If All Security Can Theoretically Be Broken, What's The Point?
- Anthony
- November 12, 2019
- 02:50 PM
Why not just give up and see what happens?
We’ve said it before, and we’ll say it again: no cyber security is 100% effective. Anyone who claims otherwise is lying, misinformed or guilty of substantial hubris. The truth is that any form of defence can theoretically be breached. So why bother at all? What is the point of having cyber security if it doesn’t guarantee your safety?
As you can probably guess, it’s a matter of risk reduction, not elimination. Physical security provides a useful parallel here.
Let’s say your business premises are monitored 24/7 by a network of security cameras, the locks on your windows and doors are top of the range, you have security guards patrolling throughout the night, and on top of all that, you have motion detectors and alarms.
The business next to you, however, has no such precautions. It has flimsy locks on its doors and is left unattended at night.
It’s fairly obvious which of you is more likely to get robbed.
^ If you make things difficult for criminals, they will likely move on to someone else.
Similar logic applies to cyber security. The business with weaker defences is going to be easier to break into, and that naturally appeals to criminals. So as well as being harder to crack, strong security can have a kind of deterrent effect that stops criminals from ever trying to attack you in the first place.
Unfortunately for the business with the weak security, it’s more likely to suffer a breach at some point. And that’s the sad reality: if you’re on the ball with your cyber security, it will probably be some other poor business that gets scammed and not your own – but someone, somewhere is eventually going to be the victim of a breach.
Of course, there are no guarantees with anything. Let’s return to our physical security analogy to explore this.
What if your business is located in a safe part of town, with a low crime rate and a strong police presence? In such a scenario, even the firm with the weak security might find it never suffers a break-in. If that’s the case, you could argue the company with the high-tech security measures has wasted money on defences it doesn’t need.
However, the internet is more like the wild west than a cosy cul-de-sac in the Cotswolds, and crime is practically inevitable. Research using online 'honeypots' has shown that attacks on newly connected devices can occur in a matter of days or even minutes. It can happen so quickly because many attacks are carried out using automated software tools.
Yet, by sheer luck, the business with the terrible security could still somehow escape the attention of criminals. It can and does happen, which leads to complacency and a sense that these things only happen to other people.
Equally, the best defences can be rendered useless by negligence and complacency. You could have all the security in the world, but if one of your employees leaves the back door open, then criminals can just walk right in. Similarly, if an employee is working with the criminals, they might leave it open deliberately.
^ Trying to get by without cyber security is a risk that probably won't pay off.
So why have security at all? Well, why do you have locks on your front door? If someone wanted to get into your property, they could just smash a window and climb in. What the lock does is stop crooks from casually walking in. Smashing a window might draw too much attention, and if they don’t know how to pick the lock, their options are limited, so they might move on in search of a softer target.
It's also true that some security measures are much, much more difficult to crack than others. Two-factor authentication, for example, is an effective way to stop criminals gaining unauthorised access to accounts, and modern encryption technologies are extremely difficult to crack.
Nothing can ever totally eliminate the risk of breaches, but security measures can dramatically reduce it. And security technology goes hand in hand with, but does not replace, personal responsibility. To stand the best chance of avoiding and mitigating cyber attacks, businesses should invest in their security but should also follow best practice as much as possible. That includes having a robust disaster recovery solution to fall back on, should the worst happen.