Wishful Thinking as a Security Strategy
Last month, CIPP/US President Rick Kam finished publishing a three-article series about mitigating cybercrime.
His overall argument is this:
- Cybercrime is now big business, and its players operate as businesses. So, they must direct their efforts at the highest-ROI activities.
- As a potential victim, you must understand the economics of their ‘business model’. By doing so, you can know the most likely ways they will attack you.
- This will allow you to “apply business tactics to discourage cyber criminals from attacking your organization… if you can take away the ROI, attackers will bypass your business in search of more profitable targets.”
So how can you “apply business tactics” to cybersecurity? Mr. Kam explains that you should figure out the most likely attacks (on an ROI basis) for your industry, and then defend against them.
For example, retailers process large amounts of credit card data in their point-of-sale (POS) systems. Since card numbers are valuable on the black market, retailers should expect POS attacks. Thus, he says, retailers should “make sure your POS system is running an up-to-date OS and that your IT team is applying security patches as soon as they are available. Experts also recommend deploying secure card readers that enable point-to-point encryption of card data within your networks,” along with implementing other best practices for information security.
This all sounds quite logical. Nevertheless, the overall reasoning is flawed. Let’s see why.
First, is cybercrime big business? Yes, absolutely.
As we’ve written before, cybercrime is more than a business model. It is now an industry. It has transparent marketplaces, a mature ecosystem of vendors and solution providers, regular publications and news sources reporting on current events… the list goes on and on.
But the second point — that criminals prioritize their efforts according to potential ROI — is not always true. On today’s Internet, you can’t assume all potential attackers are rational players obeying big-business economics.
There are (still) a substantial number of attackers that don’t fit into this characterization. Even setting aside the script kiddies (who mount unskilled attacks for their own amusement, or for bragging rights among their peers, etc.), this category can represent substantial threats.
For example, a significant number of attacks are politically motivated. When a cyberassault is mounted by a terrorist organization, or an activist group, or even a government like North Korea, profit is not a goal.
And for other attacks, normal calculations of cost and so on don’t even apply. For example, when a hacker collective like Anonymous goes after an organization, often the resources needed for the attack (the manpower, bandwidth, etc.) are contributed by the attackers themselves, for free.
What about the third point in the article series — that applying business tactics can prevent cyberattacks? This idea is based on the previous two points, which we’ve already seen are not true.
But there’s another incorrect assumption here — one that’s more subtle, and more dangerous.
The ‘business tactics’ approach implicitly assumes that it’s impossible to have comprehensive security. (In fact, the first article says so explicitly: “You can’t afford to defend on all fronts.”)
And so, Mr. Kam says the best practice is to defend against the most likely attacks — i.e., those with the highest potential ROI for the attacker.
Even then, you can’t fully defend against those attacks (according to this view). Your only goal is to make those attacks as expensive and/or troublesome for the attackers as possible.
Hopefully, if you do this well enough, they will shift their attention to other, easier victims.
And that’s the key word: ‘hopefully’. This entire approach is based on the hope that if you make an attack inconvenient enough, the attackers might leave you alone.
This is just wishful thinking. And it’s completely the wrong attitude.
Your goal should not be to inconvenience the attackers, at their most likely points of attack. Your goal should be to defeat them, at all possible points of attack.
To achieve effective cybersecurity, you shouldn’t implement best practices only for the most likely targets. You should implement best practices everywhere, throughout your organization.
To do otherwise is to deliberately have inadequate security, for at least some attack vectors.
And that’s a strategy that will inevitably backfire.
Photo credit: Helloquence