Security seems to be the one area where each year we spend more money than we did the previous year to stay one step ahead of the threat. Yet every year there seem to be more, and more significant, security breaches!

So we ask for more money again, and the cycle repeats like a bad case of déjà vu. Or is it just a “glitch in the Matrix”?

As with many things in life, it is not enough to know the rules; you need to understand how to play the game if you are to be successful. A famous quote from Bill Shankly sums it up entirely: “The trouble with referees is that they know the rules, but they do not know the game.” So what does this have to do with security?

There are a lot of organisations that believe that compliance equals security. This couldn’t be further from the truth, and before I get flamed about this statement, let me clarify why. Compliance is a point-in-time assertion against a “specific set of security requirements”. Standards from organisations such as NIST and ISO are an excellent starting point, and many of them have become a benchmark for industry best practice. So if these are best practices, why does compliance with them not equal security? The main reason is the depth of the rules. They aren’t prescriptive enough, nor can they be, given the rapid rate of change in technology and in the types of attacks. To close this argument out, look at some of the most significant security breaches of the last few years: the organisations involved had all been certified to one standard or another.

In recent months, Covid-19 has brought massive changes to how we live and work, and with them an enormous uptake in cybercrime such as:

  • Malicious Domains - The interest in Covid-19 has spawned a mass uptake in domain names that contain “coronavirus”, “covid19” etc. While some are legitimate, cybercriminals are creating thousands of new sites to carry out spam campaigns and phishing or to spread malware.

  • Malware - Widespread global communications related to the coronavirus are being used to mask criminal activities. Malware, spyware and Trojans have been found embedded in interactive coronavirus maps and websites. Spam emails are also tricking users into clicking on links that download malware to their computers or mobile devices.

  • Ransomware - Attacks against hospitals and other agencies on the frontline of the pandemic, which are more likely to pay because they can’t afford to be offline.

There are several correlations between physical security and cybersecurity. Having spent several years in the military, I remember we had the terms “soft targets” and “hard targets”. Cybercriminals, however determined, are also opportunists seeking out easy victims. They are looking for “soft targets” who are:

  • Accessible - If you’re easily accessible, your odds of being a victim increase.

  • Predictable - If you do the same thing and respond the same way to all types of events, you make the attacker’s job simple.

  • Complacent - A soft target is unaware of their surroundings, not vigilant to potential threats and not assertive about self-protection.

Remember, it is not enough to know the rules; you need to play the game, and with cybersecurity that means striving to be a “hard target” that is:

  • Inaccessible - You keep the attack surface as small as possible.

  • Unpredictable - You don’t offer patterns or routines that an attacker can use.

  • Vigilant - You monitor your environment and take active steps to protect yourself. In short, you make it evident that you are paying attention and respond accordingly.

If you have finished reading this and think, “I don’t have any data worth stealing”, then think again. Among the most sought-after and most profitable items on the black market are social media credentials, IDs, passports, utility bills etc. So what makes these so valuable? The more a threat actor understands a person’s life and behaviour, the easier it is to impersonate them. This opens up a multitude of other attack vectors such as phishing or, worse, identity theft and fraud.

“The five most efficient cyber defenders are: Anticipation, Education, Detection, Reaction and Resilience. Do remember: ‘Cybersecurity is much more than an IT topic.’” - Stephane Nappo.