
Gambling on cyber-security
Javvad Malik, security awareness advocate at KnowBe4, urges companies seeking a better approach to cyber-security to focus on the root causes of attacks

As many enterprises have undergone a digital transformation, cyber-security has become increasingly important. It is worth remembering, however, that cyber-security is a complex problem and there isn’t any standard way to define, approach, or solve it. In fact, to a beginner, it can be easy to become overwhelmed by the broad range of standards, regulations and expert advice that is provided. And none of it guarantees complete security.
In many ways, investing in cyber-security can feel like spinning the roulette wheel: a blind endeavour on a limited budget, where players must gamble on a buffet of security controls ranging from staff background checks, segregation of duties, authentication, network security, endpoint security and deep packet inspection to behavioural analytics, and so on.
One of the biggest problems with this approach is that there is no way to prioritise which threat is the biggest or most relevant. So, security controls are deployed in a broad manner that is disproportionate to the actual risks.
But even in cyber-security, there are ways to tip the odds in your favour and help you to work out how to put the right defences in the right places while protecting against the right threats – all by simply asking the right questions.
As an exercise, it can be useful to ask your business what it perceives the biggest threat to be. The chances are there isn’t much consistency in the answers. This can boil down to the fact that most companies aren’t relying on their own data to drive security decisions and because of this, there is usually a gap between what they are being told their risks are versus what they actually are.
Add to this the fact that humans, as a whole, are poor at making accurate risk decisions. People might be afraid of flying or sharks, but statistically speaking they are more likely to be injured or killed in a car accident. Mosquitoes, likewise, kill more people in a few days than sharks have killed over the last 100 years.
Find the root cause
To address this, companies should focus on the root causes of attacks as opposed to the threats. What I mean by this is: rather than focusing on ransomware or credential stuffing, focus on the root cause which allowed these threats to manifest in the first place. What you’ll find is that the number of root causes is far smaller than the overall number of threats.
For example, ransomware, corporate espionage and cryptomining are different threats, but they could all have the root cause of phishing. So, implementing technical controls and training staff to detect and report phishing emails will allow a number of threats to be addressed with one control.
Broadly, attacks stem from one of the following root causes:
- Programming bug
- Social engineering
- Authentication attack
- Human error
- Misconfiguration
- Eavesdropping/MitM
- Data/Network Traffic Malformation
- Insider Attack
- Third party reliance issue
- Physical attack
In fact, if you go through any stories of recent breaches, you’ll be hard-pressed to find an incident which didn’t stem from one of these root causes. Looking at incident trends, we see the majority of breaches are the result of social engineering (phishing in particular) and unpatched systems (externally facing). So, by focusing on these root causes, the majority of threats can be thwarted.
If companies are looking for a better approach to cyber-security, my advice would be to draw on external sources of data by all means, but, more importantly, to collect better internal information and threat intelligence, rank risks, collect metrics and use that information to select and deploy root cause defences.
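The approach sketched above (map each recorded incident to one of the root-cause categories, rank the causes by frequency, then pick the controls that address the most incidents) can be carried out on a company's own incident records. The following is an added example, not code from the article or from KnowBe4: the incident records and the control-to-root-cause mapping are constructed for illustration, and the root-cause categories are the ten listed in the article. The control selection is a plain greedy set cover, so it also shows how a fixed number of controls can be chosen to cover the largest share of incidents.

```python
"""Rank root causes from incident records and pick the controls that cover
the most incidents. Added example; data and control mapping are constructed."""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Root-cause categories exactly as listed in the article.
ROOT_CAUSES = {
    "Programming bug", "Social engineering", "Authentication attack",
    "Human error", "Misconfiguration", "Eavesdropping/MitM",
    "Data/Network Traffic Malformation", "Insider Attack",
    "Third party reliance issue", "Physical attack",
}

# Constructed sample incident records: (threat as the business labelled it,
# root cause found in the post-incident review). Hypothetical, not real data.
INCIDENTS: List[Tuple[str, str]] = [
    ("ransomware", "Social engineering"),
    ("cryptomining", "Social engineering"),
    ("corporate espionage", "Social engineering"),
    ("business email compromise", "Social engineering"),
    ("ransomware", "Programming bug"),          # unpatched external service
    ("cryptomining", "Programming bug"),        # unpatched external service
    ("web defacement", "Programming bug"),
    ("credential stuffing", "Authentication attack"),
    ("account takeover", "Authentication attack"),
    ("data leak", "Misconfiguration"),
    ("data leak", "Human error"),
]

# Assumed mapping from candidate controls to the root causes each addresses.
CONTROLS: Dict[str, Set[str]] = {
    "phishing training and reporting": {"Social engineering"},
    "patch management, externally facing first": {"Programming bug"},
    "MFA and credential hygiene": {"Authentication attack"},
    "configuration baselines and review": {"Misconfiguration", "Human error"},
    "physical access controls": {"Physical attack"},
}


def unknown_causes(incidents: List[Tuple[str, str]]) -> Set[str]:
    """Root-cause labels in the records that are not one of the categories.
    A non-empty result means the review data needs cleaning before ranking."""
    return {cause for _, cause in incidents} - ROOT_CAUSES


def threat_and_cause_counts(incidents: List[Tuple[str, str]]) -> Tuple[int, int]:
    """Number of distinct threat labels versus distinct root causes."""
    return len({t for t, _ in incidents}), len({c for _, c in incidents})


def rank_root_causes(incidents: List[Tuple[str, str]]) -> List[Tuple[str, int]]:
    """Incidents per root cause, most frequent first."""
    return Counter(cause for _, cause in incidents).most_common()


def select_controls(incidents: List[Tuple[str, str]],
                    controls: Dict[str, Set[str]],
                    budget: int) -> Tuple[List[str], int]:
    """Greedy set cover: repeatedly choose the control that addresses the most
    still-uncovered incidents, until `budget` controls are chosen or no control
    adds coverage. Returns (chosen controls, incidents covered)."""
    uncovered = list(range(len(incidents)))
    chosen: List[str] = []
    for _ in range(budget):
        best, best_gain = None, 0
        for name, causes in controls.items():  # dict order breaks ties
            if name in chosen:
                continue
            gain = sum(1 for i in uncovered if incidents[i][1] in causes)
            if gain > best_gain:
                best, best_gain = name, gain
        if best is None:
            break
        chosen.append(best)
        uncovered = [i for i in uncovered
                     if incidents[i][1] not in controls[best]]
    return chosen, len(incidents) - len(uncovered)


if __name__ == "__main__":
    assert not unknown_causes(INCIDENTS), "unrecognised root-cause labels"
    threats, causes = threat_and_cause_counts(INCIDENTS)
    print(f"{threats} distinct threats collapse to {causes} root causes")
    for cause, n in rank_root_causes(INCIDENTS):
        print(f"{n:2d}  {cause}")
    picked, covered = select_controls(INCIDENTS, CONTROLS, budget=2)
    print(f"two controls {picked} cover {covered} of {len(INCIDENTS)} incidents")
```

With the constructed records, eight differently named threats reduce to five root causes, social engineering leads the ranking, and the first two controls chosen cover seven of the eleven incidents; swapping in a company's own review data gives the same kind of ranking for its actual risks.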
Javvad Malik is a security awareness advocate at KnowBe4, a blogger, event speaker and industry commentator. Prior to joining KnowBe4, he was a security advocate for AlienVault and a senior analyst at 451’s Enterprise Security Practice (ESP). Prior to joining 451 Research, Malik was an independent security consultant, with a career spanning 12+ years working for some of the largest companies across the financial and energy sectors.