Originally published on Tripwire, April 24, 2017
The title of this piece is quite obvious, but it is also an unappreciated fact. Consider for a moment the change we have seen over the last 30 years: access to cyberspace was scarce, often limited to enterprise users such as governments, educational institutions and the largest corporations, whereas today there are billions of users who treat the Internet as a basic need for living – just like electricity – with the number of access points into this domain continuing to grow.
The entire Internet of Things (IoT) wave may very well clobber us, as even in 2017 we cannot figure out whether there will be 20, 30, or 50 billion devices by 2020. (Don’t believe me? Just do a quick Internet search. Reports published over the last 18 months can’t make up their minds.) And we are not making our lives any easier when 99 percent of computers are considered vulnerable and attackers are just plain better and faster than defenders’ ability to protect a network.
In brief, technological advancement does not seem to be the problem; we are pretty good at that (like 3D printing an ICBM, for example). But dealing with the technologies we create is a bigger problem. (The thought of your next door neighbor having the capability to “print up” a ballistic missile delivery vehicle should worry you.)
So, to better address this problem, we need to ask: how do we use our technology? And perhaps more specifically: how much do we rely on our technology?
Consider this: up until the mid-2000s, we used our “cellular” phones to make calls, maybe send text messages, and little else. (By the way, bonus points if you know the difference between the terms cellular, mobile, and network, and very impressive if you know what “handy” means!)
Today, a smartphone allows you to place calls, send multimedia messages, take pictures, watch videos, listen to music, make financial transactions, understand your voice, tell you what your heart rate is, and so much more. Smartphones can even be used to hack networks. (Long gone are the days when you were a cool geek amongst your friends because you knew a few GSM network codes and could do some funny things on your phone.)
It’s important to note that there is something much more valuable than money: our information (remember from the previous piece: network security + information security = data security). And yet a paradox exists where we would rather not give up this valuable currency, but we continue to do so like we are addicted to some bad fashion.
I would suggest to you a main reason for this is that the general public – and perhaps even so-called “experts” – do not have a uniform level of understanding of “cyber” issues. This lack of uniform understanding helps explain why human error is still responsible for 95% of cyber incidents and why, for some time now, malicious actors have shifted away from trying to take advantage of system vulnerabilities to trying to take advantage of users.
And remember, if you cannot get at your target directly, you can always take a different route, like going through a third party that has trusted access, a tactic we are seeing more often as cyber incidents attributed to business partners are significantly on the rise. (This is largely due to the fact that both individuals and organizations do not know the details of the cyber policies in place at the third party.)
So, let’s think about that for a moment: we don’t really know what we’re doing and we know that we have problems, but now you’re telling us that we have to worry about our third party’s problems too?!