How they never listen to the experts (cyber sustainability)

November 24, 2016

Sustainability in cyber-security may seem like a made-up notion, but it isn’t. We stumbled upon it in CSO Online’s article on how DDoS Dyn attacks could have been prevented. When putting things into perspective, cyber sustainability makes a lot of sense. Especially in cyber-security.

But let’s extrapolate.

Demo exploits and research papers – ignored

Probably not a day goes by without cyber-security experts releasing yet another report, demo exploit or prediction. Experts continuously warn technology users, of all shapes and sizes, about the latent threats and possible risks from various operations and devices. It’s their job.

In a somewhat ironic twist, the ones that pay attention to all these ongoing discovery activities and releases are hackers, or cyber-criminals. After they have put into practice such theoretical discoveries or their derivatives, the cyber-security authors have become increasingly discreet. Important conclusions come in carefully pre-plucked materials or are available only partially.

What is amazing is that the real beneficiaries of such activities, professionals and decision-makers inside important companies, seem to continue not to pay attention to what experts are saying. The older, detailed reports did not stimulate the much-needed effervescent results. The current, less technical and more advisory ones continue to receive the same attitude.

The current state of cyber-security

Where did the above-mentioned attitude take all those that have to work with cyber-incident-prone technology? The various 2016 data breaches, culminating with the IoT DDoS cyber-attacks, pointed out that things are not fit for the full-on deployment of ubiquitous connectivity.

There is a cyber-security skills shortage. Malicious entities up their game every time data protection solutions bask in the hope of infallibility. Take for example machine learning. There are currently many projects that explore the way it can strengthen cyber-defense. Yet, somewhere in their lairs, cyber-attackers are probably perfecting their own algorithms. AI versus AI, algorithm level. Are we about to witness this confrontation next? Can businesses afford to take the bystander position while waiting to see who wins?

Cyber-security needs an upgrade. There is talk of digital security replacing the current paradigm. There are more and more tools to choose from, tailored to companies’ needs. However, there are few guarantees, even with the most recent tools. Cyber insurance may cover the financial damages, but it is always better to not have been breached than to have subsidized data loss and lose clients.

What would cyber sustainability mean?

Joining the two notions might seem confusing. Nevertheless, specialists approached the integrated concept as early as 2013, perhaps even earlier.

An academic paper that tackled “Applying Lessons from the Green Movement to Managing Cyber Attacks” considered it all a matter of approach. In the author’s view, “organizations should treat cybersecurity as a matter of corporate social responsibility to safeguard their customers and the public”.

The same idea, although more materialized, appears in another 2013 piece. Clearly, companies are the active factors in making cyber-security sustainable. By acknowledging the large-scale effects of their insider strategies, organizations tailor comprehensive policies. They also include a careful approach that includes outside-the-company environment scenarios.

Who might be affected by a data breach that primarily affects a certain company? What are the post-event outcomes? What are the real damages and overall costs? Such preliminary questions might determine different, enforced cyber-security policies. In consequence, cyber sustainability could show its presence in a satisfactory way.

In short, cyber sustainability means having complete awareness of the new-generation connectivity and organizations’ interdependence, one that generates stronger defense strategies. Companies would invest a bit more in the critical field of cyber-defense. Nevertheless, this would pay off in the future, since this way each business contributes to reinforcing the common stronghold.

How upsetting might cyber sustainability be?

If correctly implemented, cyber sustainability would indeed upset cyber-malfeasants. Once weak entry points in a connected business system become scarce, the cyber attackers’ activities are hindered. Let’s remember the cases where malicious entities accessed bigger systems via one small partner company with low-level security. Or the repeated warning that believing that your business is of no interest to any cyber attackers is an extremely dangerous mindset.

Unfortunately, cyber sustainability might easily upset those who aim for maximal financial efficiency. As with other defense tools, it is hard to prove that the absence of incidents is actually the result of previous investments. In order to enhance cyber protection and go sustainable, companies would have to invest money in extra defense measures. The ROI would be hard to quantify. But isn’t risk management working precisely with this kind of equation?

It’s a matter of choice. Nevertheless, there might soon be a case of choice under pressure. When isolated as a company, deciding whether to take into account the cyber-security warnings might seem completely autonomous. But no company is isolated in this connected world. When more and more organizations go cyber sustainable, they would avoid partnerships with those who do not modernize their approach. The pressure is simple yet strong. All those who go to extra lengths to protect themselves, their customers and their partners are valued above those who don’t.