The ‘cybersecurity poverty line’ was a term coined over ten years ago by a Cisco security leader, Wendy Nather. We often hear it described as the resource “threshold” for adequate cyber protection. The companies beneath the line lack the budget, resources and skills to properly protect themselves from ongoing threats posed by cybercriminals. Those above the line have the resources and expertise to reasonably protect themselves. They include the largest organisations with the most mature IT environments – think financial services, healthcare and defence.
Not surprisingly, small businesses are the ones below the poverty line, and suffering for it. According to Accenture, 43% of cyberattacks target small businesses, yet only 14% have the capabilities to protect themselves. Cybercriminals see small organisations as low hanging fruit due to their lack of resources and expertise; as a result, they are more likely to be attacked, and the attacks are (more often than not) successful. Sometimes a ransomware attack on these small companies can demand such minimal and relatively affordable ransom payments, it becomes far easier for them to quickly and quietly pay up. In this environment, smaller businesses will always be on the back foot unless something changes.
Skills, tools and insurance
The cybersecurity poverty line is set by the many challenges of hiring talented people, retaining these people, and the costs of tools, insurance and more. This problem seems to only be growing.
It’s no secret that competition for skilled team members is steep. Those organisations without the resources to invest heavily in recruiting and retaining staff are losing out to the larger and better funded organisations that can afford top tier talent and have the mature security programs that interest prospective employees. It’s a similar situation with cybersecurity tools, which can be expensive to acquire and difficult to implement in an effective manner.
At the same time, soaring cyber insurance premiums show no sign of slowing. Again, smaller companies are priced out and become more vulnerable to cyberattacks as a result. In some cases, those below the poverty line may not even recognise the extent of this problem.
It’s important to remember that the cybersecurity poverty line affects all organisations, regardless of whether they are above or below the threshold. These smaller companies are often part of wider supply chains with bigger, more mature organisations. They’re part of IT ecosystems in which data is being transferred across enterprise applications. Those companies below the threshold can become the penetrable backdoor that criminals use to breach and exploit those above the poverty line. Therefore, this problem affects everyone, sooner or later.
But it doesn’t require vast resources or expertise to significantly improve an organisation’s cybersecurity posture, regardless of size.
Excellence in the essentials
The key is to approach cybersecurity with the mindset of “excellence in the essentials,” which emphasises doing the basics well, consistently and at scale. While the cyber landscape is a complex mix of varied threats, with myriad solutions to manage, we need to look at how we solve the most basic problems first and do this well, consistently.
The basics, as it turns out, is where most of the progress is made anyways (for all organisations). We know from years of incident and breach data (as noted in Verizon’s Data Breach Investigations Report, among others) that most cyberattacks exploit known vulnerabilities for which there are known solutions (i.e., patches), as well as misconfigurations of common operating systems and applications, and mismanagement of basic security controls.
For resource-constrained organisations, focusing on essential cyber hygiene is the most effective way to improve their security posture in a meaningful way.
A good place to start is with prioritised security controls identified in reputable frameworks. The Centre for Internet Security for example, has organised their Critical Security Controls by Implementation Groups, beginning with Group 1: Essential Cyber Hygiene. By implementing essential controls in this manner, organisations can take a more productive, focused, and incremental approach to improving their defensive posture. NIST also regularly releases guidebooks on building a better security culture, to support its framework for ensuring organisations can understand, assess, prioritise, and communicate their cybersecurity efforts.
The National Initiative for Cybersecurity Education (NICE), a program of NIST, has provided guidance on enabling the ‘everyday employee’ to contribute to their organisation’s cybersecurity posture. Security must be a shared responsibility, implemented as a community of collaborating professionals.
This includes routine security awareness training across a business, and teaching everyone that interacts with corporate devices, or corporate information on personal devices, the basics of data management. Today’s organisations store far too much data that should be regularly sanitised and erased once it’s no longer needed, another area for shared implementation of security controls. Understanding best practices around data privacy and protection can have a huge impact on cybersecurity at a minimal cost to an organisation.
Preparing for the worst
We can’t expect every organisation to have the best cyber expertise. However, like basic first aid and CPR, broad implementation of essential skills and actions can have a big impact (yes, we need the highly trained paramedics to show up in an emergency when someone has a heart attack, but there are certainly things you can do while you’re waiting for them to arrive that could make all the difference).
It’s this essential cyber hygiene that can significantly improve the state of protection for those below the cybersecurity poverty line. From supporting the everyday employee, to understanding effective data management, bringing it back to the basics is a realistic approach to security for organisations that will continue to struggle with limited resources and expertise. Addressing this issue will be vital to boosting the cyber resilience of entire industries – not just the smaller players.
Ad