FUD - the real enemy of IT security
A report released today by the British Chamber of Commerce (BCC) has 'revealed' that one in five businesses in the UK were attacked by cybercriminals during the past year, and found that only 24% of businesses said they had security in place to guard against hacking. Not only this, but larger companies are apparently more at risk of being targeted.
Call me cynical, but is this really news? It seems that a new piece of research or study is published on an almost weekly basis saying pretty much the same as all the others. The number and variety of cyberattacks is on the increase, and British companies are ill-equipped to manage them. And woe betide you if you do happen to fall foul of a cyberattack, because you can be almost positive that the details will become public and will spread as fast as, well... a typical virus.
And yet the fear, uncertainty and doubt (FUD) spread by these types of reports and research doesn't seem to have done much to alleviate the problem. As someone who began their career in the IT security industry back in the year 2000 (don't get me started on the complete non-event that was Y2K!) and came back to it ten years later, very little appears to have changed. The scary statistics and warnings continue, cybercriminals and their malicious wares become more vicious, and IT security vendors strive to find new and innovative technological solutions. Sometimes they work, sometimes they don't - not because the technology is poor (for the most part), but due to other factors such as human error, miseducation or the evolution of the attack vector.
Surely the time has come to accept that on a weekly if not daily basis your organisation will be targeted by a cyberattack. It is, sadly, the way things are. Just like in the real world, as long as there is money to be made, cybercrime will never be eliminated. But this situation cannot be remedied by the continual torrent of FUD that surrounds it. Would it make any difference if one in three UK businesses had been the subject of an attack, or if smaller companies were at just as much risk as larger ones? You have to question how that should change what an organisation can actually do to protect itself. In my humble opinion, not a great deal.
I don't have all of the answers, but I would like to make a suggestion. Wouldn't it be more productive and inspiring if once in a while we saw stories of how people have tackled IT security in a new and innovative way, how organisations have prevented themselves from becoming the latest head-in-your-hands headline or about the ongoing research that those cleverer than myself work on day after day? Of course there is an inherent danger in giving away too much, but surely giving people hope and a belief that IT security isn't an unsurmountable challenge can only be a good thing? There are cybercriminals and there are cybersecurity heroes, and I for one vote for the latter!
by Natasha Staley, Infradata UK