The cybersecurity poverty line is a term that can help companies understand security gaps and build better awareness. Learn more about it and how it applies to your organization.
As a system administrator, cybersecurity has been especially prominent on my mind for the past year as my organization has exclusively engaged in remote work. I’m actually seriously considering a career transition into this field and speaking more with cybersecurity experts about it to familiarize myself with related terms.
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
One interesting concept that has come up as of late is the “cybersecurity poverty line,” and I reached out to a couple of insiders to discuss it: John Hammond, senior security researcher at Huntress, a cybersecurity provider; and Sivan Tehila, cybersecurity strategist at Perimeter 81, a cloud and network security provider.
Scott Matteson: What is the cybersecurity poverty line?
John Hammond: The cybersecurity poverty line is the umbrella term for teams that need to level up and enhance their security posture. It can also be referred to as a threshold for what’s considered the lowest line of defense.
Sivan Tehila: The cybersecurity poverty line signifies the fact that companies and CISOs have much less control and visibility into their networks and user activity. This is one of the main issues and reasons for the devastating breaches we are seeing today. This poverty line highlights the need for CISOs to invest more into training and awareness programs that specifically address our new remote work reality. For example, training company employees on new and emerging phishing tactics, what to look for, or how to verify illegitimate messages and communications, is the responsibility of the CISO and can help significantly raise cybersecurity awareness and education.
Scott Matteson: Where are the strengths and weaknesses of education and awareness to combat cyber threats and security risks?
SEE: Security incident response policy (TechRepublic Premium)
John Hammond: As cliche as it sounds, the strengths of education and awareness to combat cyber threats and security risks are that it’s the best option we have to prevent attacks and breaches. A major weakness in this approach is that it’s hard to prioritize your time in doing it. Since most IT and security practitioners are usually tapped with many other priorities, oftentimes education and awareness can fall to the wayside.
Sivan Tehila: Cybersecurity education and awareness programs can help keep cybersecurity best practices top of mind for employees and consistently help to remind people what to look out for. However, no program is 100% foolproof because we are human. Even when employees have received hands-on education, they will sometimes make mistakes. Phishing attacks are particularly difficult to prevent for this very reason.
Scott Matteson: What should IT departments be doing to address this?
John Hammond: We tend to parallel this to a real-world example, as odd as it sounds, but consider the world’s fisheries. There are only so many fish in the sea. In an effort to preserve this market, we designate “no-fishing zones,” or protected marine areas, where, temporarily, no fishing is allowed so that the population can grow and recover. While one area is preserved and it cannot have resources extracted, the other areas can be put to use. Modern IT departments should follow this same practice: While one team of workers should be temporarily set aside to train, research, educate themselves and improve personnel security, the other teams can continue to perform business operations. As needed, these groups can rotate so the strength of the team can continue to grow, while the company can still function as it needs to.
Sivan Tehila: IT departments need to consider three main principles: people, processes and technology. It’s not just about educating people, but also about establishing the right processes and then supporting these processes with the relevant security technology.
Scott Matteson: How can vendors step in and assist?
John Hammond: The onus is on the industry to jump in and share as much information as possible. Vendors typically have the resources and bandwidth to conduct more thorough and sophisticated research, and it’s critical to share with the larger community so that we can work together to better defend against attackers. We know that attackers are collaborating and sharing threat intel, so the industry should, too.
Sivan Tehila: Vendors can assist by creating technologies that are user-friendly, intuitive and easy for end-users to incorporate in their day-to-day. An unused security tool offers no value. Vendors can also help by working hand-in-hand with their customers to establish smooth onboardings and implementations, ensuring the best cybersecurity posture possible in a quicker timeline.
Scott Matteson: How can the security community overall assist?
John Hammond: Keep sharing. It really takes a village to make progress. It’s important for the community to share what they find, indicators of compromise, threat intel, etc., so that others can learn from the greater group.
Sivan Tehila: CISOs often talk about sharing knowledge and experience, but in truth, this industry could benefit from more transparency. There are so many organizations and security teams navigating similar issues or utilizing the same software, the broader security community would benefit greatly from better information and knowledge sharing.
SEE: How scalper bots profit by buying and reselling Sony PS5 and Xbox consoles (TechRepublic)
The US-CERT is an excellent example of this type of ideal knowledge sharing as they aggregate information from many different companies and industries in order to provide a holistic view of recent and relevant vulnerabilities in different security solutions.
The SolarWinds hack, for example, was certainly not a problem that was isolated to the vendor itself, and we are seeing the fallout in real-time. It affected many other companies and to this day, it’s not clear what the outcomes will be. This is definitely a broader community issue, and as a community, we can learn a great deal from what occurred.
Scott Matteson: What advice do you recommend for IT departments in 2021?
John Hammond: Be aware and get ahead. Whether it’s monitoring your own network, staying up to date on the latest peer/industry research or continuing to up-skill your role, all of these will help security practitioners gain greater awareness of the latest threats out there and arm them with the tools to get ahead of them.
Sivan Tehila: We are living in a new, remote work reality. IT departments should seek out unified solutions that offer adequate control, visibility, and security management for non-traditional work environments. It’s also important for IT to adopt seamless, user-centric solutions that are not too complicated for the end-users to grasp and provide full monitoring and visibility in order to identify any anomalies or suspicious activity.
Scott Matteson: Any advice for end users or C-level execs for 2021?
John Hammond: Don’t neglect your security training. If we want our teams to be aware and get ahead, we need to arm our teams with the right security training and awareness education. Because every single endpoint, credential and device is an entry point for attackers, individuals need and have to be their own line of defense. If everyone becomes a little more skeptical of their inbox, takes an extra minute to follow best practices or listens a little more during training, it can make a huge impact. Teams have to be proactive and not just assume the IT department has it covered. Leadership needs to put words into action, too. No longer can executives only be concerned about security health until something goes down. As we continue to see, being proactive about the health of your security can significantly save both a reputation and financial stability. Security is a long-game—you might put in a lot of time and energy into training and tuning, but the outcome far outweighs the alternative approach.
Sivan Tehila: Security should be a part of every employee’s routine. It’s often the small things that can make the biggest impact. Security measures like multi-factor authentication and single sign-on are easy to explain to the end-user and don’t require as much from them. The same goes for selecting remote access or VPN alternative solutions—find tools that integrate the basic security standards in a seamless way.