Well, Happy Saturday everybody!!!  We are now coming into the last quarter of 2020, and as mentioned last week, it is so hard to believe how fast the time has gone by, even with all of the COVID-19 stuff that has been happening since March of this year. 

It has no doubt changed the Cyber Threat Landscape and the work environment to degrees that we could never have imagined before.  But it has transpired, and now we have to deal with the new norm.

This will for sure be echoed this month of October as well. The reason for this?  Well, it is Cybersecurity Awareness Month.  So as you peruse through all of the news headlines like I do on a daily basis, you will see many articles, blogs, etc. on this issue.  There are a lot of hot button topics in this regard, ranging from the IoT to the Remote Workforce to Phishing to Security Training, you name it. 

As for me, I won’t be writing every day on these topics; rather, I am going to find those topics that are not really covered and bring them to you.  After all, you can use Google to find these headlines yourself.  So what is my angle today, you may be asking? 

Well, it is the mindset that you will never become a victim of a Cyberattack.  In other words, if it has not happened to you, your line of thought is that it will never happen.

For example, consider some of these statistics, according to a recent report from Trend Micro:

*In spite of 72% of employees claiming that they have received better Cybersecurity Awareness training, an astonishing 56% of them have openly stated that they use non-authorized software applications (also known as “Shadow Management”) in order to conduct their daily job tasks;

*66% of them have openly stated that they have uploaded confidential company information and data onto these non-authorized apps;

*39% of them have claimed that they purposely and willfully go against their company’s Security Policy;

*Even worse yet, 29% of them have blatantly stated their employer’s Security Rules are completely meaningless. 

More details on this survey can be found here at this link:

https://www.trendmicro.com/en_us/research/20/g/head-in-the-clouds-why-nuanced-security-training-is-essential-to-remote-working-success.html

This very complacent sentiment is also found in yet another survey that was conducted by Dtex Systems:

*48% of the respondents felt no level of responsibility whatsoever for the devices that have been issued by their company;

*43% of them thought that they could never become at all;

*34% of remote employees do not even care about Cybersecurity;

*48% of them do not even care if they have become a victim of a Phishing attack.

More details about this survey can be downloaded here:

https://www.cnbc.com/2018/03/16/only-13-percent-of-government-employees-take-personal-responsibility-for-cybersecurity-survey-finds.html

Yes, these numbers are quite startling, if not extremely eye opening.  What are some of the reasons for this?  Here is what has been discovered thus far:

*The IoT:

There are a lot of things in our daily lives, both on the virtual and physical levels, that are interconnected with one another. Because of this, information and data can be very easily shared, especially on Social Media, without knowing if Personally Identifiable Information (PII) datasets are safe. Nobody really (especially the younger generation) cares about this; rather, they put quick and easy access to all of this well ahead of Cybersecurity.  In other words, as long as they know when the next party is, they don’t really seem to care if their passwords get hacked, which is really sad.

*It is getting too complicated:

The technologies that are meant to secure us have become even more advanced and complicated in their use.  Although the vendors of these solutions claim that they are easy to install, this is far from the truth.  They are simply assuming that you are taking the hardware out of the box, and just deploying it somewhere.  While you can certainly do this, it defeats the purpose of protecting your lines of defense.  Rather, you need to adjust the thresholds on those products to meet your exact security requirements.  You simply cannot rely upon the vendor settings, as they will do you no good.  It can take a lot of time to do all of this, especially if you have a lot of security tools out there.  This can be overwhelming to an IT Security team.  Even the employees will get just as frustrated, or even more so, as they will have to learn a new way of getting authenticated.  This will only put up more resistance and lead to even more circumvention of your Security Policies.  And in today’s Remote Workforce environment, who has the time to do all of this?  This is a feeling that has been echoed in all corners of Corporate America.

*It is just a waste of time:

Given the pressures that everybody is under today, well, quite bluntly put, Cybersecurity is viewed as just a sheer waste of time and a drain on productivity.  For example, while remote employees are trying to deal with connectivity issues with an overburdened Internet, the thought of having an antivirus package quarantining a file that you so badly need to send out on time can be extremely aggravating.  And with many businesses now thinking of implementing a Zero Trust Framework, the thought of going through even more layers of authentication can be viewed as holding back worker productivity.  In fact, according to a recent survey by Dell, an overwhelming 91% of remote workers feel that extra Cybersecurity measures are simply a drain on their work productivity.

More details on this survey can be found at this link:

https://software.dell.com/whitepaper/get-the-balance-right-security-vs-user-productivity890533

My Thoughts On This

This is definitely a vicious circle.  Cyberattackers are getting more sophisticated, and businesses are trying to amp it up to protect themselves, with the side effect being burnt-out IT Security Teams and employees whose level of concern for their own security is fast dissipating.  How can this be fixed?  There are different ways of course, such as by implementing the right plans, having more employee training, deploying more advanced security technologies, etc.  But the only way to truly break this chain comes directly from the top, which is the C-Suite. 

More often than not, they simply do not care about Cybersecurity.  At this level, the only person that really cares is the CIO and/or CISO.  Do you think the CEO, CFO, COO, etc. really care?  Probably not.  They have this same mentality of thinking that if nothing has happened to them yet, then nothing will.  This then trickles all the way down through the rank and file of all of the employees.

But guess what:  We all are at risk of becoming a victim!!!  The only thing that an individual or business can truthfully do is to mitigate that level of risk.  By adopting this kind of belief, a proactive mindset will then set in, in which everybody at the company will take Cybersecurity seriously.

But once again, it all comes from the top.  If the C-Suite takes it seriously, then so will everybody else.  So when will this happen?  Only time will tell, which unfortunately is a very scarce commodity right now.