You read the title of this post correctly. Maybe it should be "most people don't care about cybersecurity," but you get the point. It's a reality that those of us responsible for securing our organizations know but don't like to acknowledge, because it leads to a tough question: if people don't care, then what is all of this for?
Customer apathy shapes business decisions. You don't see large swaths of people holding companies accountable after a breach; in fact, in many cases stock prices rebound not long after one. Some even argue that shipping insecure software is still a net win compared with the potential negative impacts it creates. That argument rests on a skewed and superficial reading of the customer, not on the reality of the situation.
So, should we all change professions and try our hands at being celebrity chefs? If you are like me and have a weak flambé, we should take a closer look at the situation.
Why people don’t care
It’s essential for us to have a look at the conditions that create this apathy in customers. Understanding these issues makes framing potential solutions easier.
Here are the major ones:
- Delayed effects
- Short attention span
- Numb to breach occurrence
- Good detection and recovery
Delayed Effects
The effects of a breach aren't felt immediately. Of course, this assumes the attack doesn't delete all of your data, and by your data, I mean your customers' data.
When compromised data is used for fraud or a follow-on attack, that use typically comes much later. Tying a specific instance of abuse back to a specific breach is hard for a consumer, and in the meantime their data may have been exposed in several other places as well. So whom does the consumer blame?
Short on Attention
People today live under a constant bombardment of content, all competing for their attention, on top of the professional and personal priorities they already have. They can be mad at a hotel chain for a breach one day and book a stay with points the next. With the perception that too much is already on their plate, only the most egregious incidents stay top of mind.
For perspective, people are more likely to hold a grudge against a restaurant where they had a bad experience than against the credit company that lost enough of their data for a criminal to commit identity theft.
Numb to Breaches
People have gotten numb to breaches. High-profile breaches have become a regular occurrence, and lower-profile ones even more so. The sheer number of them has a numbing effect, so news of a new one results in little more than a sigh and an eye roll.
Good Detection and Recovery
Companies have gotten good at detection and recovery after a breach. Think of your bank calling you when it notices some odd transactions, or a breach notification from another company offering free credit monitoring. Most often the customer doesn't have to take much action at all and encounters only a mild inconvenience. Note that this works for harm that can be reversed, such as a fraudulent card charge; it does nothing to undo the disclosure of the data itself.
A Dangerous Road
If your customers don't care about security, then security becomes a hard sell to management and other business units. On the surface, deprioritizing it makes business sense, but letting security priorities slip is a dangerous road. A lack of prioritization and focus on security initiatives opens doors for malicious actors that go far beyond the superficial impact of a data breach. Here are just a few areas to consider.
Autonomous Systems
Autonomous systems make decisions without human interaction. The integrity of the data these systems consume is paramount, because tainted data can cause the system to make the wrong decision. Think of a drone attacking the wrong target, or an automated trading algorithm triggering a mass selloff of stocks.
Injury or Death
Building off the previous point about autonomous systems, systems that can kill us are becoming more common. Medical implants, self-driving cars, industrial systems, drones, and countless others that aren't obvious to consumers have the potential to affect their health and wellness. It shouldn't take a breach causing large-scale death for people to begin caring. Unfortunately, that may very well be what it takes.
Funding Criminal Activity
Stolen data and compromised systems have monetary value to criminals. Their motivations vary, but a compromise of your systems can end up funding or supporting ongoing illegal activity, up to and including terrorism.
Privacy
Losing a customer's data is a breach of privacy. Privacy is already under unprecedented pressure from deliberate, shady data practices, and unauthorized disclosure makes it worse. On this front, I think there is some hope. Not only has the importance of privacy been elevated by regulation such as GDPR, but younger people seem to care about it more as technology becomes less of a novelty and more something that has always been part of their lives.
Long-Lived Technology
In my Black Hat Europe presentation last year, I spent some time talking about how the technology created today will be with us tomorrow, possibly long after its support cycle ends. You aren't likely to upgrade your refrigerator or car at the same frequency as your phone or smartwatch. Tons of low-cost devices are spreading across the planet that will affect our security posture for years to come.
What can we do?
So if all of this is a problem, then what can we do to ensure we are protecting our organizations both now and in the future?
Not be part of the problem as an organization
Every breach we suffer adds to a sea of already-compromised data, making it hard to determine where any given record came from, except when an attacker advertises the source for their own marketing purposes. Not adding to that sea is the minimum we owe our customers.
Avoid the top-down approach
Far too often, people feel that security needs buy-in from senior management to drive initiatives through the company. Laboring under this delusion can cause you to miss opportunities. It's true that management support makes things easier, but it isn't the only way to get security initiatives implemented. Buy-in from the bottom up, or across to peers in other business units, can be just as effective, if not more so.
Reduce friction
It shouldn't be a secret that reducing the friction of a solution increases adoption. We all know someone who never locked their phone because entering a passcode was an inconvenience. Their behavior changed with the arrival of Touch ID and Face ID, improving their security posture as a side effect. We should be looking for areas where a reduction in friction could lead to increased adoption.
Regulatory compliance and privacy law
Regulatory compliance is a topic that many in the industry love to hate. It may well take governments and other regulatory bodies getting involved to effect broader change. Although the effectiveness of such compliance measures can be debated, these requirements at least force security discussions that would not otherwise happen.
It may take an incident that causes multiple deaths or a substantial financial impact to get the average consumer to care about cybersecurity, but we as security professionals can't let that guide our decisions. Are we okay with allowing people to die before we take a problem seriously? We need to be proactive, find creative ways to get our solutions adopted, and look for areas to reduce friction before it's too late.
Nathan has presented his research at global security events including Black Hat, DEF CON, HOPE, ShmooCon, SecTor, ToorCon and many others. He is also a member of the Black Hat review board where he evaluates research for inclusion into the various conferences around the world.