The Security Conversation has to change.
Unknowingly, we (humans in business and elsewhere) create a scenario that prevents us from being more secure.
Our psyche seeks risk when confronted with loss decisions but seeks safety when confronted with gain decisions.
This has been studied (see the previous post as well) and holds for 70% of the population.
So what does that mean, especially when decision makers do not understand Cybersecurity anyway? Let's dissect this "Seek risks when confronted with loss".
In Cybersecurity a 'loss' usually means a breach, ransomware or some other calamity. But those don't happen every day, and in fact a security event usually goes unnoticed for months. So everything looks like it's going fine. The people who spend money to prevent an attack are fewer in number than the people who are betting that it will not happen to them.
WHY SHOULD I SPEND MONEY ON CYBERSECURITY?
The consumer bets that nothing will happen (the risk) rather than give out hard-earned money for a day that 'might' happen.
The Cybersecurity industry constantly yelling from the rooftops about the xyz vulnerability that will take down the network is also to blame, i.e. the man crying wolf one too many times.
This human psychology is a false bravado and a false argument.
Bad Cybersecurity practices will make you become a casualty of Ransomware and other maladies sooner rather than later.
The criminal hackers are having a field day with the malaise of the users and administrators.
(Following image from Derbycon6.0 Recharge Adrian Crenshaw videos)
So where do we need to be? "What is Your Budget in Unforeseen Attacks" is a good starting post.
To save you from reviewing it: the post recommends spending 10% of your time and resources on Cybersecurity on a regular basis, since it is a good idea to learn new things. Imagine yourself in the future with a better understanding of Cybersecurity; you will then incorporate Cybersecurity within everything you do. We need to become better at Cybersecurity as a whole.
Sure, I can also say hire pentesters to test your newfound acumen, but you would already know that now that you are more Cybersecurity aware.
Becoming compliant is one thing, but being “CyberSecure” is another.
And that is where we truly need to get to – we need to be Cybersecure all the time (but we are not there yet).
Due to human psychological failings, a certain share of the population will always be insecure. And since the hackers are getting better every year while the insecure person is not, there will be a bountiful harvest of potentially hacked devices for the criminal hacker until the numbers are switched.
Only if we can turn the numbers around, i.e. 90% are safe or "hard to hack", will the criminal hacker have a hard time operating. Until then the criminal hacker has it easy and is making thousands of dollars on our general malaise.