Are you sure your personal information hasn’t been leaked? One more question: Do you feel secure in that simply because the breaches that have been reported publicly didn’t apply to you?
The Canadian government is planning to make it mandatory for companies to report to authorities and affected individuals when personal data has been compromised; right now, most organizations can simply decide not to report a security breach. It’s a positive development, but the question remains whether this regulation will ultimately make businesses and/or end users care about printer security, Internet of Things (IoT) security, or data security.
Uproot user ignorance (easier said than done)
Canada isn’t the first jurisdiction to explore mandatory notification; the European Union is pretty big on mandatory disclosure of data breaches. The sad fact is that the economics of mandatory reporting don’t favour success, and that is reflected in IT security trends all over the EU. Let me simplify: audits don’t differentiate between concealment and ignorance when it comes to reporting breaches, so an organization that never looks hard for compromises has nothing it is obliged to report.
User ignorance of IT security issues has been an ongoing problem for some time, despite numerous previous regulatory regimes attempting to address it. Survey after survey shows that people care about their privacy but are doing less and less to protect themselves. A report from EMC found that 77 percent of consumers ranked it very important for companies to notify them of breaches, and 65 percent of those who didn’t cited an inability to stop fraud or identity theft as their top reason.
Compliance regulation doesn’t seem to make a significant difference in how most organizations approach security. The 2016 HIMSS Cybersecurity Survey found that IT security practitioners generally have a good understanding of their vulnerabilities, but aren’t confident in their abilities to prevent attacks.
Here’s a hot take: A survey of Chief Information Security Officers (CISOs) conducted by Bromium found that end users see security as a hurdle to innovation—and a roadblock for productivity. If your skin’s crawling a bit, we get it; this is basically the exact opposite of what we want our dream users to think about security.
But the facts are the facts, and this leads many organizations to view security investments as tossing time and money into a black hole: there’s no visible return on investment and no guarantee that the time or money spent will ultimately prevent the security event it was meant to stop.
While there are concrete steps that individuals and organizations can take towards bettering their IT security, there aren’t any magical solutions. Engaging in compliance efforts is generally a good way to establish a baseline. Compliance with regulatory regimes can’t guarantee IT security, but 80 percent of SANS survey respondents felt that becoming compliant helped them improve their risk posture.
Invest in self-healing endpoints
The most important thing that companies and individuals can do to address IT security is actually to stop looking for quick fixes to the problem. Consider, for example, printer security.
Preventing printers from accessing the internet used to be enough to keep your environment sound (at least as far as endpoints go). Today, the traditional security perimeter is gone. With IPv6, a device can receive a globally routable address, so there is no NAT boundary to hide behind, and printers have grown in capability, complexity, and attack surface. Proper printer security involves isolating the devices on their own network segment, strict firewall rules governing what can reach a printer and what a printer is allowed to reach, ongoing monitoring for malicious activity, and regular firmware updates, assuming the printer vendor issues updates in the first place.
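To make the isolation, firewalling and monitoring controls above concrete, here is an added example (not code from this article or from any printer vendor): a default-deny policy for a printer segment, applied to firewall flow records so that any flow the policy would not permit becomes a monitoring finding. The network layout, the addresses (RFC 5737 and RFC 3849 documentation ranges), the hypothetical vendor update host, the key=value log format and the sample records are all assumptions made for illustration; the same logic applies to IPv4 and IPv6 printers.

```python
"""Check firewall flow records against a printer-segmentation policy.

Added example; the layout, addresses, log format and rules are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed layout: printers sit on their own VLAN, with one IPv4 subnet and one
# globally routable IPv6 prefix (IPv6 gives the printer a public address).
PRINTER_NETS = [ipaddress.ip_network("10.20.30.0/24"),
                ipaddress.ip_network("2001:db8:1:30::/64")]
# Assumed "inside" ranges for the organization; anything else is the internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("2001:db8:1::/48")]
PRINT_SERVER = ipaddress.ip_address("10.0.1.10")   # only host allowed to print
DNS_SERVER = ipaddress.ip_address("10.0.1.53")     # internal resolver
UPDATE_HOST = ipaddress.ip_address("203.0.113.5")  # hypothetical vendor firmware host
PRINT_PORTS = {9100, 631, 515}                     # raw/JetDirect, IPP, LPD


def in_any(addr, nets):
    """True if addr falls inside one of nets (address families must match)."""
    return any(addr.version == net.version and addr in net for net in nets)


@dataclass(frozen=True)
class Flow:
    src: object
    dst: object
    dport: int
    proto: str


def parse_flow(line):
    """Parse an assumed key=value flow record such as
    'src=10.0.1.10 dst=10.20.30.7 dport=9100 proto=tcp'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]),
                int(fields["dport"]), fields["proto"].lower())


def evaluate(flow):
    """Return 'allow' or 'deny: <reason>' for one flow.

    Default-deny policy for the printer segment:
      * only the print server may connect to a printer, and only on print ports;
      * printers may never talk to each other (no lateral movement);
      * a printer may initiate only DNS to the resolver and HTTPS to the update host.
    """
    src_printer = in_any(flow.src, PRINTER_NETS)
    dst_printer = in_any(flow.dst, PRINTER_NETS)
    if not (src_printer or dst_printer):
        return "allow"  # outside the scope of this policy
    if src_printer and dst_printer:
        return "deny: printer-to-printer lateral traffic"
    if dst_printer:
        if flow.src == PRINT_SERVER and flow.proto == "tcp" and flow.dport in PRINT_PORTS:
            return "allow"
        return "deny: inbound to printer not from print server on a print port"
    # Printer-initiated traffic from here on.
    if flow.dst == DNS_SERVER and flow.dport == 53:
        return "allow"
    if flow.dst == UPDATE_HOST and flow.proto == "tcp" and flow.dport == 443:
        return "allow"
    if in_any(flow.dst, INTERNAL_NETS):
        return "deny: printer reaching internal host outside allowlist"
    return "deny: printer initiating a connection to the internet"


def audit(lines):
    """Return (record, verdict) for every flow the policy denies. A non-empty
    result is the monitoring signal that a printer is misused or compromised."""
    findings = []
    for line in lines:
        verdict = evaluate(parse_flow(line))
        if verdict != "allow":
            findings.append((line, verdict))
    return findings


# Constructed sample flow records (not real logs).
SAMPLE_LOG = [
    "src=10.0.1.10 dst=10.20.30.7 dport=9100 proto=tcp",             # print job
    "src=10.20.30.7 dst=10.0.1.53 dport=53 proto=udp",               # DNS lookup
    "src=10.20.30.7 dst=203.0.113.5 dport=443 proto=tcp",            # firmware check
    "src=10.0.5.44 dst=10.20.30.7 dport=80 proto=tcp",               # workstation to printer web UI
    "src=10.20.30.7 dst=10.20.30.8 dport=445 proto=tcp",             # printer-to-printer SMB
    "src=10.20.30.7 dst=10.0.1.20 dport=445 proto=tcp",              # printer to file server
    "src=2001:db8:1:30::a dst=2001:db8:ffff::1 dport=443 proto=tcp",  # IPv6 printer to outside
]

if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:<62} {record}")
```

The rule set is the same one you would express on the firewall between the printer VLAN and the rest of the network; running it over exported flow records is the cheap monitoring layer that tells you when a printer starts doing something the firewall should never have let through, or when the firewall itself was misconfigured.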
Defending a single modern printer today requires more digital security knowledge than defending an entire network did at the turn of the millennium. This is knowledge most organizations don’t have, let alone end users. Fortunately, this is knowledge that can be gained:
- Keep investing in prevention, but accept that breaches are inevitable. Traditional preventative IT security tools like firewalls and anti-malware solutions won’t stop every compromise. They’re useful for reducing how often you get compromised, but they’re not enough on their own.
- Build a security program that focuses on detection, mitigation, and automated incident response, one that treats user mistakes as a fact of life and assumes that vendors won’t patch everything on time, every time.
- Invest in endpoints, multifunction printers included, that can self-heal, so that getting back up after a breach, big or small, is part of the design rather than an afterthought.
Until the day comes where vendors invest in more secure devices across the board and governments buy into digital security education, risk minimization is the name of the game. Augmenting IT security prevention tools with a focus on detection, mitigation, and automation of incident response will help organizations keep security threats at bay. Now you can focus on getting back up when breaches inevitably do happen.