Despite the advances in security technology and services available to us, there is still a gap between the knowledge needed for good security and where businesses currently are.
Part of that is down to the fact that many of the terms we use to describe attacks - like phishing, malware, DDoS and others - tend to be abstract to the average person.
In some cases, it ends up confusing things further as you try to wrap your head around them, let alone get to grips with improving your security.
It’s something Calum Mackenzie, security consultant for Integrity 360, has come across in his time working with companies, and part of the problem is the information overload surrounding the subject.
“There’s just so much misinformation out there so for a non-security person to decipher all of this, it’s pretty much impossible,” he said. “Even a quick example: in the penetration testing field, unfortunately there are companies out there that [are] running the penetration test and haven’t even reviewed the reports [which tell them] customer A has had vendor X in for three years doing a penetration test.
“I read the report and all they’re doing is running a vulnerability assessment, which is an automated tool that scans for vulnerabilities within the network. That isn’t a penetration test - it’s part of one, but the wider picture is simulating what an actual person would do when a malicious attack on the network [happens].
“Because there’s so much misinformation out there with marketing and buzzwords, it becomes impossible.”
Mackenzie notes that buzzwords such as artificial intelligence tend to be used to advertise products, and believes they can cause more harm than good.
Similarly, some companies contact Integrity 360 with security in mind but without knowing what they want to implement. That is addressed through conversations and an understanding of how the business works before a strategy is offered.
“You don’t want companies reaching out for a one-off purchase or [just] running a project for two months, because [what] a lot of companies want to hear is you can buy this solution and it solves this problem,” he said.
“With anything in life, it’s never the easy fix that gives you the long-term results, so I always take the conversation up a level and say, what brought you to reach out to us - and more often than not, there’s nothing really driving it.
“Sometimes there’s compliance or audit requirements, [but] this isn’t a job for the security guys any more. We need to embed security within our culture and move to a security-first attitude and culture.
“Whereas it’s easy for me to jump into the conversation and say this is where I think you are, you need to get to here and here are a few tips to help you along the way, for someone who doesn’t do this day-to-day, it must be an absolute minefield of information. It’s almost information overload.”
In general, no single security tool will ever be a silver bullet. Relying on an easy solution rarely turns out well; instead, companies should follow a well-defined security programme.
Mackenzie says he sees companies struggling with the basics, some of which can vastly improve security without any investment in tools.
Mackenzie says that whatever tools are introduced, the fundamentals of security remain the same. The goal is to have “a structured, well-defined, layered, in-depth approach where you take everything into consideration and not look for the quick fix.”
It’s hard to get to grips with, especially if you have little to no knowledge about security, but the more time and effort you invest into it, the more it will pay off.
“To the point of setting up a security programme, once you have that defined, there’s no guesswork involved,” he said.
“It’s okay to say this might take five years to get right, but start on the right foot and usually you’ll find that starting with the biggest, the heavy hitters, will reduce how vulnerable you are to different attacks massively.”