Avoiding Cybersecurity Placebos in Your Business

By John Newcomb, June 24, 2020

When it comes to your business, especially its technology, some of the buzzwords you hear sound pretty convincing. Unfortunately, like most buzzwords, many are aggrandized beyond their worth to the average small-to-medium-sized business. Let’s look at how these word placebos can impact a business’ perception of its cybersecurity, as well as examine the reality behind these terms.

We start by examining a phrase—“security theater”—coined in the early 2000s by cybersecurity technologist Bruce Schneier.

What is “Security Theater?”

Security theater is shorthand for any security effort that does little beyond conveying a misplaced sense of peace of mind, generally at considerable cost. The rationale behind the term is that security exists both as a reality grounded in science and as a perception based on emotion.

In a 2007 blog article, Schneier cited a personal anecdote describing a hospital maternity ward fitting an RFID tag to a friend’s newborn. The idea was to deter infant abduction. However, infant abduction rates are astoundingly low. In his post, Schneier posits that these bracelets were a form of security theater, meant more to appease parents than to help prevent the rare event of infant abduction.

While security theater may have perceived benefits, Schneier says, real concerns come with its associated costs.

Let’s return to his account of tracking tags on newborns. Since infant abduction is extremely rare, there’s hardly any risk of a kidnapper abducting a child from a hospital. However, as low-cost RFID bracelets comforted parents when their baby wasn’t with them, hospitals found this investment to be worthwhile.

Another example Schneier cites is the introduction of tamper-resistant packaging on over-the-counter drugs in the 1980s. With lurid press coverage of ongoing Tylenol poisonings, tamper-resistant packaging allayed consumers’ concerns.

It did not matter that the statistical likelihood of encountering an adulterated drug was negligible, or that tamper-resistant packaging is largely ineffective. The theater of tamper-resistant packaging aligned the perceived threat with the practical odds of poisoning.

The Trade-Offs

However, security theater becomes detrimental when security investment (real or perceived) generates negative returns—in short, when your security measures make you less secure.

A glaring example of security theater occurred in 2013 when cybercriminals hacked Target. The retailer’s security team failed to recognize that their “failsafe” protocols were inadequate, and the effective safeguards that were in place were ignored.

Continuing with the theater metaphor, let’s examine how your practice might be “overacting” concerning basic cybersecurity practices.

Excessive Password Updates

Forcing your employees to update their passwords each month has long been established as a counterproductive security measure. This practice only encourages them to adopt other behaviors that directly undermine cybersecurity resiliency. Perhaps these passwords become embarrassingly predictable or your users resort to writing them down to keep track of them. Instead, use other methods of reinforcing cybersecurity such as multi-factor authentication (MFA) or single sign-on solutions, paired with a moderated password policy.

That said, we don’t advocate that you never change passwords. But frequent mandatory password changes encourage lax security practices, and the harm from these bad habits outweighs the benefits of the changes themselves.

Alert Overload

A never-ending barrage of security notifications can have negative repercussions among your users. Their workflows naturally suffer from constant interruptions, but there is also the likelihood that your staff will eventually tune out these notifications. Hence, when a real issue eventually occurs, it is more likely to be ignored. An MSP’s services keep your network’s users focused; in most cases, they’ll never be interrupted by IT issues.

Lacking User Awareness

Consider when last you held a cybersecurity training session for your staff. Was the general format primarily a lecture or were your employees involved and engaged in the process? When was your last training initiative?

Many companies believe that these seminar-style sessions are productive. However, a more effective means of instilling good cybersecurity training is through shorter, more frequent, and (most importantly) more interactive efforts.

Experience How Great IT Feels

With Digicom Healthcare Solutions, your practice receives far more than just security theater. We deliver IT solutions that protect your networks from intrusion while safeguarding patient data. Find out how we can help; contact us here or call 800-777-8089 today!

You’ll love our bedside manner! Call (707) 536-9173.