For a sentient species, humans, in general, have curious ideas when it comes to reckoning with and responding to risk. For example, studies show that using seat belts when driving in automobiles saves lives. Studies also show that when cyclists use helmets, more cyclists’ lives are saved. This research drives prolific seat belt and helmet use among auto users and cyclists, respectively. An Australian study went on to reveal that a mandatory helmet law for automobile drivers and passengers has the potential to save people from death by head injury at a rate 17 times higher than a helmet law for cyclists. Yet even with this data in hand, unless you are a pro racer you very likely do not wear a helmet in automobiles. It is odd that we vigorously mitigate one risk and effectively ignore another that has the potential to bring an identical consequence. There are plenty of examples like this, and cybersecurity is not immune to this phenomenon. In too many instances, organizational leadership expects security teams to engage in “checking off boxes” using traditional efforts, leading to a false sense of security. How much of what your organization does actually protects your applications and data, and how much of it is “cybersecurity theater”?
In this post, we’ll identify five areas where you may think you are delivering cybersecurity but in reality, your efforts may be wholly insufficient.
1. Cloud security. You’d be remiss if you didn’t ask your cloud-native service provider “what about security?” What do you think when your vendor says, “we guarantee a secure architecture”? If your next thought isn’t “what about my data?” then you are performing “cybersecurity theater”, because data security is your responsibility. Cloud architectures are secure because they were purpose-built to be so. The risks start to pick up momentum when organizations move workloads to the cloud quickly and lose track of where their sensitive data resides. You need a good data catalog, and you need to know where copies are, where snapshots may be, etc. You must have access control policies around sensitive data. You must have audit trails, the ability to run data through forensics if needed, the ability to validate what entitlements are and reduce them, and the ability to check for vulnerabilities from a surface area perspective. These aren’t new practices; what’s new are the cloud environments.
2. Perimeter security. My colleague Elad Erez wrote that, after studying 27,000 on-premises databases, Imperva Research Labs determined that one out of every two on-premises databases globally has at least one vulnerability. This research proves that the way data is being secured today simply isn’t working. For years, organizations have prioritized and invested in perimeter and endpoint security tools, assuming the protection of the systems or network around the data would be enough. However, that approach is not working, as this is an expansive and global problem. Organizations need to rethink the way they secure data and ensure that their strategy genuinely protects the data itself.
3. Data privacy. Until recently, organizations regarded data privacy as a compliance issue; a box to be checked for auditors. Traditional data logging and monitoring covered a very small part of an organization’s data estate and left most sensitive data exposed to insider and outsider threats. Virtually all organizations whose sensitive data has been stolen were in compliance, yet 54% of companies have reported not knowing where their sensitive data is stored. Organizations today must take a data-centric approach to protect the sensitive data they manage. There is a long way to go. Recent data collected by the Cloud Security Alliance reveals only eight percent of enterprises have a fully implemented privacy-by-design strategy with nearly two-thirds currently in the building or planning stages.
4. API security. An Application Programming Interface (API) is a software intermediary that enables applications to communicate with one another. A recent SlashData survey showed that by the end of 2020, nearly 90% of developers were using APIs. As developers continue to rely more on microservices and open source tools to accelerate digital transformation, APIs have become the main drivers of digital business innovation, and organizations must have a reliable system to protect them. While web application firewalls and DDoS protection are essential to an overall cybersecurity posture, they are not enough to stop cybercriminals who are leveraging developers’ reliance on APIs and deliberately seeking out new attack vectors and exploits. Organizations must safeguard on-premises and multi-cloud applications by blocking critical API security attacks, providing a positive security model built from OpenAPI specifications, integrating security into API lifecycle management, and delivering a unified solution for website and API security.
5. Employees’ security awareness. PwC reported that 30 percent of companies say their own employees are their greatest source of security risks. The reasons provided for this are poor training, poor security policies, and poor communication of policies. Simply put, if your approach to employees’ security awareness is little more than a static set of guidelines included in a handbook that you hope people read, you are performing cybersecurity theater. CSO Online reported that 94% of malware is delivered by email and that phishing attacks account for more than 80% of reported security incidents. More than a quarter of US employees admit to having problems identifying a phishing email. Security teams must provide continuing education on best practices as threat vectors change, and exercises like simulated phishing attacks are essential elements of this effort.
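Item 4's "positive security model built from OpenAPI specifications" means the spec is the allowlist and everything it does not declare is refused. The sketch below is an added example, not code from this post or from any Imperva product; the `/accounts/{id}` API, its fields, and the function names are hypothetical, and only string schemas with `enum` and `pattern` are handled.

```python
import re

# Constructed OpenAPI 3 fragment for a hypothetical accounts API (not from the post).
ID = {"name": "id", "in": "path", "schema": {"type": "string", "pattern": r"^\d{1,10}$"}}
SPEC = {"paths": {"/accounts/{id}": {
    "get": {"parameters": [ID, {"name": "fields", "in": "query",
                                "schema": {"type": "string", "enum": ["name", "email"]}}]},
    "patch": {"parameters": [ID], "requestBody": {"content": {"application/json": {"schema": {
        "type": "object", "required": ["email"], "additionalProperties": False,
        "properties": {"email": {"type": "string", "pattern": r"^[^@\s]+@[^@\s]+$"}}}}}}},
}}}

def value_ok(value, schema):
    """Check a string against enum/pattern; fullmatch because Python's `$` alone accepts "1\\n"."""
    if not isinstance(value, str) or ("enum" in schema and value not in schema["enum"]):
        return False
    return "pattern" not in schema or re.fullmatch(schema["pattern"], value) is not None

def match_path(template, path):
    """Return {param: value} if the path fits the template, else None."""
    t, p = template.strip("/").split("/"), path.strip("/").split("/")
    if len(t) != len(p) or any(a != b for a, b in zip(t, p) if not a.startswith("{")):
        return None
    return {a[1:-1]: b for a, b in zip(t, p) if a.startswith("{")}

def check_request(method, path, query=None, body=None, spec=SPEC):
    """Positive model: allow only what the spec declares; return (allowed, reason)."""
    for template, ops in spec["paths"].items():
        path_params = match_path(template, path)
        if path_params is None:
            continue
        op = ops.get(method.lower())
        if op is None:
            return False, "method not declared for path"
        declared = {(p["in"], p["name"]): p["schema"] for p in op.get("parameters", [])}
        supplied = {("path", k): v for k, v in path_params.items()}
        supplied.update({("query", k): v for k, v in (query or {}).items()})
        for key, value in supplied.items():
            if key not in declared or not value_ok(value, declared[key]):
                return False, f"rejected {key[0]} parameter {key[1]}"
        schema = op.get("requestBody", {}).get("content", {}).get("application/json", {}).get("schema")
        if schema is None:  # operation takes no body, so any body is refused
            return (body is None), "ok" if body is None else "body not declared"
        if not isinstance(body, dict) or set(schema.get("required", [])) - set(body):
            return False, "body missing required field"
        for name, value in body.items():
            prop = schema["properties"].get(name)
            if prop is None or not value_ok(value, prop):  # undeclared property: refuse
                return False, f"rejected body property {name}"
        return True, "ok"
    return False, "path not declared"
```

The undeclared-property branch is what refuses a `PATCH` that adds a field such as `role` alongside `email`, a case signature-based filtering has no rule for.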
Returning to the seat belt and helmet analogy, there are many reasons people don’t wear helmets in the car. As a society, for whatever reasons, we are willing to reckon with the additional risk. Cybersecurity professionals don’t share that luxury when it comes to managing other people’s sensitive data. As the threat landscape grows and the stakes of failure increase, executive teams and the public have lost patience with “cybersecurity theater.” It is time to do better.