While recent Federal Government investments in cyber security training and resources are a step in the right direction, there’s an alarming trend in the way some Australian organisations are reacting to cyber attacks.
Most often, when a data breach occurs, the C-suite demands to know the potential impact, the time to resolution and the cost.
Meanwhile, the security team scrambles to answer those demands.
A new security tool that promises a fix but delivers only a superficial one is suggested and quickly approved, and the matter is considered resolved, at least in the short term.
This kind of reflexive response to a data breach is security theatre, a term coined by security expert Bruce Schneier.
It’s the practice of organisations or security teams implementing superficial measures that create an atmosphere of safety but, in reality, do very little to improve the situation.
It simply elicits a feeling of security.
Imagine installing a dummy home security camera that neither records nor broadcasts footage - it provides the illusion of security but won't stop a thief climbing in through a window.
In cyber security, attackers aren't going to shy away at the sight of a firewall the way a thief might at the sight of a dummy camera.
Cyber criminals are efficient in their approach, too.
They'll simply find another system, one still running unpatched software, and use it to get into the network.
Given how fast technology moves and how rampant cyber attacks have become, it is easy for Australian organisations to fall into security theatre.
Doing something is better than nothing, right?
Not if the 'solution' is poorly constructed, because going through the motions without getting to the bottom of the problem will eventually catch up with the organisation and cost it more in the long term.
Throwing money at the problem
Let's be honest, the cybersecurity industry feeds off fear-mongering, and this is demonstrated in the millions of dollars businesses are told to invest in shiny new tools that only touch the edges of the problem.
Building your fortress walls out of gold won't make your infrastructure more secure; it just makes it more expensive.
A global survey by IBM found that organisations' ability to combat attacks has not improved despite increased investment in cybersecurity.
The most crucial thing to understand about the threat landscape is that, more often than not, successful attacks by cybercriminals exploit known but unpatched vulnerabilities.
Even sophisticated state actors are taking advantage of this.
Before throwing money at the problem, organisations need to get the basics of cyber hygiene right.
Keeping systems patched, enforcing multi-factor authentication and using encryption may seem basic, but they go a long way towards preventing breaches.
Making critical decisions based on hype
“Headline” flaws tend to be the ones that attract the most attention from the C-suite, putting pressure on security professionals to respond even if the threat to the business is low.
A review of high-profile vulnerabilities in 2020 revealed that not every high-risk vulnerability was given a name and a logo.
Conversely, not every vulnerability with a name and a logo should be treated as high-risk.
With over 18,000 vulnerabilities reported in 2020, finding and fixing every one of them is impossible, and attempting to do so only wastes time and budget.
Security teams need to focus on the real risks that affect the business rather than on perceived risk.
No way of measuring the millions invested
You've invested a million dollars in new AI technology but have no way of measuring whether your cyber risk has gone down.
Apart from not getting your million dollars back, you don't know whether your organisation is more or less exposed to cyber risk than it was before you deployed the new tool.
An effective cyber security program should be able to measure success by risk reduction.
Remediation actions should be prioritised to reduce the organisation’s cyber exposure.
Security leaders should view, validate and prioritise the vulnerabilities that are critical to the business, taking into account the context in which each vulnerability sits: which asset it is on, how exposed that asset is, and whether a working exploit exists.
Patching and remediation are critical, but equally important are follow-up testing and quality assurance reviews to confirm that a fix actually closed the gap.
Done this way, security leaders can provide clear reporting metrics and a credible analysis of the program's effectiveness.
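To make the two preceding points concrete (a "headline" flaw is not automatically the biggest risk, and a program should be able to report risk reduction rather than money spent), here is an added illustration in Python. It is not code from this article or from Tenable's products; the scoring weights, the assets and the findings are constructed assumptions chosen to show the idea. Each finding is scored by CVSS multiplied by exploit maturity, asset criticality and exposure, while a name and a logo carry zero weight; a fix only reduces reported exposure once follow-up testing has verified it.

```python
"""Risk-based prioritisation and risk-reduction measurement.

Added illustration, not the article's or Tenable's own code.
All weights, assets and findings below are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed weights (assumptions): exploit maturity and where the asset sits
# matter; press coverage of the bug does not.
EXPLOIT_WEIGHT = {"weaponised": 1.0, "poc": 0.6, "none": 0.3}
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "isolated": 0.2}
HYPE_WEIGHT = 0.0  # a name and a logo add nothing to the score


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int  # 1 (low) .. 5 (business critical); assumed scale
    exposure: str     # "internet", "internal" or "isolated"


@dataclass
class Finding:
    ident: str        # placeholder label, not a real vulnerability identifier
    asset: Asset
    cvss: float       # 0.0 .. 10.0
    exploit: str      # "weaponised", "poc" or "none"
    has_logo: bool = False
    fixed: bool = False     # remediation applied
    verified: bool = False  # rescan / QA review confirmed the fix

    def score(self) -> float:
        """Contextual risk: CVSS x exploit maturity x criticality x exposure."""
        contextual = (self.cvss
                      * EXPLOIT_WEIGHT[self.exploit]
                      * (self.asset.criticality / 5)
                      * EXPOSURE_WEIGHT[self.asset.exposure])
        return round(contextual + HYPE_WEIGHT * self.has_logo, 2)


def prioritise(findings):
    """Highest contextual risk first; raw CVSS would order these differently."""
    return sorted(findings, key=lambda f: f.score(), reverse=True)


def exposure(findings) -> float:
    """Open risk. A fix only counts once follow-up testing has verified it."""
    return round(sum(f.score() for f in findings
                     if not (f.fixed and f.verified)), 2)


def risk_reduction(findings) -> dict:
    """Program metrics: exposure before and after verified remediation."""
    before = round(sum(f.score() for f in findings), 2)
    after = exposure(findings)
    return {
        "before": before,
        "after": after,
        "reduction_pct": round(100 * (before - after) / before, 1) if before else 0.0,
        "fixed_but_unverified": [f.ident for f in findings
                                 if f.fixed and not f.verified],
    }


def sample_findings():
    """Constructed inventory (assumption), fresh copy each call."""
    payments = Asset("payments-api", criticality=5, exposure="internet")
    intranet = Asset("intranet-wiki", criticality=2, exposure="internal")
    lab = Asset("lab-vm", criticality=1, exposure="isolated")
    return [
        # The "headline" flaw with a logo: top CVSS, no public exploit, lab box.
        Finding("F1", lab, cvss=9.8, exploit="none", has_logo=True),
        # The unglamorous bug: lower CVSS, weaponised, internet-facing and critical.
        Finding("F2", payments, cvss=7.5, exploit="weaponised"),
        Finding("F3", intranet, cvss=8.1, exploit="poc"),
    ]


if __name__ == "__main__":
    findings = sample_findings()
    for f in prioritise(findings):
        print(f.ident, f.asset.name, "cvss", f.cvss, "score", f.score())
    print("baseline:", risk_reduction(findings))
    findings[1].fixed = True            # patched F2 but no rescan yet
    print("patched, unverified:", risk_reduction(findings))
    findings[1].verified = True         # rescan confirms the fix
    print("patched, verified:", risk_reduction(findings))
```

Run as-is, the ordering puts the weaponised bug on the internet-facing payments system first and the logo'd 9.8 on the isolated lab box last, and the reported exposure only drops after the fix is verified. The weights are deliberately simple; the point is that whatever model an organisation uses, it must produce a number that can be compared before and after a change, or the spend cannot be justified.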
Security theatre is a false economy
The cyber risk we face today is more than a technical one.
It is political, social, economic and physical.
That is why cyber security cannot be addressed by merely scratching the surface of the problem.
Doing so is costly and is not an effective use of already strained resources.
Cybersecurity needs to be handled rationally.
To defend your organisation, foundational cyber hygiene, the ability to distinguish real from perceived risk, and a way to measure the program's effectiveness are elements that cannot be compromised.
Continuing to indulge in security theatre is a false economy.
Break out from this vicious cycle now.
Gary Jackson is vice president for Asia Pacific at Tenable, a company helping organisations around the globe understand and reduce cyber risk. His career spans more than 40 years in the technology industry, previously holding various regional vice president roles with Cisco Systems, EMC, and Aruba Networks.