Last Monday’s mass shooting in Boulder is yet another reminder, in a year full of them, that controlling known risks does not guarantee security. The known-unknowns and the unknown-unknowns are still out there. As Helen Keller, an extraordinary model of resiliency, observed: “Security is mostly a superstition.”
Nonetheless, I will continue to insist that my grandchildren wear seatbelts, look both ways before crossing the street, eat their vegetables, and not breathe in my face when they or I are unmasked. I will continue to take precautions.
When it comes to cybersecurity, the probability of experiencing an attack is high, and yet many organizations and individuals demonstrate either an Alfred E. Neuman-style optimism bias (“What—me worry?”) or an Eeyore-style defeatist bias (“It’s all for naught.”). Either mindset is flawed. The simple message this month is: Focus on what you can control, not what you can’t.
To the Alfred E. Neumans: Yes, please worry.
Statistics collected on the frequency and cost of cybersecurity attacks indicate that there is something to worry about, especially when compared to the likelihood of other types of adverse events that we spend time worrying about. Consider the following two sets of statistics:
Statistics and Event Probabilities: Cybersecurity[i]
- 1 in 13 web requests leads to malware. (Symantec)
- 1 in 36 mobile devices has high-risk apps installed. (Symantec)
- Smaller organizations (1–250 employees) have the highest targeted malicious email rate at 1 in 323. (Symantec)
- Remote workers have caused a security breach in 20% of organizations. (Malwarebytes)
- Financial and manufacturing services have the highest percent of exposed sensitive files at 21%. (Varonis)
- 88% of organizations worldwide experienced spear phishing attempts in 2019. (Proofpoint)
- 94% of malware is delivered by email. (CSO Online)
- Data breaches exposed 36 billion records in the first half of 2020. (RiskBased)
- The average time to identify a breach in 2020 was 207 days. (IBM)
- The average ransomware payment rose 33% in 2020 over 2019, to $111,605. (Fintech News)
Statistics and Event Probabilities: Other Events[ii]
- Experiencing food poisoning in any given year: 1 in 6
- Catching a foul ball in a baseball game: 1 in 835
- Dying in a mass shooting: 1 in 11,125
- Being struck by lightning in any given year: 1 in 700,000
- Being killed by a shark: 1 in 3.7 million
- Being killed by a tornado: 1 in 5 million
- Being killed in a plane crash: 1 in 60 million
- Being born: 1 in 5.5 trillion
- Creating a perfect March Madness bracket: 1 in 92 quintillion (Forbes)
To the Eeyores (and Alfreds): It’s all for ought.
Good cybersecurity practices reduce the likelihood that an attack against your organizational or individual information assets will be successful. Here are some focus areas organizations and individuals ought to bring under control:
- Email and Web Use. Train employees to spot suspicious email, text, video, and phone messages. Consider using a tool like KnowBe4 to run simulated phishing campaigns and see who still needs training. Verify sender and destination information before clicking or replying. Remember that the ratio of spoofed to legitimate websites is about 20:1.
- Content Filtering. Configure next-generation gateway devices or security services (e.g., firewalls, routers, OpenDNS) to control the flow of communications into and out of your organization or device. Similarly, keep anti-virus software current. Tracking reports indicate that about “560,000 new pieces of malware are detected every day.”[iii]
- Credential Theft. Change default administrative credentials and settings on equipment. Deactivate functions and protocols that you don’t need. Never allow “automatic login” or “remember this password” or “don’t ask again” (the latter with respect to multifactor authentication) on organizational or personal devices.
- Identity Protection. Robust passwords and multifactor authentication are low-cost fixes. It’s worth repeating: Passwords should be unique to each account or individual, difficult to guess, at least 12 characters (with no repetition or predictable sequences), and mix letters, digits, and special characters. Check the Pwned Passwords service at <haveibeenpwned.com>, which holds 613,584,246 real-world passwords previously exposed in data breaches.
- Detection and Response. Implement procedures to monitor system activity and detect unusual or disturbing behavior. Baseline what “normal” communications traffic is for organizations and individuals. Practice how you will respond to an event and evaluate how to manage it. Develop an incident response plan that aligns with your system security plan.
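The Identity Protection bullet above names two checks a practitioner can automate: a password policy (length, no repetition, no predictable sequences, a mix of character classes) and a lookup against Pwned Passwords. The following is an added example, not code from this column or from haveibeenpwned.com. It assumes the public k-anonymity endpoint `https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>`, which returns `SUFFIX:COUNT` lines; the sample response embedded here is constructed so the code runs offline (the counts and the other suffixes are made up; only the suffix for “password” is its real SHA-1 tail). The 5-character prefix is the only thing that ever leaves the machine, which is the point of the k-anonymity design.

```python
import hashlib
import re
from typing import Callable, Dict, List

MIN_LENGTH = 12  # the column's minimum

# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6.
# Counts and all but the last suffix are made up; the last suffix is SHA-1("password")[5:].
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    ),
}


def offline_fetch_range(prefix: str) -> str:
    """Fetcher for offline runs: serves the constructed sample instead of the live API."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def online_fetch_range(prefix: str) -> str:
    """Fetcher for real use: only the 5-character hash prefix is sent to the service."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwcheck-example"},  # HIBP asks clients to identify themselves
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def _has_sequence(s: str, run: int) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 in code point (abcd, 4321)."""
    for i in range(len(s) - run + 1):
        steps = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def policy_findings(password: str) -> List[str]:
    """Return the column's rules the password breaks; an empty list means it passes them all."""
    findings: List[str] = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password) or not re.search(r"[0-9]", password):
        findings.append("needs both letters and digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("needs at least one special character")
    if re.search(r"(.)\1\1", password):
        findings.append("contains a character repeated three or more times in a row")
    if _has_sequence(password, 4):
        findings.append("contains a predictable sequence such as 'abcd' or '4321'")
    return findings


def pwned_count(password: str, fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password appears in breach data (0 = not found in the range)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def assess(password: str, fetch_range: Callable[[str], str] = offline_fetch_range) -> dict:
    """Combine the local policy check with the breach lookup into one verdict."""
    findings = policy_findings(password)
    pwned = pwned_count(password, fetch_range)
    if pwned:
        findings.append(f"seen {pwned} times in breach data")
    return {"password_ok": not findings, "findings": findings, "pwned": pwned}


if __name__ == "__main__":
    for candidate in ["password", "abcd1234!Xyz", "Tr0ub4dor&3xample!"]:
        print(candidate, "->", assess(candidate))
```

To run it against the live service, pass `online_fetch_range` as the second argument; the offline fetcher is there so the logic can be exercised without network access or with your own cached range files.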
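The Detection and Response bullet tells you to baseline what “normal” traffic looks like and then alert on departures from it. As an added example that is not part of this column, here is the simplest form of that idea: per-host hourly outbound byte totals (the kind of summary a flow collector or firewall log produces) are learned over a training window, and later hours are flagged when they exceed the host’s mean by more than three standard deviations, or when a host appears that was never seen during training. The records are constructed; the 5% floor on the standard deviation and the three-sigma threshold are assumptions to tune for your environment.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[int, int, str, int]  # (day, hour, host, bytes_out)

# Constructed sample: hourly outbound byte totals per internal host.
# Days 1-5 are the learning window; day 6 is the window we evaluate.
SAMPLE_RECORDS: List[Record] = []
for _day in range(1, 6):
    for _hour, _b in enumerate([48_000, 52_000, 50_000]):
        SAMPLE_RECORDS.append((_day, _hour, "ws-01", _b))
    for _hour, _b in enumerate([78_000, 82_000, 80_000]):
        SAMPLE_RECORDS.append((_day, _hour, "ws-02", _b))
SAMPLE_RECORDS += [
    (6, 0, "ws-01", 51_000), (6, 1, "ws-01", 49_000),
    (6, 2, "ws-01", 2_600_000),  # ws-01 suddenly pushes ~50x its usual hourly volume
    (6, 0, "ws-02", 81_000), (6, 1, "ws-02", 79_000), (6, 2, "ws-02", 83_000),
    (6, 1, "ws-99", 5_000),      # a host that never appeared during the learning window
]

SIGMA_FLOOR = 0.05  # assumption: never let stdev fall below 5% of the mean (avoids noise alerts)


def build_baseline(records: List[Record], last_learning_day: int) -> Dict[str, Tuple[float, float]]:
    """Per-host (mean, sigma) of hourly outbound bytes over the learning window."""
    per_host: Dict[str, List[int]] = defaultdict(list)
    for day, _hour, host, bytes_out in records:
        if day <= last_learning_day:
            per_host[host].append(bytes_out)
    baseline: Dict[str, Tuple[float, float]] = {}
    for host, values in per_host.items():
        mean = statistics.fmean(values)
        sd = statistics.stdev(values) if len(values) > 1 else 0.0
        baseline[host] = (mean, max(sd, SIGMA_FLOOR * mean))
    return baseline


def detect(records: List[Record], baseline: Dict[str, Tuple[float, float]],
           first_eval_day: int, z_threshold: float = 3.0) -> List[dict]:
    """Flag hours whose outbound volume is > z_threshold sigma above the host's baseline,
    plus any host with no baseline at all."""
    alerts: List[dict] = []
    for day, hour, host, bytes_out in records:
        if day < first_eval_day:
            continue
        if host not in baseline:
            alerts.append({"day": day, "hour": hour, "host": host, "bytes_out": bytes_out,
                           "z": None, "reason": "no baseline: host not seen in learning window"})
            continue
        mean, sigma = baseline[host]
        z = (bytes_out - mean) / sigma
        if z > z_threshold:
            alerts.append({"day": day, "hour": hour, "host": host, "bytes_out": bytes_out,
                           "z": round(z, 1), "reason": f"outbound volume {z:.0f} sigma above baseline"})
    return alerts


if __name__ == "__main__":
    base = build_baseline(SAMPLE_RECORDS, last_learning_day=5)
    for alert in detect(SAMPLE_RECORDS, base, first_eval_day=6):
        print(alert)
```

A real deployment would key the baseline by host and hour-of-day (or weekday) rather than by host alone, since nightly backups and business hours have different “normals,” but the shape of the check is the same: learn, compare, alert, and then rehearse what you do with the alert.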
To Everyone: Target your focus.
Some of the best self-help resources for templates, checklists, and how-to guidelines are free. Some of my favorites are the following:
- NIST Small Business Corner https://www.nist.gov/itl/smallbusinesscyber
- FTC Cybersecurity for Small Business https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity
- US Telecom Cybersecurity Toolkit https://www.ustelecom.org/research/ustelecom-cybersecurity-toolkit-2/
- Cybersecurity and Infrastructure Security Agency https://www.cisa.gov/
The target is to be safer today than you were yesterday, but not as safe as you will be tomorrow. Adverse events will occur—there is no talisman that will guarantee otherwise—but known risks can be controlled and their impact reduced. Be safe!