Dr. Oren Eytan is the CEO of Israeli startup odix and previously led the IDF cyber defense unit.
Consensus in cybersecurity is hard to come by. From CISOs with the resources and motivation to think big to nontechnical executives chasing the risk-reward train and putting an IT title on things to justify their confusion, nothing is as it seems. The forces of risk and technology are constantly shifting as tech leaders collectively attempt to create a baseline understanding of what’s at stake and what is feasible.
Experience has proven that cyber preparedness is only effective when the approaches don’t focus too heavily on the fear factor but rather shift toward attainable goals and practical skills to empower employees and digital citizens to protect themselves and their organizations.
In an attempt to push the conversation toward practical skills, I want to dispel some of the biggest myths in cyber protection and speak about how overreliance on these ideas has prevented many from tackling some of the biggest issues in cyber protection.
Myth: Cybersecurity is complicated.
Everyone has heard the talk around the water cooler: “It would be great to improve our cybersecurity policies, but it’s just too complicated.” This is often followed by the adage: “I don’t even know where to start, so what’s the use?”
Getting over the all-encompassing idea that cybersecurity is one massive problem, the conversation must be transformed into bite-sized and easy-to-apply steps. By demystifying the risks and providing clear context, cybersecurity becomes manageable for even the least technically savvy person on your staff.
Stat: 56% of Americans don’t know what steps to take in the event of a data breach.
Reality: Easy wins are achievable.
While it’s true cybersecurity can be complicated, it doesn’t have to be. From straightforward and nontechnical conversations about how to avoid common cyber risks to IT teams applying updates, patches and optimizing type filters to prioritize assets and determine the strength of cybersecurity, protection can be achieved.
For CISOs and HR, if they invest the time and resources to speak directly to everyday threats and common situations that impact employees across departments, low-hanging fruit can be found and some semblance of cybersecurity can be simply implemented. The context will always be king in making (typically boring) cyber threats into situations prioritized by your team. By removing unneeded technical jargon and focusing on easy wins, cybersecurity becomes more tangible to your team without drowning them in the process.
Myth: Cybersecurity is expensive.
There’s no such thing as a free lunch. Well, in cyber defense, this might not actually be the case.
Cybersecurity deployment comes in all shapes and sizes. From low-cost email filters and off-the-shelf antivirus software to high-end, fully bespoke cyber management policies with dozens of integrated solutions and costly advanced technologies in place to (attempt to) corner every threat, cyber solutions are as varied as their end users. As a result, businesses must realize that cybersecurity is more like playing a game of Tetris than playing the lottery. With the right combination of legacy solutions, innovative low-cost technologies and a proactive IT team, many of the most common cyber threats can be mitigated at minimal cost to the organization or managed service providers.
Stat: The average cost of antivirus protection is between $3 to $5 per user, per month, on their workstations, and $5 to $8 per server, per month.
Reality: Cyber education pays major dividends, with fewer upfront costs.
While it may be clear that every business must invest in technical solutions to keep its data secure, the investment in cyber education programs and improving HR’s holistic approach to instilling cyber skills across every (even nontechnical) department don’t always keep pace. And for the cost, this is probably the most significant issue in cybersecurity today.
Cyber education and awareness programs cost a fraction of what it takes to implement a significant technical cyber solution and provide massive dividends in long-term security, not just for your organization but also for the newly empowered cyber ambassadors you have formed.
To change the thinking that cybersecurity is expensive, ROI of cyber awareness initiatives needs to be better connected to long-term cybersecurity goals. While it’s seemingly simple to drop in a technical solution that touts a high level of system protection, it’s a completely different story when you understand that the human element drives the equation more than the toolbox they use.
Myth: Cloud vendors will keep you safe.
After going beyond the perceived structural limitations, from cost to complexity, the other end of the extreme must be addressed: a false sense of security due to the efforts of IT. Just as problematic as assuming cybersecurity is financially unattainable or beyond the technical capabilities of your team, the overreliance on IT security messages can also set your team up for almost certain failure.
Stat: Organizations often struggled to implement proper cloud security, resulting in more than 33 billion records (registration required) being exposed in 2018 and 2019 alone.
Reality: IT is pushed to its max.
The key to resolving this misjudgment in practical defense is by breaking down the barriers of communication and creating employee-focused cyber awareness programming. By providing an avenue that can both teach employees basic cyber skills as well as inform them about what actions their organization is already taking to enhance cybersecurity, everyone becomes better prepared to face cyber risk.
How To Shift Thinking
Changing the perceptions and understanding of risk in cybersecurity is an uphill battle — often achieved with little fanfare or personal appreciation. In practice, the only way to bring greater clarity in cybersecurity is for all players to commit to the cause, look past the perceived burden of investment in time or resources and engage internal IT leaders to chart a course toward enhanced cyber awareness.
Nothing changes overnight, and this is even more so in managing cyber risk. Only through the concerted effort to break down misconceptions and provide tactical solutions can enterprises effectively take on cybersecurity.