Sam Curry, CSO at Cybereason, explains how technology startups can prepare and deal with cyber attacks.
Advances in technology are usually discussed in optimistic terms that speak of progress – just look at the cloud, with its surrounding language around freedom and opportunity. The exception to the rule is cybersecurity, which tends to be very negative, with an emphasis on the worst-case scenarios of major cyber attacks.
The negativity surrounding security is a classic example of FUD – Fear, Uncertainty and Doubt. FUD as a sales strategy involves providing prospective customers with negative information to influence their decisions.
In the early days of the tech industry, leading organisations would purposefully spread negative information about rival products to create doubt. In the cybersecurity world, the FUD instead comes from focusing on the potential for a major cyber attack that could cripple an organisation at any moment.
The problem with FUD – on both sides of the fence
It’s not surprising the security industry has embraced FUD, as having potential buyers worried about the threat of a catastrophic attack seems like an obvious way of prompting them to spend more on the latest security solutions. Even non-commercial bodies such as governmental and not-for-profit organisations tend to rely on the negative aspect to raise awareness, as seen with the focus on the potential fines from the upcoming EU GDPR rather than on more constructive areas.
While it might seem like a solid sales strategy, FUD is actually a very damaging tactic for the cybersecurity industry to rely on. The constant barrage of warnings and use of overblown language like “weapons of mass (cyber) destruction” does not help decision makers to take useful action, but rather pushes them in the wrong direction.
In some cases, the FUD factor will inspire an organisation to spend more on cyber, but it tends to be a very unfocused effort and will be wasted on whatever the technology of the day is, rather than a more practical effort. More likely though, the company will just start to ignore the warnings. As per the ‘Boy Who Cried Wolf’, dire warnings only have an impact for so long before they become background noise or even lead to scorn.
Aside from the security vendors, the overabundance of FUD is also bad for enterprises themselves. If an organisation took all the warnings to heart, none of them would ever invest in new technology or take any risks again. Fast-growing startups and scaleups in particular are under threat of having their ambitions squashed by buying into the FUD. They cannot afford to absorb a hit like larger firms can, but also cannot afford to be too cautious if they are to grow and seize new opportunities.
Of course, it’s also true that there are very real cyber threats out there, and companies do need to prepare themselves for an attack that could come seemingly out of nowhere. Smaller firms and those in the midst of scaling up are particularly vulnerable, as cyber criminals know they have fewer resources to defend themselves. The British Chamber of Commerce recently reported that 20% of SMEs had been hit by a cyber attack in the previous twelve months, while insurance firm Zurich found that one in 10 SMEs sustained a loss of more than £50,000 during the same time period.
Approaching security without FUD
While all firms need to invest in security as a standard, they need to ignore the idea perpetuated by FUD that everything is at risk and every breach will be the end of the world. Instead, organisations should focus on the most likely risks and how they can protect against them in the most practical way. The priority should be ensuring confidentiality, integrity and availability for their systems and data.
Tied to this is the idea of SPOF – single points of failure. These are the elements of a system that will cause the entire thing to go down if anything happens to them. Prioritising these areas by building redundancies and other preparations will give a firm the best chance of withstanding an attack and continuing to function.
Once critical systems are accounted for, organisations can build outwards to cover the most likely avenues of attack. Startups lacking in the resources of larger firms should explore the growing array of free and low-cost options geared specifically towards SMEs, which can enable them to protect themselves against common but hard-hitting threats like ransomware.
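The single-point-of-failure idea above is easier to act on once it is written down as a dependency model. The following is an added example, not code from the article or from Cybereason: it models a constructed startup topology in which each component lists requirement groups (a group is satisfied when any one of its alternatives is up, so redundancy is a group with more than one member), finds every component whose failure would take a critical service down, and then shows the list shrinking once a replica is added for the database. All component names and the topology are assumptions made up for the illustration.

```python
from typing import Dict, List, Optional, Set

# A component maps to its requirement groups.  A group is a list of
# alternatives and is satisfied when ANY alternative is available, so
# redundancy is expressed as a group with more than one member.
Topology = Dict[str, List[List[str]]]

# Constructed example topology (assumption, not taken from the article).
STARTUP: Topology = {
    "customer-app": [["api"]],
    "api":          [["auth"], ["db-primary"], ["cache-a", "cache-b"]],
    "auth":         [["db-primary"]],
    "db-primary":   [],
    "cache-a":      [],
    "cache-b":      [],
}
CRITICAL = {"customer-app"}   # the service the business cannot live without


def is_available(component: str, topo: Topology, failed: Set[str],
                 path: Optional[Set[str]] = None) -> bool:
    """True if `component` can serve, given the set of failed components."""
    if component in failed:
        return False
    path = set() if path is None else path
    if component in path:            # dependency cycle: treat as unavailable
        return False
    path = path | {component}
    for group in topo.get(component, []):
        if not any(is_available(alt, topo, failed, path) for alt in group):
            return False
    return True


def single_points_of_failure(topo: Topology, critical: Set[str]) -> Dict[str, List[str]]:
    """Map each component whose failure takes down a critical service (other
    than itself) to the sorted list of critical services it would take down."""
    result: Dict[str, List[str]] = {}
    for component in topo:
        impacted = sorted(c for c in critical
                          if c != component and not is_available(c, topo, {component}))
        if impacted:
            result[component] = impacted
    return result


def add_redundancy(topo: Topology, component: str, replica: str) -> Topology:
    """Return a copy of the topology in which `replica` (with the same
    dependencies as `component`) is accepted wherever `component` is required."""
    new_topo = {name: [list(g) for g in groups] for name, groups in topo.items()}
    new_topo[replica] = [list(g) for g in topo.get(component, [])]
    for groups in new_topo.values():
        for group in groups:
            if component in group and replica not in group:
                group.append(replica)
    return new_topo


def before_and_after():
    """SPOF map for the constructed topology before and after adding a DB replica."""
    before = single_points_of_failure(STARTUP, CRITICAL)
    hardened = add_redundancy(STARTUP, "db-primary", "db-replica")
    after = single_points_of_failure(hardened, CRITICAL)
    return before, after


if __name__ == "__main__":
    before, after = before_and_after()
    print("SPOFs before:", sorted(before))               # api, auth, db-primary
    print("SPOFs after adding db-replica:", sorted(after))  # api, auth
```

The caches never appear as single points of failure because the model already holds two of them, while the database does until a replica is added as an alternative; the remaining entries (the API and the auth service) are the next candidates for the redundancy work the paragraph above describes.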
Rather than getting caught up in FUD, security vendors and enterprises both should look to take a more positive approach. Just as the cloud is regarded as a tool for enabling growth, by granting more freedom and flexibility, cybersecurity should be seen as creating more opportunities for the business by protecting it while it grows and thrives.