurity policies, tools and the workarounds users are forced to use to circumvent cybersecurity policies.
Password change policies - say no more,
virus checkers - slowing down workstations for minimal benefit,
internet access filtering - Businesses doing deep packet inspection on the off chance that one of the staff members might bring in something nasty.
The cost in time and frustration is over the top and the benefit is mostly around perception.
The reality is, that if somebody wants to compromise your security, they will find a way. The chances are that it has already happened and you have no idea about it.
I'm not advocating do nothing, but there needs to be an understanding that most of the measures taken these days are patches put in place for broken software, incorrect configuration and poor user education.
The challenge is that chief executives, boards and audit committees set a tolerance to risk, like they do with all other risks. And those responsible will not accept a high level of residual risk, so we put controls in. The challenge is knowing what the best controls are.
Chances are if its already happened and you haven't detected that it has, then you've really not taken cybersecurity seriously.
> virus checkers - slowing down workstations for minimal benefit.
Being able to stop known malware is a significant benefit.
> internet access filtering - Businesses doing deep packet inspection on the off chance that one of the staff members might bring in something nasty.
Doesn't have to be DPI, being able to say "hey this porn is not okay during work" is absolutely fine. Especially if there's malware out there that redirects you around to sites you might not want your customers to see.
> The reality is, that if somebody wants to compromise your security, they will find a way.
That's such a lie by omission, there's a lot of unsophisticated spray-n-pray type of attacks out there.
> > virus checkers - slowing down workstations for minimal benefit.
> Being able to stop known malware is a significant benefit.
Having been part of a malware debacle that essentially circumvented two different av/malware tools it's hard for me to find a pragmatic balance to the year's worth of absolute hell the tooling caused to the systems I'm responsible for. (Log bombing, HDD I/O stackups, chained immune responses and deadlocks to literally nothing) +25% or more resource consumption _just_ to keep the AVs happy.
Couple that with needlessly aggressive IT policy (see Mordac, the preventer of IT services on steroids)
There's got to be a better way, but maybe this is the new normal.
8 comments
[ 4.4 ms ] story [ 24.1 ms ] threadIf businesses do basic business business continuity they will actually know what the impacts of losing access to their systems or data are. And will quite easily be able to understand the risks and impacts associated with losing a key system completely, or for a duration of time and whether the business can tolerate it.
From my experience in the last couple of the years, the largest threat has been ransomware attacks. These attacks have seen the largest real impact to the operations of some large organisations, essentially taking their systems offline.
The other point is that companies don't want to announce they have had a cyber incident and perhaps these organisations have had appropriate mitigating controls in place to protect their environment, despite detecting an attack. Which reminds me of the old saying where IT do less work when they're doing their jobs correctly.
My final note would be, these "bean counters" will have a hard time explaining themselves when their key applications are completely encrypted, having not invested in additional DR infrastructure to protect themselves. I have seen many times where the cybersecurity budget has magically increased following a cyber security incident.
Password change policies - say no more, virus checkers - slowing down workstations for minimal benefit, internet access filtering - Businesses doing deep packet inspection on the off chance that one of the staff members might bring in something nasty.
The cost in time and frustration is over the top and the benefit is mostly around perception.
The reality is, that if somebody wants to compromise your security, they will find a way. The chances are that it has already happened and you have no idea about it.
I'm not advocating do nothing, but there needs to be an understanding that most of the measures taken these days are patches put in place for broken software, incorrect configuration and poor user education.
Chances are if its already happened and you haven't detected that it has, then you've really not taken cybersecurity seriously.
> virus checkers - slowing down workstations for minimal benefit.
Being able to stop known malware is a significant benefit.
> internet access filtering - Businesses doing deep packet inspection on the off chance that one of the staff members might bring in something nasty.
Doesn't have to be DPI, being able to say "hey this porn is not okay during work" is absolutely fine. Especially if there's malware out there that redirects you around to sites you might not want your customers to see.
> The reality is, that if somebody wants to compromise your security, they will find a way.
That's such a lie by omission, there's a lot of unsophisticated spray-n-pray type of attacks out there.
> > virus checkers - slowing down workstations for minimal benefit.
> Being able to stop known malware is a significant benefit.
Having been part of a malware debacle that essentially circumvented two different av/malware tools it's hard for me to find a pragmatic balance to the year's worth of absolute hell the tooling caused to the systems I'm responsible for. (Log bombing, HDD I/O stackups, chained immune responses and deadlocks to literally nothing) +25% or more resource consumption _just_ to keep the AVs happy.
Couple that with needlessly aggressive IT policy (see Mordac, the preventer of IT services on steroids)
There's got to be a better way, but maybe this is the new normal.