Cybersecurity is a curious subject. The more you know about it, the more you feel you know too little. It is far from easy to comprehend, which is why many get caught up in misconceptions and wrong assumptions.
Such is the case when it comes to VPNs, cyber risk assessment, and compliance with security standards. You probably think you sufficiently understand these security terms but end up wondering if you really know them well enough.
The use of VPNs: Not a cybersecurity measure
VPN service marketing is partly to blame for this. Many hold the misconception that using a VPN automatically equates to complete privacy and protection from hackers. It does not help that social media influencers or content creators who partner with VPN companies spew out hype as they attempt to integrate VPN promotions into their content. The top VPN services offer a wide range of features, but they are usually not built primarily for cybersecurity.
Not all VPNs guarantee anonymity for users. Some are only intended to enable access to blocked websites. Virtual private networks work by routing traffic through a VPN server over a connection that is usually encrypted. This setup, however, does not provide protection from websites that are not secure or those that lack security certificates. It does not address the possibility of getting infected by malware or falling prey to phishing and other social engineering attacks.
Worse, in the case of many free VPNs, data theft is quite common. They are not built to be sufficiently secure, so they are prone to data breaches. Sometimes, the free VPN providers themselves could be the ones stealing user data to be sold on black markets. As a post on Security Boulevard puts it, “Not every VPN will necessarily protect you and some actively compromise your privacy.”
Cyber risk assessment: Zero attack vulnerability only an ideal
While the ideal result of a cyber risk assessment is zero attacks, that outcome is not realistic. Cybersecurity providers that promise impenetrable defenses after implementing their solutions will surely be unable to deliver on their promise. Credible security companies offer solutions such as continuous security testing and repeated automated assessments, but they would never promise the absolute eradication of threats.
Consulting and technology firm Crowe says that it is unlikely for any amount of security investment to translate to foolproof security. “And if it (a company) invests too heavily in this area, it might start to approach a negative ROI, with outlays exceeding the amount of financial damage that could be reasonably expected from cyberattacks,” the firm says. The key to achieving a dependable cybersecurity system is a well-balanced approach that involves multiple layers of security.
McKinsey uses the term risk appetite in its risk-based approach to cybersecurity. The phrase refers to a certain level of risk an organization is ready to deal with as it pursues its objectives. Prudent organizations are highly unlikely to set a risk appetite of zero. “In most cases, it is impossible to stop all cyberattacks, so sometimes controls can be developed that tolerate some incidents,” McKinsey says.
Instead of aiming for complete eradication of the probability of threats, the more sensible way to achieve reliable cybersecurity is to optimize identification, prevention, detection, and response measures. Arriving at a zero-attack level after numerous cyber risk assessments and security system tweaks is essentially wishful thinking. Believing that it is achievable might only lead to a relatively relaxed system that lacks contingency mechanisms and proper isolation and remediation responses in case an attacker manages to get in.
Security standards: Compliance is not enough
Security standards are helpful in building the cybersecurity infrastructure of an organization. However, faithfully following such standards does not guarantee adequate protection. They only lay out the minimum levels of protection for organizations to implement. They do not provide the optimum solution or configuration of security measures that best suits the specific needs of a company.
As Monique Magalhaes, a data protection and information governance facilitator at Galaxkey, succinctly points out: “Compliance is necessary and it is important, but it only validates that you have met the requirements for a specific standard, which often equates to the acceptable minimum level of security for that standard.”
Cyber threats ceaselessly evolve and cybercriminals are relentless in their attempts to defeat cybersecurity defenses. It is important to remember that standards are often set by government regulatory bodies or industry associations. They cannot be expected to update their standards as often as threats change.
Take the case of NIST SP 800-53, the NIST Special Publication that catalogs security and privacy controls. It provides sensible guidelines for keeping organizations secure and protecting the privacy of everyone in the organization and those interacting with it. However, the guidelines actually suggest that control should be left to the enterprise; they do not provide specific mandates on how to carry out this control function.
The same goes for the HIPAA HITECH standards. These standards invoke a multitude of security resources. However, upon reading their guidelines, many will likely be confused or fail to reach a straightforward understanding of the mandate. “This very resource-intensive mandate leaves room for interpretation,” says Sol Cates, Chief Security Officer at Vormetric. The guidelines also reference the National Institute of Standards and Technology (NIST) handbook, which means that to understand HIPAA HITECH, one must also get acquainted with the NIST security standards.
The point of all this is not to discourage anyone from learning more about cybersecurity. The topic may have intricacies that are not too easy to comprehend, but they are not impossible to understand. Business managers and the stakeholders of organizations that often become targets of cyber attacks can come up with more competent decisions when it comes to security by getting better acquainted with cybersecurity ideas. Clarifying the misconceptions involving VPNs, cyber risk assessment, and security standards is a good start.