A great deal of security writing is about preventing breaches. This seems pretty sensible at first glance – after all, isn’t that what security is?
But when you think about it for a little longer, you begin to see some cracks. Let’s just remind ourselves that “cyber”-security is just part of an overall security picture. It’s a spectrum all the way from protecting physical assets – and people – through to defending the intangible. And what that means is that everyone is actively enforcing security controls. Because even if you have no cyber-security at all – in which case please do get in touch, my rates are very reasonable – I’ll bet you have door locks.
So here’s the thing. Do door locks prevent burglary?
No. All the door locks, hinge bolts, security shutters, alarms and CCTV in the world won’t prevent someone who’s really determined to get into your building. In reality these are all deterrents; they’re trying to make it less likely that your building will be selected as a target. Of course, they also advertise that you have something to protect; there’s a balance to be struck.
Out in the real world, we accept that at some point being burgled, or being in a car accident, or getting ill is inevitable. So we have insurance; we wear seatbelts; we make wills. This doesn’t mean we’re actively seeking those consequences – we still lock our doors, drive with care and take our vitamins – but we do accept that these things will happen.
We’re not so good at that in cyber-security. We’re still preaching the language of prevention – and with good reason, since most businesses barely lock their metaphorical doors, certainly don’t drive cautiously and are mostly intestate. The trouble is that even with the best security money can buy, your business is more likely to have a cyber-security breach than it is to get burgled.
There are many reasons for that enhanced risk:
The attack surface is much greater. Your house only has a few entrance points, and only a few people are trusted with the keys. Your network has a myriad of vulnerabilities and everyone using it has a password.
The level of threat is higher. We don’t have automated burglaries, yet. However many conventional crooks there may be, each one can only rob at most a few houses a day. One cyber-criminal can send millions of phishing emails, launch hundreds of thousands of vulnerability scans and infect tens of thousands of browsers with drive-by malware in a few mouse clicks, with plenty of time left over for ordering another batch of stolen credit cards from their favourite darknet site.
Most people know how to work a house. By the time we’re given the responsibility, most of us can manage to turn the hob off, shut the windows and lock the door. And we probably think we’re too sensible to let the smooth-talking con man in. Funny how most of that good sense seems to go out of the window when it comes to IT, isn’t it?
The authorities are of little help. By and large the police and the justice system do a reasonable job of coping with real-world crime. But the police themselves admit that they can’t cope with cyber-crime – and we’re talking here about the most serious kinds, child exploitation for example – so imagine how well they’re dealing with the script kiddie who’s trying to turn your web server into a spambot right now.
And all of this is just stretching a metaphor to talk about exogenous intentional risk. I’ve not really touched on all the other things that can go wrong – insider risks, negligence, natural disasters – all of which are equally difficult to prevent.
Back to the point: in the real world, we don’t just deter, we mitigate. We accept in advance that the things we are trying to prevent may – or will – happen anyway, and we prepare for the consequences. We’re not so good at that in cyberspace. Because IT kit used to be pretty unreliable, and the results of a disk failure are severe, most organisations have some kind of back-up in place. You’d be surprised how few test it frequently, though. And a back-up is usually all there is. Oh, and a firewall that someone installed three years ago, presumably dusting their hands afterwards and walking away whistling with the serene expression of a job well done, never to look at it again.
What most businesses don’t have is any kind of co-ordinated plan for responding to security incidents. If they have resilient systems, they probably haven’t considered that in a security breach those systems will be just as compromised as the primary installation. They don’t have communications plans either, whether for alternative internal co-ordination or for dealing with the outside world and the press. They may have business interruption insurance – and the government is now proposing data breach insurance for the first time – but no idea what they’d spend the money on if they made a claim. Many have no intrusion detection or logging, so if they are compromised, they won’t know where, when, how extensively or by whom. Scarily, they may not know they’ve been compromised at all.
The key thing is to recognise that there is no prevention; there is only deterrence. Clearly deterrence is a good thing and not to be discouraged. Nonetheless, bad things will happen; they probably already have. What will you do to minimise their impact? How will you even find out that they’ve happened and how bad they are? How will you compensate and continue to function, and how will you put things back to normal?