Published On: June 12th, 2015 / Categories: Data Security / 6.8 min read

Your Cyber Vendor Is Lying To You

After three days of the InfoSecurity Europe show in London this week, one thing is certain: the biggest threat to your organisation is the hoody-wearing hacker with his trusty APT. Whether he’s state sponsored, a lone hacktivist or part of a criminal syndicate, this is the man who will breach your fortress and steal your crown jewels.

Actually, no, this is complete BS. And here’s why.

Within the vendor community there is a sad truth, sex sells and boring doesn’t. Whatever the product and whatever the industry, money always gravitates towards the flashy, cool, techy stuff and the more bright lights the better. Nobody got rich selling fruit and vegetables to the overweight and likewise no security vendor (or VC) will get rich being honest with the true state of the threat.

Any employee who has worked for any company knows that the biggest threat to that organisation’s information protection is the behaviour of themselves and their colleagues. Every day, each one is causing a breach, and it’s got nothing to do with China or Russia, whatever your celebrity vendor CISO might tell you. Sit on a train with your business partner and discuss your next meeting. Grab an overpriced coffee whilst you do your expenses on the free Wi-Fi. Email yourself the spreadsheet so you can work on it tonight. Install that browser toolbar so you can remember your latest password. Send that database on a CD using the internal post. Download all your files onto USB before resigning. Breach after breach after breach. It’s not that we’re all being malicious or particularly negligent; we’re just doing what we’ve always done, focused on our work and not on the privacy of someone else’s information.

These may not be the big headline-grabbing breaches that Sony could be proud of, but these are the ones that are continuously puncturing your defences and causing the biggest impact. And you’ll never see it coming. And you’ll never see it happen. The impact is death by a thousand cuts, each one seemingly insignificant and just “normal” day-to-day office activity.

Companies (and careers) fail to thrive, fail to dominate and fail to surprise when everything they hold dear is out in the public domain. Just think about all the information you know about your former employer, your partner’s employer, the stories you heard down the pub, the conversations you heard on the tube and the notepad you found lying in the empty meeting room. You shouldn’t have this information and you know that in the wrong hands it could be damaging.

Forget the malicious insider for the moment, it’s every insider that’s the problem.

The boring solutions that don’t make money will advise you to do the basics. Remove local admin rights, enable employees with better collaboration tools, regular awareness training, that kind of thing. Dull. Dull. Dull. Basic hygiene is boring. It’s no wonder that Mr Vendor is telling you Cyber! APT! China! He wants you to think that 99% of your employees are model citizens and the other 1% are the vicious rogue insiders, implanted by a foreign power wielding weapons of cyber destruction. Mr Vendor wants you to believe you’re at war. You’re the good guys defending against the evil power. It’s you versus them. White Hat versus Black Hat. There is no shade of grey. In the midst of the battle you need the magic shield that only they can provide.

Take any major headline-grabbing breach, such as the one on Sony Pictures in 2014, and the boring reality is that the underlying security practices were bad. Storing clear-text passwords in files named “passwords” is never good, and in the presence of a determined and targeted attack it’s behaviour like this that makes the whole problem a hundred times worse. Whilst the very best APT protection tools will help slow down and identify an attacker, they’ll never stop the most determined. So when these do get through, you’re back to relying on good practice to keep your information safe. Just as you would be on a daily basis.

At Cognition I’m fortunate to speak to many customers, assess many tools and see what works in the “real world” and what gets replaced after a year of time-wasting. Sometimes a tool is the right thing; other times it’s a good procedure or a day of training. But if they’re honest, vendors know that you don’t really have an APT problem or an advanced malware problem. You have an information protection problem, of which a small part is IT related and an even smaller part is “Cyber” related.

Don’t be distracted by the bells and whistles of sexy tech. It has a value, but it should be way down your shopping list.

About the Author: Carl Gottlieb
I'm the trusted privacy advisor to leading tech companies, helping them gain maximum advantage through the right privacy strategy. My consultancy company Cognition provides a range of privacy and security services including Data Protection Officers, in-depth assessments and virtual security engineers. Get in touch if you'd like to learn more.