Even the best hardware and software security can be undermined by poor security awareness and culture, argues this expert.

Cybersecurity is a complex problem and there is no standard way to define, approach or solve it. In fact, to a beginner, it can be easy to become overwhelmed by the broad range of standards, regulations and expert advice that is provided.

Businesses can invest heavily in tools and protection but none of it guarantees complete security. In many ways, investing in cybersecurity can feel like spinning the roulette wheel—a blind endeavor based on a limited budget where players must gamble on a buffet of security controls ranging from staff background checks, segregation of duties, authentication, network security, endpoint security, deep packet inspection, behavioral analytics and so on and so forth.

One of the biggest problems with this approach is that there is no way to prioritize which threat is the biggest or most relevant. So, security controls are deployed in a broad manner that is disproportionate to the actual risks.

But even in cybersecurity, there are ways to tip the odds in your favor and help you to work out how to put the right defenses in the right places while protecting against the right threats: all by simply asking the right questions.

As an exercise, it can be useful to ask your business what it perceives the biggest threat to be. The chances are there is not much consistency in the answers. This can boil down to the fact that most organizations are not relying on their own data to drive security decisions, and because of this there is usually a gap between what they are being told their risks are versus what they actually are.

Employees: your weakest link

To address this, organizations should focus on root causes of attacks as opposed to the threat.

What I mean by this is, rather than focusing on ransomware or credential stuffing, focus on the root cause that allowed these threats to manifest in the first place.

What you will find is that the number of root causes will be significantly less than the overall number of threats. In addition, you will find that your employees are the weak link that allow the majority of these root causes into your organization.

For example, ransomware, corporate espionage and crypto mining are different threats, but could all have the root cause—phishing. So, while investing in and implementing technical controls is necessary, it is not enough unless you are also training staff to detect and report phishing emails to help make them into your last line of defence.

A concise list of root causes can be:

  • Programming bugs
  • Social engineering
  • Authentication attack
  • Human error
  • Misconfiguration
  • Eavesdropping / Man-in-the-middle
  • Data / Network Traffic Malformation
  • Insider attack
  • Third-party reliance issue
  • Physical attacks

In fact, if you go through any stories of recent breaches, you will be hard-pressed to find an incident which did not stem from one of these root causes. Looking at incident trends, we see the majority of breaches are the result of social engineering (phishing in particular) and unpatched systems (externally facing). So, by focusing on these root causes, the majority of threats can be thwarted.

Fostering the right culture

Having a strong security culture is also an important consideration in an organization’s cybersecurity strategy. According to a recent security culture report, while some industries such as banking, financial services and insurance fared significantly better than education, transportation and energy & utilities, there was still much improvement by organizations to ensure that employees see the seven dimensions of security culture (attitudes, behavior, cognition, communication, compliance, norms and responsibilities) as critical to safeguarding the organization.

For a better approach to cybersecurity, my advice would be to absolutely take external sources of data, but more importantly, collect better internal information and threat intelligence, rank risks, collect metrics and use that information to select and deploy root-cause defenses and ensure that you continue to nurture a strong security culture within your organization.