Why Should You Bother with Information Security? Isn’t Everything Hackable Anyway?

With the ever-increasing flow of large-scale hacks, many seem resigned to the fact that its only a matter of time before they get hit too. Security and its challenges have fully penetrated mainstream thought. Everyone knows that the CIA, the FBI, Russia, and even the hacker next door can break into your computer or phone, hijack your router, intercept your traffic, and take over your life.

In response, there has been a huge cry for better training, more secure software, secure email and secure texting. Basically, security everywhere. But if the hackers and agencies are really this powerful, why should you bother?

Are security services and products worth anything these days? Do they actually provide any protection? Or are they the emperor’s new bullet-proof-vest? It is surprising how many people have come to accept a complete lack of security. Some seem to use this as an excuse to avoid technologies that could benefit both their personal and business lives.

A great example comes from a dentist who was interested in sending notices to his patients via text, but resigned himself to “not bothering” as there is “no way to secure these things, anyway.” While that may be true in an absolute sense, it is not true practically.

In this article we will examine the reasons why we should bother with security and how it can help us in our personal and business lives.

Why Should You Bother Locking Your House?

Lets start the discussion with an example we are all familiar with, our homes. No matter how much we secure them, if a group has enough resources and motivation, they will be able to break in and steal anything they want. Why should we bother to lock our doors at all?

The answer to this question is simple: Locking your doors is a great way to keep out crimes of opportunity, such as if a criminal walks past and notices that the door isn’t secured. Many thieves wouldn’t bother if the doors were locked, because it would be more difficult to break in and there would be a greater risk of getting caught.

Most people lock their doors if they think there might be any risks from strangers. Should you bother to put in an alarm system as well? How much money and effort should you invest in the security of your home? How far should you go?

You could:

1. Lock your doors
2. Lock your windows
3. Put deadbolt locks on your doors
4. Put bars on your windows
5. Install a simple alarm system
6. Install an alarm system that alerts the police
7. Install an alarm system with a battery backup and a cellphone connection so it can alert the police even if your phone lines are cut
8. Get an attack dog (or several)
9. Install security cameras with on-site and off-site video recording
10. Install hidden safes and/or rooms in your home
11. Hire a 24/7 armed security guard
12. Put up a perimeter fence
13. Hire multiple guards
14. Put in real-time monitored security cameras and add satellite surveillance
15. Design the premises without ground-level windows and with multiple reinforced doors, guards and biometric access

Obviously, this list could go on and on until your house turns into an expensive military outpost. But even a military outpost can be broken into by force or by subterfuge – we’ve all watched enough movies to imagine many interesting scenarios!

One of the biggest questions is where do you stop? It all depends on what you are afraid of and what you are protecting. If you only fear common criminals, then maybe you would stop somewhere between levels 2 and 8. If you are rich and have expensive artwork, information, or other valuable items in your house, then maybe you go up to somewhere between 9 and 12. If you are afraid of a domestic or international government crashing through your doors and hauling you or your valuables away, then maybe you should go even further – up through 15 and beyond!

So, should you bother locking you house? It all depends on what have to protect and who you are protecting it from.

How Does This Apply to Internet Security?

“Should I lock my house?” is essentially the same as “Should I bother to with information security?” If you don’t bother, then the opportunity is there for anyone to take your information with impunity and near-zero risk of being caught. If you feel like you have nothing to hide and you could post everything on Facebook, then maybe you don’t need encryption. But would you mind if someone impersonated you on Facebook? Encryption could help to prevent that as well.

Just like the home example from above, a certain base-level of security will stop the majority of opportunistic threats on the internet. This basic-level of personal security includes:

1. Using passwords that are strong and that can’t be guessed
2. Using a different password for your computer, your phone, and each website or application that you interact with
3. Using firewalls on your computers and networks
4. Using antivirus on your computers
5. Using full-disk encryption on your phones, tablets, laptops, and computers
6. Ensuring that your phones, tablets, and computers are always updated with the latest versions of their operating systems and applications
7. Being vigilant online: look out for phishing schemes, malicious email links, pop-ups, website threats and illegitimate downloads
8. Do not open email attachments that you are not expecting.
9. Perform regular backups (ransomware is a growing threat)

Doing these things will not make you 100% safe, but they will provide you with a basic layer of protection that makes you a much harder target than the majority of internet users. It’s like locking your doors at night while the neighbors leave theirs wide open. If you were a thief, who would you target?

