The human brain’s innate sense of paranoia likely evolved as a self-preservation mechanism to protect man against actual and perceived natural threats. That sense of paranoia, however, now makes man susceptible to unusual suggestions to protect himself from new actual or perceived threats that arise in modern society. In the cybersecurity arena, some of those suggestions can be downright weird, where “weird” is defined as ineffective or ignorant of the substance of cybersecurity threats. Five particularly weird cybersecurity suggestions have permeated the industry for many years, yet they continue to have traction even though they have been debunked.
The Default Permit Approach
Cybersecurity teams that implement a “default permit” protocol are treating symptoms without curing the disease. In a default permit environment, any external calls into an information systems network that are not explicitly forbidden are, by default, permitted. Network administrators follow this weird suggestion out of a false sense of confidence that hackers are not interested in breaching their networks, either because their companies are too small or they do not maintain sensitive information. The reality is that all networks are hacking targets, and preventing breaches from only known threat sources leaves a network vulnerable to other attacks.
The Unplug It Suggestion
Ending internet connectivity, avoiding use of public wifi, and staying away from social media will help a company to avoid cybersecurity problems, but total cyber-isolation will also kill the company. Some cybersecurity teams have suggested an “unplug it” approach on a subtler level. One cybersecurity expert tells a story of one of his clients that shut down certain ports when a system test had been scheduled. The test showed that the remaining system ports were secure, but once the test was complete and the closed ports were reopened, the system was once again vulnerable. Unplugging system access and gaming security tests are among the weirdest cybersecurity suggestions.
The Hack and Patch Practice
Businesses pay good money to teams of hackers that attempt to find holes in their networks, and then pay additional money to technicians to repair those holes. Many times, the repair has holes of its own that become exposed in subsequent system breaches. This “hack and patch” practice is the equivalent of paying vandals to break windows in a building and then paying to replace those windows with glass that is susceptible to further breakage. This weird practice throws good money at a seeming solution that does little to create a more secure information systems environment.
Relying on Users and Employees
HR departments go to great lengths to educate employees on the best cybersecurity practices and to warn system users to protect their information and to keep login IDs and passwords secure. At the end of the day, however, employees and users are the weakest cybersecurity links. There is no weirder suggestion than absolute reliance on user and employee education, regardless of how good that education may be.
The sad realities of the cybersecurity world are that network and data breaches do happen and that companies lose millions of dollars as a result of those breaches. Every company, regardless of size and the quality of data that is retains, is susceptible to hacking. Cybersecurity insurance provides a backstop against ruinous losses when all other cybersecurity tools have failed to prevent those breaches.
Pay the Ransom
Hackers have developed ransomware that holds a company’s network hostage until the company pays a cash or bitcoin ransom to release it. The FBI has inexplicably recommended that companies should simply pay this ransom, even though ransomware losses have grown to almost $18 million annually. Paying ransom may be a company’s only option when it needs to recover access to critical data, but capitulating to hacker demands is a weird cybersecurity strategy.
The point of all it all is, you don’t have to follow a suggestion. Read up on cybersecurity and develop a plan of action from there.