Cybersecurity: Is good enough really good enough?
Cybersecurity has always been an important part of our everyday lives, whether it’s for businesses or individuals. Bad cybersecurity practice leads to a higher risk of catastrophic events.
So, what would be considered good enough cybersecurity practice? Would installing cybersecurity software be enough? Or hiring a dedicated IT team? Or do we all need to write out cybersecurity requirements for a business and comply with them? Even if we meet well-written cybersecurity requirements, standards, or certificates, is that enough?
The IT industry is growing fast, and so are the hackers’ approaches
With this considered, it is clear that installing cybersecurity software but not updating it frequently would already put your IT system at risk. And although qualifying for a cybersecurity certificate reduces the risk, thinking that this is enough may pave the way for hackers to try their luck at your system. The requirements for qualifying for certain cybersecurity standards are relatively easy for the public to obtain. And if a business isn’t doing more than obtaining certain cybersecurity certificates, the hackers know exactly what you’ve done to be cyber-threat proof, and therefore what you haven’t done!
Furthermore, any certificate has its requirements laid out and then left without major updates for some years. That is certainly slower than the pace at which motivated hackers learn and improve their approaches.
So, it is worth thinking more about how to achieve better than just good enough cybersecurity practice!
New tech is much more likely to be scrutinized under cybersecurity lenses than old tech. But old tech isn’t necessarily harder to break!
I have heard more times than I can count how people question the security of storing data on a cloud platform of major IT companies. But I haven’t seen the same public scrutiny on storing the same sensitive information on USB drives, CDs/DVDs, and in Excel or Word files. The approaches we don’t scrutinize are approaches that have been around for much longer. And they just about never need even a password to open and view all the information. Cloud computing asks for passwords and provides end-to-end data encryption and storage location backups.
Do you want to guess which approaches will easily fly under the radar and pass cybersecurity requirements written 2 or 5 years ago? Or even protocols written more recently than that?
I still see major companies’ tender documents stating a user manual in CD/DVD format as a requirement.
How about other loopholes?
Here’s a fun and classic example: A company opens a tender process to procure a new system to implement. For this example’s sake, let’s say a system that measures weather conditions in remote areas. A provider specialized in data communication systems for remote areas goes around the market, takes in various weather sensors, feeds their data to its communication system, and submits an application to the customer’s tender.
The data communication supplier may have all the cybersecurity certificates for their data communication systems in place, but the additional equipment (sensors and their own data platforms) from different suppliers may not qualify for cybersecurity certificates. This creates cybersecurity weak links. In this case, when the customer asks for cybersecurity certifications, they find proposals that tick the requirements on paper but still end up putting their system and data at higher risk.
So, are we totally doomed, since nothing seems good enough for cybersecurity anyway?
Instead of thinking that way, it is better to think about how to continuously minimize cyber threats. Because what works today probably won’t be great in a year!
Implementing cybersecurity software, having a dedicated IT team, and cybersecurity certificates are all important and essential. But beyond that, subscription-based contracts from suppliers who continuously update their cybersecurity procedures can make sure you don’t end up with products with outdated cyber defense mechanisms. It is also important that not just your main or tier 1 suppliers, but also their subsequent chain of equipment suppliers, have proper up-to-date cybersecurity procedures.