Business Security Needs

Online threats are particularly challenging for businesses. While many of the threats are similar, businesses tend to have much more complex systems, as well as more valuable data. This can make them a large target for cybercriminals.

Just like a bank might have bullet-proof-glass, time-delayed safes and other security measures that most would never bother with in their homes, many businesses will find that they need to implement more significant cybersecurity measures than a personal user would need to.

The needs will depend on the type of business and its scale, but it could involve the measures listed above for personal use, as well as:

1. Having a detailed understanding of the risks to your sensitive data
2. Establishing a comprehensive security policy
3. Using access management software
4. Having strong authentication processes
5. Staff training against security threats
6. Employing experienced security engineers
7. Monitoring your network
8. Keeping your data encrypted at rest and in transit
9. Establishing a firm Bring Your Own Device (BYOD) policy for mobile device use
10. Having an incident response strategy in place
11. Taking out a cyber-insurance policy

If you take the appropriate measures, you make your business’s online security more like a bank. In the same way that these days there are relatively few bank robberies–criminals tend to go for easier targets such as fast food and convenience stores–there are far fewer breaches of businesses that take their online security seriously. All things being equal, hackers will always go for the low-hanging fruit – those that don’t have bullet-proof glass or a time-delay safe.

Taking Care of Compliance

When something bad happens over and over again, governments tend to step in and enforce regulations in an attempt to put an end to it. Online security is no different, and over the years, governments have introduced more and more rules in an attempt to stem the breaches, identity thefts and other cybercrime activities.

If we go back to our first analogy about security for the home, regulation is a lot like forcing people to install deadbolts or put in an alarm, leading to a lower number of burglaries. Becoming compliant with regulations can be a complex burden for businesses to manage, but it also enforces a minimum standard that helps to reduce the total number of incidents. Not only will becoming compliant prevent your business from government penalties, but it can also help to reduce the risks your business faces.

Are Your Services Secure?

Software as a service (SaaS), where you use the services hosted on remote computers located “in the cloud,” has been booming in recent years, partly because it helps business with scaling and flexibility. While there can be a number of benefits to using SaaS and apps, they can also impact your risk profile.

If you are using third-party tools, you need to be aware of how they fit in to your overall security plan. In many cases, SaaS can help to boost your security, but only if you use it properly. Services such as Amazon Web Services (AWS) take care of significant aspects of security, such as infrastructure and the cloud itself.

While using SaaS services, such as email, can really take a load off the shoulders’ of businesses, if they overlook their own responsibilities within the cloud – such as encrypting data and establishing meaningful access management policies – they could be exposing themselves to serious risks.

Who Are You Afraid of?

One of the most critical parts of online security is understanding your threat level. If you are just some guy with $4 in his bank and a Facebook account, then perhaps you aren’t as big of a target as a multinational business that holds the healthcare data of millions of people.

Once you understand the risks that you face and how big of a target you are, you can begin to evaluate which security measures will be necessary. If you lived in a house without much to steal, you wouldn’t bother with satellite surveillance and guards. In the same way, it wouldn’t make any sense for the guy with $4 to employee engineers to monitor his social media accounts 24/7 for hacks.

If you had a couple of Picassos and a garage full of classic cars, you would definitely want to up your level of protection, just as a business that has millions of credit cards on file would want a comprehensive security plan in place. This is because the cost of the security measures is justified by how big of a target they are and how much there is to lose.

Everything is hackable.  Not not everyone can hack everything.  Are you concerned about threats from those with the greatest resources and ability, nation states and large professional hacking organizations?  If so, then you really need to be very careful.  If not, then everything is not hackable … and prudent use of security tools, policies, and measures can go very far in protecting your organization.  In fact it is this eyes-wide-open stance where you know your risks and you take proactive, meaningful measures to mitigate them that compliance, especially HIPAA compliance, is all about.  Your legal, financial and public relations exposure in the event of an actual incident goes down as your proactive security stance goes up.

In the end, you can never be 100% secure anywhere, whether it is online or in your home. This doesn’t mean that we should give up or become despondent, just because an unlikely event might strike us. Instead, we should focus on implementing the appropriate safety measures that significantly reduce our risks of harm. This is what cybersecurity is all about – investing a little bit to reduce the chance and severity of threats, all to save you money in the long run.