Today’s cyber security terminology is cryptic and confusing. Which is exactly what criminals want.
On Friday, 21st of October 2016, a group of cyber-criminals sent out a warning. They flooded some of the world’s largest websites with unprecedented volumes of traffic, rendering platforms such as Twitter, Spotify and SoundCloud temporarily unusable. You’d think, given the ever-increasing risks cyber-criminals now pose, businesses would be taking steps to stay ahead of the game. But in 2015, 90% of the UK’s large businesses (and 74% of their smaller counterparts) experienced some form of security breach – both figures up from the previous year. The cyber-criminals are slowly edging ahead. And, sadly, the cyber security industry may well be (at least partially) at fault…
Cyber security terminology: an example
“If TalkTalk had cryptographically segmented its security system into predefined and clearly understood fragments, the breach would have been more manageable, instead of system-wide,” said Certes Networks’ Paul German in response to TalkTalk’s third data breach of 2015. His words offer an insight into just how cryptic cyber security terminology can be – and German wasn’t the only commentator. Talking in insider-speak, Vectra Networks’ Gunter Ollmann advised businesses to use “machine learning” to spot “known and unknown malware and attack vectors”. Delphix’s Jes Breslaw, meanwhile, suggested companies consider “leveraging technologies which allow them to scale data masking such as data virtualisation.” ISO 27001 joined the jargon, as did SQL injection vulnerabilities, unmasked data and codification – and each new comment received applause from industry insiders. For a short while, the cyber security industry had national attention. It was a rare chance to offer plain-English advice. But thanks to the ever-cryptic and ever-confusing cyber security terminology, it was a chance that, once again, went sailing past.
An industry unable to talk in simple terms
Here’s what was happening whilst the security parlance was mounting. 157,000 people had had their personal details compromised. Customers were leaving TalkTalk in their thousands. The breach’s financial cost was creeping close to £50m. And businesses large and small were in desperate need of help. But, rather than break the message down, the security industry largely stuck to impenetrable cyber security terminology. People needed plain-English advice. And there was almost none around.
What’s the problem with trying to calculate your own risk?
Let’s think about how you, as a casual onlooker, might react to overhearing some of the above security jargon – bearing in mind TalkTalk’s breach was making front-page news. Your company holds the personal information and data of real, individual people. Even a minor compromise could have a devastating effect on the lives of the people who trust you to keep their information safe. If you’re anything like most decision makers, you’d have quickly set about re-calculating your risks. And that’s where you’d have run into perhaps your biggest hurdle.
It keeps us sane – but it comes at a price
The fact that you’re reading this suggests you’re human. And that implies you underestimate the risks you face in your day-to-day life. The human tendency to underestimate risks is pervasive, and in academic circles it’s known as the “optimism bias”. Psychologists generally believe the bias helps keep us sane. And, in most cases, it’s great. But in others, it’s not. The optimism bias is one of the reasons smokers keep smoking. It’s one of the reasons stockbrokers take foolish risks. And – because we rarely anticipate becoming victims of crime – it hands cyber-criminals yet another advantage.
You are almost certainly now a target
If that all sounds hard to believe, let’s go back to a statistic we cited earlier on: In 2015, 90% of the UK’s large businesses (and 74% of their smaller counterparts) experienced some form of security breach – both figures up from 2014. That’s from independent PwC research, commissioned by HM Government. Did you dismiss the numbers in a heartbeat when first reading through? Many people do. Whether you’re able to admit it or not, your business is a target. If it’s about time to react, here’s what you can do…
Something simple you can do to shore up your defences
Given that accepted cyber security terminology is so tough to understand, you might be unsure of your best course of action. And given the optimism bias, you might be inclined to bury your head in the sand. But there are some simple, basic things you can do to stay ahead of cyber criminals – and here’s the first: contact decent cyber security specialists and ask them to explain – sans security terminology – how you might be vulnerable and which protections you might be missing. It’s a simple step. But one many of us will no doubt resist. Just as those whose systems may have been used to inadvertently facilitate the DDoS attacks on Twitter, Spotify and SoundCloud may have done. Every cyber-attack we hear about is a warning. Now’s the time to react, before it’s too late.