Merriam-Webster defines conventional wisdom as “the generally accepted belief, opinion, judgment, or prediction about a particular matter.”
When it comes to cybersecurity, conventional wisdom has settled on a set of beliefs which, taken together, foster a false sense of security, and actually make it easier for bad actors to find and exploit their next victims.
At SLPowers, we’ve been on a mission to bust the myths that sprout up within the cyber threat landscape like so many mushrooms around an oak tree. Earlier this month, we tackled the belief that being compliant with regulations makes you secure.
If that were true, the annual cost of cybercrime wouldn't be pushing the trillion-dollar threshold. A recent report from the Center for International Studies estimated that the yearly take now exceeds the annual revenues of Walmart, Toyota, and ExxonMobil, combined.
Today we’re taking on another common belief that carries dangerous consequences. And you might be surprised to see us, of all people, shooting this one down.
Business owners have long understood the importance of having an outside party conduct annual audits of their financial health. To that end, the accounting profession, first through the American Institute of Certified Public Accountants (AICPA) and, since 1973, through the Financial Accounting Standards Board (FASB), has established standards and rules governing the preparation of financial statements. These standards are referred to as Generally Accepted Accounting Principles, or GAAP.
So it’s logical for those same business owners (or their boards of directors) to believe that the quarterly, semi-annual, or yearly testing and validation from an outside security specialist would be enough to keep their data network on the right path. (It’s especially easy to fall victim to this myth when the CPA who handles your annual financial audit also claims to offer data security validation services. Beware!)
But if that were all it took to assure security, no company would find itself victimized by a data breach.
Think of a neighborhood security patrol, or the classic night watchman making the rounds in a large industrial plant. Whether they can prevent a break-in is entirely contingent on timing: they must show up during the narrow window in which the burglars are at work. Such measures are usually more effective at recognizing that a crime has already taken place than at stopping one in progress.
In the cyber world, even that after-the-fact value is eroding. In 2014, it took an average of 80 days to discover a malicious data breach (and another 123 days to clean it up). Only three years later, most breaches take more than six months to discover.
And according to the Verizon Data Breach Investigations Report, your customers are nine times more likely to discover that you've been breached than an outside IT auditor is. Not good.
Does that make assessments useless?
Not at all. (Given our company’s extensive security consulting practice, that’s the last argument we’d make.)
Regular comprehensive security assessments, conducted by a well-vetted and experienced third-party organization, should be an important part of every company’s security program.
But assessments alone won’t make you secure. The regularly scheduled arrival of your security specialist—even one of our security specialists—won’t make you secure.
There is no white knight.
What's needed is a holistic program that encompasses assessments and testing, employee training, risk management, incident response planning, ongoing monitoring so that detection does not depend on when the next assessment happens to be scheduled, and layered defenses that protect your network at the perimeter and from within.
It all starts with a conversation, and that won’t cost you a nickel. Contact us today.