ITWNET Bubble Gum, Duct Tape and Cybersecurity

Blog Information

  • Posted by: Mirka Tzilivakis
  • Posted on: Jan 03, 2018
  • Description : Cybersecurity: vulnerabilities and the human factor. Training and knowledge against cyber threats need to be addressed in order to protect the enterprise.



    Cybersecurity threats and attacks have been around since the beginning of the internet. Hackers are beyond tech savvy; they will zing for every zag you put in front of them. Yes, security infrastructure and systems are vital, but global security spend trends indicate that organizations have underestimated the biggest obstacle to cyber threats.

    Organizations continue to fight cyber threats using an antiquated, silo-based "bubble gum" approach to address vulnerabilities instead of holistic, enterprise-wide "duct tape" solutions that can drastically reduce their vulnerabilities.

    One quick look at the Norse Attack Map shows the multitude of cyber-attacks that occur on a daily basis.

    Organizations have stepped up and invested significantly in cybersecurity infrastructure to prevent and mitigate their vulnerabilities to threats.

    Gartner, Inc. estimates the global cybersecurity spend (information security products and services) at $86.4 billion in 2017 (a 7% increase over 2016), and it is expected to reach $93 billion in 2018.

    But technology and infrastructure alone are not enough as they do not address the real vulnerabilities that hackers are exploiting.

    The Black Hat 2017 Thycotic survey of 250+ hackers provides valuable insight and strongly supports a comprehensive and holistic approach to cybersecurity that goes beyond systems and hardware.

    73% of survey respondents identified traditional perimeter security (firewalls and antivirus) as irrelevant or obsolete.

    • 43% considered anti-virus and anti-malware the “least effective and easiest to get past” security technologies.
    • 30% cited firewalls as the easiest security technology to get past.

    Organizations have already acknowledged this and are doing their due diligence by adding layers of threat protection such as Multi-Factor Authentication, Encryption, endpoint protection and intrusion protection. According to the survey, the toughest security technologies to get past are:

    • 38% Multi-Factor Authentication
    • 32% Encryption


    In contrast, 85% of Black Hat survey respondents identified the human factor as being largely responsible for security breaches. Only 5% cited insufficient security technology as a vulnerability.

    When asked “What entry point gives you easiest/fastest access to sensitive data?”, respondents answered:

    • 31% Access to Privileged Accounts
    • 27% Access to an Email Account
    • 21% Access to a User’s Endpoint (e.g., Laptop, Desktop)
    • 9% Access to a Network

    With hackers focusing on gaining access to privileged accounts and email passwords, it is easy to see the weak link is human behaviour. Changing human behaviour has become essential.

    Cyber security needs to move away from the silo-based approach of labelling it a “tech” problem. It is impossible to place the onus of protection solely onto a security department that scrambles to patch and plug the holes the rest of the organization is opening. This bubble gum patching approach is not effective and does not address today’s vulnerabilities.

    Slow change is coming. The security awareness training market is valued at $1 billion+ in annual revenue according to Gartner, Inc., and is expected to grow by approximately 13% annually as organizations address the human factor in security vulnerability.

    Although spend is increasing and moving in the right direction, there still seems to be a disconnect in how the budget is allocated. Right now, just over 10% of the cyber security budget is being spent on addressing 85% of the problem. Moving forward, the number does not get much better.

    Enterprise-wide cybersecurity training, best practices, and knowledge sharing are keys to reducing risk. Organizations need to start formally implementing a dynamic and adaptable cyber risk policy that is in line with the constantly changing nature of security threats. All employees need to be part of the solution and need to understand and implement the fundamentals of cyber security. Knowledge is like duct tape here: everyone needs their own piece, and needs to know how to tape over a hole.