March 22, 2021
“We don’t need to comply with a standard.”
“We are not going to worry about those changes right now.”
“We were told by someone that this won’t affect us for many years to come.”
“We aren’t vulnerable, no one wants what we have.”
“I think our IT guy has us covered; he has been reading up on those attacks.”
“I’m pretty sure we are already compliant, we had an audit a few years ago.”
“I will worry about it when it happens to us.”
“I just downloaded this new app and it wanted permission to use my bank information.”
“The rep said they would delete all of my files if I didn’t pay them.”
“I don’t have a computer, just my smartphone.”
Even though headlines on social media and major news networks cover cyberattacks and data breaches daily in the 2020s, we in cybersecurity still face a daunting task:
Overcoming the "It Can Wait" Mentality of Stakeholders Around the Globe
The dilemma we face today is that adjustments to risk tolerance cost money, while incidents resulting in lost or stolen data also carry a price tag—but the cost of a breach is not always worse than the cost of a robust cybersecurity program. Some of the hesitation begins here.
The antiquated mentality of ‘if it’s not broke, don’t fix it.’
That might be fine if we were living in the “pre-internet” age, but it is detrimental in the current threat landscape. Leaving something alone because it is not broken does not work anymore. Look at the vulnerabilities that hit the front door the day a system or piece of software goes end of life—think Windows 7 and Adobe Flash. Many of us can probably name an acquaintance, client, or friend still using these systems or software. How many companies still run on end-of-support (EOS) or end-of-life (EOL) systems? Too many. Far more than any of us want to count, and probably a lot more than anyone can reasonably estimate. Wherever this mantra is used, there is likely a machine within walking distance that hosts vulnerabilities waiting to be exploited.
These ways of thinking only add to the complexity of the ever-evolving cyber-based world we inhabit. Long gone are the days of criminals robbing banks in person; it is hardly as fruitful as committing crimes over the internet and exploiting the unaware.
The untrained user is as dangerous as a bank with open vault doors.
There has been a lot of focus on user awareness training and certain vectors of attack, like social engineering, but these are far from programs with mainstream outreach. We are at a crossroads, one at which we must choose our path carefully and tread cautiously.
For the business in doubt of the ROI of a cybersecurity program, the value extends beyond a dollar amount.
Consider the loss of trust in a brand, the lawyer fees, the settlement dollars, and the employees that a business may no longer be able to support after such a heavy loss of revenue. These things represent the figurative ‘mud’ that a business will be dragged through before recovering, if it recovers at all. This is the world that we live in: businesses lost entirely because of someone behind a keyboard on the other side of the world, or a disgruntled employee looking to make a statement against an employer they despise. Whatever the case, businesses must take a long, hard look at these realities. Gone are the days of honor systems and widespread trust; the era of zero trust and security protocols is upon us.
For the individual still struggling to wrap their head around cybersecurity and the implications of an attack, we are here, and we want to help. We as a community of security professionals must come to embrace those who are most vulnerable. The people of the world need us; they simply are not ready. It is time that we push to be active in our communities, because it is through these gaps that greater threats are born and spread throughout the areas we serve.
Community Awareness & Training is the First Step to a More Secure World
When we are able to stall cybercrime and prevent attacks that were completely avoidable in the community, we can rest easy knowing we served a mission bigger than our own small circles and niches. Only then can we truly say we have advanced our profession and made the world a better place.
So now it is up to us. I challenge everyone in the cybersecurity community to make a difference in their own community: to bring awareness and training to the vulnerable and help make cybersecurity a reality, in turn helping to shape a more secure future. Our mission is colossal, our goals are attainable, and our efforts must be stalwart. The future is in our hands.