I like to believe that one of my skills is distilling complex technical concepts into something more consumable. At the risk of indulging in hubris, I like to believe I’m pretty good at it.
Now, this is a skill I use on my children all the time. So perhaps it shouldn’t have been such a surprise when I recently ended up on the receiving end of this skill.
We were discussing risk versus threat with our youngest, and I asked him to explain the two concepts to me. He did not hesitate when he provided his perspective:
“Risk is something you accept to take; a threat is something that comes from someone or something else.”
Well, that ended the conversation because while he left out the relationship between risk and threat, he wasn’t wrong. As I think about security today and the need for organizations to better understand the difference between threat and risk, his explanation came up because, as it turns out, he's only mostly right.
Today the risks of a presence on the Internet are much the same as they have been since the 20th century. The risk of a breach is still the exfiltration of data, disruption of services, poisoning of the well with trojans, backdoors, and malware, and today, the possibility of losing access to systems and data to ransomware.
The risk of these events is something every business accepts to take. It’s the entry fee to doing business on the Internet, of becoming a digital business.
Threats generally come from outside. Attacks threaten to increase the risk of a breach all the time. They ebb and flow, of course, often following disclosure of a new vulnerability or technique that opens a window of opportunity for bad actors to exploit.
Today, with many more users demanding remote access, the threat from outside is definitely growing.
But so is the threat from inside. That is, the threats coming from development and lines of business who are all frantically trying to keep up with the pace of digital transformation.
It turns out that the “someone or something” might be ourselves.
Microservices. SaaS. Cloud. Mobile apps. As organizations rush to modernize applications, they are pushing past security guardrails to get out there as fast as possible. For some, it's to gain a first-mover competitive advantage. For others, it's an attempt to catch up after COVID caught them at a standstill in their digital transformation.
Whatever the reason, organizations are tacitly agreeing to accept greater risk by moving quickly without equal attention to security. The new normal we heard so much about throughout the pandemic is apparently “insecure by default.”
A few points to prove out this claim:
- An IDC survey found "more than one-third of organizations worldwide have experienced a ransomware attack or breach that blocked access to systems or data in the previous 12 months."
- An HP report noted that 91% of IT professionals felt pressure to compromise security for business continuity.
- Thycotic’s Global Employee Survey reports that smaller organizations are least likely to have implemented any of these controls (VPN, MFA, training, RBAC), while larger ones are more likely to have done so.
- Unit 42 Cloud Threat Report found that “enterprises quickly scaled their cloud spend in the third quarter of 2020 with an increase of 28% from the same quarter in 2019. In the second quarter of 2020, cloud security incidents:
  - Increased by 188% overall
  - Grew by 402% in retail
  - Grew by 230% in manufacturing
  - Grew by 205% in government.”
None of this is acceptable. Building your house on shifting sand is a bad idea and basing the foundations of an emerging digital business on insecure practices and security approaches is also a bad idea.
We’ve been heads down, driving digital transformation for nearly two years now. And as organizations begin to make the shift from focusing on modernizing user experiences to modernizing the business, it’s a good time to stop, take a deep breath, and take stock of what’s going right – and what’s not.
Noting that "64% of employees are now able to work from home, and two-fifths actually are working from home," analyst firm Gartner recommends “a total reboot of policies and tools and approved machines to better mitigate the risks.”
And while remote work is definitely an area for concern and attention, it’s not the only area we must consider. Increasing use of microservices and integration with payment ecosystems, marketplaces, and SaaS-based products leave us with more APIs and applications to operate, monitor, and – one would hope – secure.
It’s time to stop and take stock of where you are right now and, in light of the momentum behind digital transformation, where you are going. Then look at how to securely move forward at scale – before the biggest risk a business accepts is that it has become its own biggest threat.
Slow down and stay safe.