At the end of last week Dr Ian Levy, technical director of the UK’s National Cyber Security Centre, launched a tirade against security companies. “We are allowing massively incentivised companies to define the public perception of the problem,” The Register reported him saying. “It’s medieval witchcraft, it’s genuinely medieval witchcraft.”
The business space may be a somewhat different kettle of fish from the consumer one, but it is still hard to avoid the fact that the overwhelming majority of information around security does indeed come from security companies. You can’t ignore the fact that these organisations make a living out of flogging security solutions but, on the flip side, they also spend an awful lot of time analysing breach material and tracking the threat landscape. And in some ways it is quite hard to share this kind of information in a useful way – as opposed to an inflammatory one – especially once the marketing department gets its hands on it.
Of course, a lot of the information produced by security companies is genuinely outstanding. Much of it is created by the true boffins who really know their stuff. It is peer reviewed and critiqued like academia, and provides invaluable technical insight into the security landscape. Yet this kind of highly specialist information is not available to everyone, which in turn fuels the publication of a lot of other security reports, of varying degrees of quality. Here it is impossible to ignore the vast piles of dross created purely for the purpose of shouty headlines and to ramp up the fear.
My own inbox rapidly fills up each week with a tide of security reports yelling about the problem in a wash of ever more extreme (and sometimes dubious) stats, until after a while you’re either totally inured to it all, or drowning in the ever more terrifyingly-hyped-up numbers. And it is because of this overarching trend that I took some interest in Verizon’s latest Data Breach Digest released earlier this morning which takes a slightly different approach.
This report aims to tell the stories behind Verizon’s more numbers-driven Breach Investigations Report (which has run annually for a decade now). It is targeted at a variety of different security stakeholders who are not necessarily technical – like HR – and forms part of the growing emphasis on educating senior individuals without bamboozling them with too much technical information.
Broken down into four sections, it provides real-life examples that the Verizon threat team has encountered over the last year. Each of the 16 stories is given a (very marketing) code name like ‘the Secret Squirrel’ and ‘the Panda Monium’, and some are labelled as ‘Prevalent’ – like disgruntled employees – while others are labelled as ‘Lethal’ – like hacktivist attacks. The advice provided is general and aims to be useful.
The fact that this report is running for only its second year may be significant, because while there are certainly other similar ‘story with advice’ reports out there, this 100-page effort suggests a need to find new, useful ways to actually educate a wider variety of audiences. This is obviously true in the consumer space, but it is equally true in the enterprise space, where the people who pay the bills and make the wider decisions are not au fait with the intricate technicalities of what’s going on and never will be.