9 Lessons Learned From 10 Crazy Years of Cybersecurity

When it comes to cybersecurity, the 2010s have been a wild ride — a transformative decade.

Technology has gradually entrenched itself further into our lives, becoming indispensable. It helped make the Internet more diverse and widespread, but not without some far-reaching consequences.

To make sure we’re on the same page, the goal of this blog post isn’t to document the decade’s major cybersecurity events — there are plenty of articles of that nature out there. This post aims to provide insights into the implications of those events for our present and future.

The past ten years have taught us, as cybersecurity experts, many lessons. Not necessarily tech lessons, but abstract lessons. Lessons that we need to heed if we want to survive what’s yet to come.

While some lessons may be easier to digest than others, they’re all essential parts of the big picture that is the future of cybersecurity.

1. No One’s Safe

One realization that hits particularly hard is that no one’s safe. There are no exceptions to this rule, be it an international mega-corporation or a small local business, a non-profit organization, state-owned enterprise, or healthcare provider.

There’s no escaping the risks that lie out there.

The reason?

Data.

Over the last ten years, it has become glaringly evident that any organization that deals with data has a huge target painted on its back.

Of course, different types of data attract hackers with different motivations and intentions; for example, medical records and social security numbers have different buyers on the black market than email addresses and browsing records. Regardless, the danger is ever lurking.

Now that data is worth more than ever, and there’s more of it, cyberattacks have increased by a whopping 440 percent since 2009, raising valid concerns among businesses, individuals, and governments alike.

2. Trust No One (Maybe A Select Few)

The climbing value of data has made everyone a prime target. But it has also made everyone a suspect. Not to say that cybercriminals are everywhere, disguised as loyal friends, but that anyone you come into contact with can be a vehicle to infiltrate your systems, even unintentionally.

I’m sure you’re fully aware that it’s near impossible nowadays to run a 100 percent self-reliant business. From phone systems and infrastructure to storage and backup servers, hiring a third-party service provider is a must.

But this means granting access to your network, and more endpoints to protect, which increases your risk of attack. As of 2019, 44 percent of data breaches occurred through a third-party vendor.

And it only gets worse; only 15 percent of companies were notified by their contractors of the attack early on, preventing the majority of businesses from reacting quickly enough.

This isn’t to say that you shouldn’t rely on any outside service providers; rather, you should be cautious of who you grant access privileges to. Trust is a very fickle thing, especially with hundreds of thousands — and sometimes millions — of dollars on the line.

And no, reading a couple of reviews isn’t enough.

At a minimum, run a background check on third-party vendors that correlates to the access privileges you will need to grant to use their services. This includes anything from past attacks and data breaches to shady business practices or ambiguous fine print in their Terms of Service (ToS).

3. One Attack to End it All

The thing you need to understand about cyberattacks and data breaches is that they’re heavy hitters. And you rarely get a second chance to learn from your mistakes.

It’s estimated that 60 percent of small and mid-size companies go out of business less than a year after a cyberattack. But that’s not necessarily because they went bankrupt.

In fact, financial repercussions are the lesser of two evils.

Getting a cyber insurance policy and regularly backing up data to avoid paying a ransom can be enough to significantly reduce financial losses.

It’s the ruined and smeared reputation that’s more likely to destroy an entire company.

People are more aware than ever of the value of their data. They’re also more cautious about who they trust it with.

Reputations are difficult and time-consuming to rebuild, especially when competitors with a clean slate, offering similar services or products, have invested sufficient effort in learning from others’ mistakes.

4. Innovation Sucks

(At least in the wrong hands.)

But that’s the thing about innovation and technological advancements; they’re universal. If you have them, so do those with ill intent.

Unfortunately, technological advancements aren’t just helping hackers break into complex and, presumably, secure systems; they have also created new ways for those with unscrupulous intentions to launch attacks by taking advantage of both the human and technical elements of a network.

The average hacker no longer needs special equipment and software that was once ridiculously expensive. They don’t even have to be good at programming to get through.

Social engineering attacks are on the rise and are still as effective as when people had little-to-no cybersecurity awareness. From phishing emails to voice emulators and deepfakes, social engineering plays a crucial role in close to 99 percent of all cyberattacks.

