We cyber security types are a dour bunch. Can you blame us? Like a doctor who knows that each day will bring more patients, some of them beyond anyone’s skills to fix, we march glumly on, telling people not to use ‘123456’ or ‘password’ as their password whilst knowing full well both will still top the popularity list at the end of the year, as they do every year.
What can you learn from the cyber security mindset? Well, they do say that pessimists outlive optimists, so perhaps the same is true for businesses—those that take a more pessimistic outlook survive in a cut-throat world where more optimistic ones fall.
A common piece of advice is that one should ‘hope for the best, but plan for the worst’ (occasionally with the third proposal that one should ‘expect to be surprised’). In few places is this as true as in cyber security. Yes, you could continue to use ‘123456’ for all of your passwords, and run entirely outdated software, and just hope that nobody every decides to attack your Internet-facing services. In a best-case scenario, you will be just fine, and you will be able to be very smug about being able to spend all the money you have just saved on fast cars and caviar.
In a worst-case scenario, though, you arrive to the office one day to find that you no longer have a job, or a company, or even any money. Before you can even catch your bearings, the bailiffs are knocking for your cars and caviar.
This ‘prepare for the rainiest day’ mentality affects all aspects of cyber security. The job of a defender is exponentially harder than that of an attacker—the former must block every way into their castle, whilst the attacker only needs to find one. Yes, you could use a piece of software with known vulnerabilities, but why give an attacker a nice, enticing open gate into your network?
Let’s say you’re pretty certain that you’ve blocked every way in. To stop there is to fail to plan for the worst, which is obviously that you have missed something—perhaps a vulnerability that an attacker has discovered, but that hasn’t been made public yet. You do not want your security posture to be such that an attacker who breaches a gate (despite your best efforts) has free reign to cause whatever mayhem they want inside. You need defence-in-depth, with mechanisms to stop or stall an attack, to repel it from within and to record it for later investigation.
With everything you introduce, the worst-case scenario is that it fails. Following this chain of reasoning indefinitely, however, is obviously impossible. Eventually, you will be spending inordinate amounts of time, money and effort for ever-diminishing returns. Different companies will have different risk appetites, and that is a topic for a whole other article, but once you’ve had your fill just remember—for everything else, there’s insurance.