Security Awareness and the Apocalypse
As the owner of an information security firm, I spend a lot of time promoting security awareness and encouraging organizations to adopt an appropriate level of operational security (OPSEC) in their businesses. It has been proven time and again that humans have been and continue to be the greatest weakness in an organization’s security chain, primarily because the humans in question haven’t been given the right tactics, techniques and procedures (TTPs) to defend themselves, nor have they had adequate adjustments in attitude to want to do so. Today’s human firewalls tend to be as flawed as the firewalls plugged into countless datacenters.
I had breakfast this morning with a friend of mine who has been employed in various law enforcement agencies for all of his adult life. A highly certified and accredited individual, my friend (whom I shall refer to as Harry) has worked in counter-terrorism, forensics, explosives interdiction, corrections and firearms training, among other things. Harry and I met for breakfast to talk about business, but were inevitably sidetracked by the latest juicy gossip of police raids on terror cells, unpublicized data breaches and gangs using the Internet to auction illegal firearms.
Over a couple of breakfast sandwiches we continued to talk about the problems that citizens and local businesses were having with gangs, drugs and the illegal firearm trade that has become so active in the Capitol Region. I listened as Harry shared story after story of small businesses that were being increasingly terrorized by racist groups, crime and violence. For confidentiality purposes I can’t share specifics, but I can tell you that I was alarmed at the frequency and severity of the crimes that were occurring. As I processed all of this new information it occurred to me that if John Q. Public really knew what was going on in law enforcement, they would never leave their house.
And then it occurred to me – what if the same was true of information security?
I recently read an article that suggested that there should be more data breach notifications, rather than fewer. The idea behind the article was that with more notifications, we would learn more about current exploits and be better at addressing the threats and vulnerabilities behind them.
But imagine for a moment that the details of every data breach, malware outbreak and security incident were at once made public. One of two things would happen:
- With so much information made suddenly available, there would be no way to process it, and it would be useless. The number of data breaches and security incidents that go unreported is staggering, beyond comprehension in any meaningful way. The sheer volume of data would desensitize all but the most determined practitioner.
- The computing world as we know it would stop. I liken it to a mass, global outbreak of the AIDS virus – there’d be a whole lot less sex going on. Web properties like Amazon, eBay and Facebook would cease to exist, as would their trading partners. Credit cards would disappear. Banks would shutter and dissolve. Security is based on trust – when that trust is shattered, the systems built upon an implied guarantee of security cannot survive.
The only way to prevent one of these two outcomes is to increase our awareness while improving our ability to identify and deal with our risks. Our very way of life relies on this.
And while it may seem far-fetched to think of our world regressing to a time before the Internet, before credit lines or before the first financial institutions, remember that there’s an ugly world going on out there. You just don’t know it yet.