5. Investing in People is Crucial

Speaking of social engineering: we’re at a time where everything needs to be digitized and automated.

Whatever a skilled worker can do, there’s a device or software that can do it better, faster, and cheaper.

But that’s not the case with cybersecurity.

Unless you plan to operate without a single employee in sight, you need to religiously invest in cybersecurity education.

Technology is evolving at dizzying rates; cybersecurity awareness from 2017 can barely keep an email address safe when faced with the sophisticated scamming techniques of 2020.

Even if you have dedicated in-house security and IT teams, cybersecurity is an all-or-nothing approach. If one person on your team doesn’t know the proper precautions to take, they can be the downfall of a decade-old business.

Depending on your organization’s needs and size, security education can take multiple forms, anywhere from a monthly seminar to keep staff up to date on the latest news, to regular workshops that explore the ins and outs of the current cybersecurity climate.

Whatever the intensity of training you decide is right for you, it needs to be rolled out on a regular basis with all staff members.

After all, you can invest in the most robust lock ever created, but if you don’t know how to turn the key, you might as well leave the door open.

6. Staying Offline is no Longer an Option

One way to keep data safe in the good old days was to keep essential files locked in a safe, behind a couple of closed doors.

No sneaky entrances, no hacks, no tricks.

But, for obvious reasons, that’s no longer an option. Sure, you can keep a couple of devices separate from the network and offline 99 percent of the time, but those aren’t the only files that matter.

Clients expect businesses operating within all industries to be available online at all times. Anything less is an inconvenience that could affect client satisfaction and revenue.

The majority of a company’s data needs to be accessible by staff, management, and/or clients from multiple locations. Continually having to go into a locked room to get a file someone needs to update is a colossal waste of time and effort.

These days you have to go online, and you have to keep yourself safe.

No buts.

7. Double-Edged Tech

While some tech evolved in favor of keeping data secure and some helped leak it, still others are double-edged, and not necessarily neutral.

The Internet of Things (IoT) can be of great benefit to the prosperity of a business. After all, it’s a customizable system that increases staff productivity and efficiency, creating an overall smoother working environment.

But adding all this additional tech to your main network doesn’t come without its share of downsides.

For one, IoT devices are extremely challenging to secure, making them the weak link in an otherwise steel chain. Due to their large numbers, they’re hard to keep track of, and they rarely receive proper maintenance in the form of frequent updates, checkups, and password changes.

This leaves many endpoints within your network vulnerable to exploitation.

8. It’s no Longer a Question of “if” but “when”

While installing the latest antivirus software and using secure passwords was all the rage ten years ago, these approaches are no longer the all-encompassing solutions they once were.

It’s irresponsible to focus the meat of your resources on protection while leaving detection and response with the scraps.

Sure, protection against threats is essential, but you’re more likely to face a data breach than not. And when that happens, you need to be ready.

Being prepared can be roughly split into two categories: detection and response.

Detection is necessary to catch an attack or breach as soon as it occurs. This could be anything from catching a backdoor to dormant ransomware or spyware that lies hidden, waiting for the right moment to strike.

Cyber threat hunting represents one example of a proactive detection approach. It ensures your network gets regularly scanned for any malware, weaknesses, and abnormalities.

On the response side, the key is having an Incident Response (IR) plan. An IR plan includes a set of directions for the IT staff to follow to recover from an attack as quickly and efficiently as possible. It includes details about critical aspects such as which devices store the most valuable data and who to contact to share news of the breach, such as clients, authorities, and insurance companies.

Having a solid response plan dramatically minimizes the damage incurred as a result of attacks and breaches, making it necessary for all businesses, regardless of size or industry.

9. It’s Never Over

The cyberworld isn’t getting any safer, and criminals are more motivated than ever to get their hands on some easy data money. Zero-day attacks are getting more frequent and more difficult to detect.

Sadly, we’re nowhere near the cyber-utopia we dreamed we’d be in by the futuristic year of 2020, but that doesn’t mean we should stop working toward it.

Things might already feel out of hand even though we’ve had advanced tech for less than 20 years, and its rapid development doesn’t seem to be slowing down anytime soon.

The fight for data security and privacy is one we might never win. We may never emerge triumphant over the black hat hackers of the world. But it’s a fight we can’t afford to lose.