To Improve Cybersecurity, Assume Vulnerability
A. Khedron de León, Senior Technical Writer, HYPR
5 Min. Read | September 15, 2022
One struggle continues to rear its head in cybersecurity: adopting a mindset that assumes vulnerability. Understanding the nature of vulnerabilities allows a company to address them proactively. Google understood that phishing was a preventable problem and famously rolled out FIDO security keys to its workforce to good effect; by its own account, its employees have not been successfully phished since. But that choice is the exception rather than the rule.
Thus far, market adoption of cybersecurity best practices has been an exercise in corrective maintenance, not preventive maintenance. Among SMBs that have implemented MFA, most have not made it a requirement. Free credit monitoring is a poor anesthetic for the sting of a stolen identity, and does nothing to stop someone from using that identity to compromise your accounts. Implementing a robust security plan after you have paid a hefty ransom does not protect the customers whose data has already leaked.
Culpability is slippery; the prevalence of password reuse across sites gives most companies enough deniability to come away blameless. Perhaps that is why, according to the HYPR 2022 State of Passwordless Report, almost two-thirds of companies that weathered an attack did absolutely nothing to change their security model afterwards. The company does not suffer much, but affected individuals are left with a choice: plow forward knowing that their PII is now a commodity they no longer control, or reset their lives, often with the foreknowledge that choosing a careless data steward in the future will lead to a repeat ordeal.
Don’t Talk About Breach Club
Breach costs include everything from operational costs, to employee hours lost to liaising with the authorities, to reputational damage, to loss of stock value and loyal customers, and plenty more beyond that list. The total cost associated with a reported breach has risen steadily, while ransomware payout demands have dropped. If it were solely a matter of money and headache, capitulating to the ransom looks significantly cheaper than reporting the cybercrime and then being fined for the security failures the investigation uncovers. Attackers do their research before picking targets, and are likely aware that they are the less expensive option.
Cyber insurance can be its own worst enemy, as hackers know that you’ll be good for the quid. To make matters worse, it’s often in the interest of the insurance company to encourage a speedy payout, as the passage of time bloats secondary costs literally by the minute. But if you pay once, you’re on the map, making you a more likely target for repeat attacks. And your premiums will likely rise.
Such reluctance to admit to poor security models leaves others vulnerable until the issue comes to light, which may mean months or even years of undisclosed vulnerabilities. Typhoid Mary refused to believe that she was ill and infecting others, and she carried a disease that spread only through personal contact. The ripples grow exponentially when the contagion spreads over the internet at the speed of computers. Passwords make it easier still.
The Payment Card Industry Data Security Standard (PCI DSS) came about when the major card brands set aside their need for proprietary safeguards and recognized that the same level of protection was warranted across the board. The evolution of malware pushed this to the fore, and although PCI DSS compliance is not a matter of law, any bank, merchant or processor that wants to do business with the card brands has clearly defined criteria to meet.
The COVID-19 pandemic drove a huge jump in the number of remote workers and a coincident rise in cyber vulnerability. Not coincidentally, remote work is the primary driver of companies' desire for a secure solution: 86% of organizations report it as their number one passwordless use case.
Not least among them is the US Government (USG), exposed by the now-infamous SolarWinds breach, whose effects are still being felt and which by all accounts will have implications for decades to come. Attacks on US nuclear weapons systems have already succeeded; the dire state of USG cybersecurity relative to that of some other world powers has even been cited as a reason for resignations. It was not until the eve of heavy US involvement in the Russia-Ukraine conflict that the USG issued its Zero Trust overhaul plan.
There are many others like these examples: always after the fact, in reaction.
It is far less expensive to plan for vulnerability and implement simple solutions up front. The simplest foil to ransomware is to keep regular backups and encrypt your data: an encrypted copy is useless to an extortionist who steals it, and if attackers encrypt your files again, a restore undoes their handiwork. Two caveats apply. Backups must be kept offline or on immutable storage, since ransomware that can reach a connected backup will encrypt or delete it first, and they must be restore-tested before they are needed. Encryption at rest also protects stolen data only while the attacker cannot use the keys; a process running as a logged-in user can usually read transparently encrypted files. For SMBs this can be as simple as a removable encrypted drive that is disconnected between backups, but for large enterprises it quickly becomes muddy water.
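The backup-verify-restore cycle described above, as an added example in Python that is not code from the article or from HYPR: snapshot a directory into an archive with a SHA-256 manifest, simulate an encryptor overwriting every file, detect the damage against the manifest, and restore from the archive. The file names and contents are constructed for the demonstration; encryption of the archive itself and its placement on offline or immutable storage are assumed to be handled by the storage layer and are not shown.

```python
# Added example (not from the article): integrity-checked backup and restore
# using only the Python standard library. Sample data below is constructed.
import hashlib
import json
import os
import shutil
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src_dir, archive_path):
    """Archive src_dir and return a manifest {relative_path: sha256}.
    The manifest is the known-good state later used to detect tampering."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    return manifest


def verify(tree_dir, manifest):
    """Return the files that are missing or whose hash no longer matches."""
    bad = []
    for rel, digest in manifest.items():
        full = os.path.join(tree_dir, rel)
        if not os.path.exists(full) or sha256_file(full) != digest:
            bad.append(rel)
    return sorted(bad)


def restore(archive_path, dest_dir):
    """Extract the archive over dest_dir, then re-verify against its manifest."""
    with tarfile.open(archive_path, "r:gz") as tar:
        # Python 3.12+ supports a safe extraction filter; older versions do not.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest_dir, **kwargs)
    with open(archive_path + ".manifest.json") as f:
        manifest = json.load(f)
    return verify(dest_dir, manifest)


def simulate_ransomware(tree_dir):
    """Stand-in for an encryptor: overwrite every file with random bytes.
    Pure simulation; no real cipher, just destructive overwrite."""
    count = 0
    for root, _, files in os.walk(tree_dir):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "wb") as f:
                f.write(os.urandom(os.path.getsize(full) + 16))
            count += 1
    return count


def run_demo():
    """Full cycle on constructed data; returns counts for each stage."""
    work = tempfile.mkdtemp()
    try:
        data = os.path.join(work, "data")
        os.makedirs(os.path.join(data, "finance"))
        samples = {  # constructed sample files
            "readme.txt": b"quarterly notes\n",
            "finance/ledger.csv": b"date,amount\n2022-09-01,100\n",
            "finance/payroll.csv": b"name,net\nalice,1\n",
        }
        for rel, content in samples.items():
            with open(os.path.join(data, rel), "wb") as f:
                f.write(content)
        archive = os.path.join(work, "backup.tar.gz")  # in production: offline copy
        manifest = snapshot(data, archive)
        clean_before = verify(data, manifest)
        hit = simulate_ransomware(data)
        damaged = verify(data, manifest)
        after_restore = restore(archive, data)
        return {
            "files": len(manifest),
            "clean_before": len(clean_before),
            "encrypted": hit,
            "damaged": len(damaged),
            "damaged_after_restore": len(after_restore),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

The manifest must travel with the offline copy rather than sit beside the live data; an attacker who can encrypt the data can rewrite a manifest stored next to it just as easily.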
Then there is the human factor: the majority of breaches involve human error, whether clicking a dangerous link, leaving a desktop unlocked or being duped by social engineering. Employee security training can be the difference between a good cry and a good laugh after reading a phishing email. Hiring security professionals can be pricey, but they are still a bargain compared to high ransom payouts and possible fines.
Shared secrets are antiquated, and we would go as far as to say obsolete, as a means of protecting computers. Lost or forgotten passwords lower productivity. A secret of any sort can be stolen and replayed for nefarious purposes. Implementing a passwordless multi-factor authentication (MFA) solution removes shared secrets from the login flow entirely and takes the most common human error, a password typed into a look-alike page, off the table: with a FIDO credential there is no password to type, and the credential is bound to the legitimate site, so an assertion made on a phishing page is rejected by the real service.
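The origin binding that makes a FIDO credential phishing-resistant, both in the Google deployment mentioned at the top of the article and in the passwordless MFA described here, comes down to a few relying-party checks on each WebAuthn assertion. The following is an added example in Python, not code from the article or from HYPR: the names example.com, login.example.com and the lure domain are assumed, the messages are constructed, and the signature verification over the returned bytes is assumed to follow with the stored public key and is not implemented.

```python
# Added example (not from the article or HYPR): relying-party checks that make
# a FIDO2/WebAuthn assertion phishing-resistant. Hypothetical names throughout.
# The cryptographic signature check over `signed_bytes` is assumed to follow.
import base64
import hashlib
import json
import os
import struct

RP_ID = "example.com"                                          # assumed RP ID
ORIGIN = "https://login.example.com"                           # assumed origin
PHISH_ORIGIN = "https://login.example.com.secure-verify.test"  # constructed lure


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """What the authenticator emits for an assertion: sha256(rpId) | flags | counter.
    Flags 0x05 = user present + user verified; counter is 32-bit big-endian."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + struct.pack(">I", sign_count)


def client_data_json(challenge: bytes, origin: str) -> bytes:
    """Built by the browser, not by page script. The authenticator signs its hash,
    so the origin the page was really loaded from ends up under the signature."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def verify_assertion(auth_data, cdj, expected_challenge, expected_origin, rp_id, last_count):
    """Checks the RP performs before verifying the signature. Returns (ok, reason)."""
    cd = json.loads(cdj)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch: stale or replayed assertion"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: assertion was made on %r" % cd.get("origin")
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another site"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    count = struct.unpack(">I", auth_data[33:37])[0]
    if count != 0 and count <= last_count:
        return False, "signature counter did not increase: possible cloned authenticator"
    signed_bytes = auth_data + hashlib.sha256(cdj).digest()  # verify the signature over this
    return True, "ok: %d bytes under signature" % len(signed_bytes)


def run_scenarios():
    """Four constructed logins; only the first should be accepted."""
    challenge = os.urandom(32)      # fresh per ceremony, remembered server-side
    old_challenge = os.urandom(32)  # a challenge from an earlier, captured login
    return {
        "legitimate": verify_assertion(authenticator_data(RP_ID, 11),
                                       client_data_json(challenge, ORIGIN),
                                       challenge, ORIGIN, RP_ID, 10),
        # Victim lands on the lure; the browser truthfully records the lure's origin.
        # (A real browser would also refuse to use rpId example.com there, so the
        # rpIdHash would fail as well; the origin check alone is enough.)
        "phished": verify_assertion(authenticator_data(RP_ID, 11),
                                    client_data_json(challenge, PHISH_ORIGIN),
                                    challenge, ORIGIN, RP_ID, 10),
        # Attacker replays a captured assertion against a new login challenge.
        "replayed": verify_assertion(authenticator_data(RP_ID, 11),
                                     client_data_json(old_challenge, ORIGIN),
                                     challenge, ORIGIN, RP_ID, 10),
        # A cloned key whose counter has fallen behind the server's record.
        "cloned": verify_assertion(authenticator_data(RP_ID, 7),
                                   client_data_json(challenge, ORIGIN),
                                   challenge, ORIGIN, RP_ID, 10),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print("%-10s %s %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```

The contrast with a password or one-time code is the point: those are typed by the user and can be relayed from a lure, whereas here the origin and the rpId hash are produced by the browser and authenticator and covered by the signature, so a phishing page has no way to present an assertion the legitimate service will accept.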
Proactivity begins with the assumption that your company is already vulnerable, even that it has already been breached. Admitting this to yourself is far easier than enduring the scrutiny of the authorities under duress later on, and exploring it can teach you a fair amount about your own security needs and the steps to take for greater peace of mind.