When I was starting my journey with cybersecurity it was still known as Information Security. 13 years ago, my knowledge about information security was mostly based on the Polish legislation on handling confidential data (written in 1997). As you can see, my knowledge was already outdated. If you have ever worked in a public entity, you probably know that 99.9% of the confidential data was created and processed on paper. Sure, you could probably create something on a computer, but the machine had to be certified by the country’s security agency. There was even a special room that was in fact an electromagnetic cage, where all confidential data was stored. Shhh – it’s not a secret ;) If you worked in a public entity in 2010 you probably had more knowledge about security than 98% of people working in private entities. Why is that, you ask? Well, for starters, if you were working in the public sector you had to have a security clearance, which means you had to go through basic information security training. Back in 2010 not a lot of people were so “lucky” to work for an international corporation, especially in Poland. Even today, if you work for a foreign-owned company in Poland you are among the 6% of the total workforce who do – you can only imagine the numbers a decade ago.
If you worked in a private company in 2010 the only concern about data from a regulatory perspective was personal data, and we all know no one really cared about privacy until GDPR came marching in, in 2016. Back then all we knew, as security personnel, was that we had to take care of the Confidentiality, Integrity, and Availability of data. In simple words, we had to control who had access to the data, protect that data from any unwanted modifications and make sure people could access that data when they needed it. But hey, 13 years ago we did not have such fancy solutions to do all of that. To top it all off, it was not the Information Security personnel who had to do it, it was IT. If you worked in Information Security in 2010 you did not do much cybersecurity; you were swamped in procedures and papers. So, I could say I started working in cybersecurity in 2010 because I actually worked as an IT system administrator, and we did not have many answers on security controls back then. The most we could count on was a basic antivirus we could buy off the shelf; all the other controls we had to implement from what we had available. Heck, we didn’t even know what the security controls were. We could probably have searched for the answers in the well-known ISO 27001 standard; however, the first version of that standard was published in 2005, so you can imagine that not a lot of companies were even accustomed to something called Information Security. Well, maybe banks knew a little bit more, but where there is money there is security - and that’s a problem.
Since 2010 IT has evolved into Everything as a Service and Information Security has changed its name to Cybersecurity. With that (r)evolution companies have changed their business models and the way they operate, and they have become more mobile – even in the public sector. Unfortunately, the more cyber our businesses become, the more cyberthreats we have to worry about. Fortunately, as cybersecurity experts today we know more about the threats than we knew 13 years ago.
And, how much exactly do you know about cyberthreats?
You probably know more about health issues around the world and how to treat them than about cyberthreats and how not to become a victim of cybercrime. In my first post I compared cybersecurity to healthcare, and somehow I have the feeling that as cyber humanity we are still back in 1920.
In high-income countries 60% of all organisations hire no more than 500 people. Worldwide, 95% of all businesses hire around 50 people. So, for a moment let’s step into the shoes of an SME business owner who hires 200 people and provides some sort of business services to people and other companies. How much exactly do they have to spend on cybersecurity if they want to have some sort of protection in their company? Assuming each employee has a laptop with Microsoft Windows, you are already protected by the built-in antivirus software. But is that sufficient? You can compare it to taking an aspirin for a chronic headache: it will soothe the pain but not heal the disease. If you want to step up the game just by a little bit and have more control over your security posture, you have to buy something more, right? You can easily stay within the Microsoft world and spend as little as 1680 Euro a month to protect all the laptops – that’s like buying a new iPhone 14 Pro each month. Will that be enough? Well, how much do you know about configuring Microsoft Security Services, building policies, deploying, monitoring and so on? Probably not enough, so let’s hire someone who knows more about Microsoft Security; that adds another couple of thousand Euros a month to the bill. That should be enough. Let’s see, when was the last time you updated your network devices – I assume you have at least one? Let’s see how many devices you have – servers, switches, printers, screens, mobile phones, projectors, conference webcams… And the list just keeps on growing. Ok, so how do we handle that? Let’s buy something to monitor and update our devices. Another 500-1000 Euros. Oh wait, does the Microsoft expert know how to handle Vulnerability Management software? There goes another couple of thousand Euros. Ok, now you should be ready if something happens. You are well prepared! Or are you?! Most cyberattacks are now concentrated on the weakest link – humans.
Do my employees know what to do if they are a victim of a cyberattack? Will my tech experts know how to handle a cybersecurity incident? Shoot, let’s hire a cybersecurity manager to handle all of that. So, what’s the bill now? Something around 25-30 thousand Euros a month! Wow, that’s expensive for a company of 200 people. Maybe we can outsource? Sure, maybe you can cut 15-20% from that bill, which is still pretty expensive. Small and Medium Enterprises often choose the easiest way and simply don’t worry, because they believe they will never be a victim of a cyberattack. The sad truth is that it’s not a matter of “if” anymore, but “when”. What’s worse, lots of companies (even the big ones) are not even aware that they are in fact already a victim of a cyberattack.
The reality is that proper cybersecurity is indeed a pretty expensive game that only the privileged can play, because it’s too expensive and SMEs cannot really afford it. But it gets even worse now that there is more pressure coming to SMEs from the regulators to join the game. Soon all businesses will be required to have cybersecurity regardless of their profession and size.
Fortunately, there is hope for everyone, and knowledge is the key. Just like with healthcare, the more knowledge we have the better we can prepare ourselves to live a long and healthy life. Just like doctors started popularising knowledge about healthcare, it is our responsibility as cybersecurity experts to start making that knowledge more common, to make sure the community is more cyber secure. As we have worked with technology for quite some time now, we have no trouble discussing the topic internally in our community. It does not come easy, though, as we do struggle to translate all that technical mumbo jumbo into a language that everyone can understand. Imagine you have to explain a heart transplant procedure, with all the steps and tools, to a shop clerk and expect them to understand everything you said and, even more, to perform that procedure the next time they step into their store. The same goes for cybersecurity: we cannot expect that people will understand everything we say and be more cyber secure the next day. We have to start teaching them how to live securely in the cyberworld, so we don’t have to perform heart surgeries unless we really need to. The earlier we start teaching, the better the results will be. By the way – how old was your child when you started teaching them to wash their hands to get rid of the germs? And how old was your child when you first introduced them to YouTube on your mobile phone? Let me guess: YouTube was earlier…
But more on that in my next post.