The cyber security industry is failing businesses. Cyber criminals are constantly evolving and evading the market’s most sophisticated detection-based security solutions, with government figures showing that 32 per cent of UK businesses have faced a cyber attack or data breach in the past year.
Most security solutions take a “best endeavour” approach to defending against threats – offering little more than 95 per cent protection at best.
We wouldn’t satisfy ourselves with a seatbelt that worked 95 per cent of the time, nor a front-door lock that could be opened five times in 100. Yet in a world where data is the new currency and consumers vote with their feet, the cyber security industry appears to expect its customers to introduce that level of risk into their organisation.
I know the issue first-hand. In a previous role, I had to explain to a US Fortune 30 brand why it had suffered multiple breaches over a three-month period, despite being told that it had the best detection capability that money could buy.
In response, one board member simply said, “Dan, this best endeavour approach to detection gives us unquantifiable business risk – that’s unacceptable to our shareholders”.
He was right – it is unacceptable. Yet most companies seem resigned to accepting this risk for their own business and customers.
As it stands, there is very little incentive for the industry to do better. The cyber security market is expected to reach $300bn by 2024, with providers making a lot of money from selling fallible, sub-par solutions.
That’s not because 100 per cent secure solutions are not possible – indeed, we’ve proven that they are. By moving away from the traditional detection-based approach, new and wholly effective attack-prevention systems can be and are being created.
But we will only reach the tipping point where businesses reject the mantra that “95 per cent secure is good enough” when they start to feel the repercussions beyond an initial breach. Insurers and government watchdogs must step away from the culture of “best endeavours” and hold businesses accountable when they are breached due to the use of fallible solutions.
There are plenty of examples of this, going back as far as 2015, when a complaint was filed against California healthcare provider Cottage Health System by its cyber insurer, after it was discovered that the provider hadn’t met the “minimum required practices” when it was breached.
Insurers and watchdogs must go further and make it clear that they will not pay out when companies have knowingly introduced the unquantifiable risk of sub-par security into their business.
Indeed, only when businesses understand that they are being failed by their security providers, and are being penalised as a result, will there be enough uproar to force the cyber security industry to shift away from improving fallible technology and towards finding novel solutions that truly prevent attacks.