Buried in David Hitz' book How to Castrate a Bull: Unexpected Lessons on Risk, Growth and Success in Business is a short interlude that illustrates the problem with using news headlines to drive risk analysis processes. Just because something is in the news does not mean that is it a big risk; it simply means that it is out of the ordinary and has been deemed “newsworthy”. Conversely, something that doesn't make the news might be a significant security risk. The point being, we shouldn't rely on news headlines to drive risk analysis.
As an example, you may remember recent headlines about the World Health Organization announcing that processed meats are likely causes of cancer. Many of the headlines might have had you believing that eating bacon increases your risk of cancer by 18%. However, if you dig deeper, the research indicated that processed meats may increase your relative risk of specific types of cancer by 18%. Meaning, that if your initial risk of getting that type of cancer is 5%, eating processed meats could increase that risk to 5.9%. While the headlines might be mostly true, they don't always tell the whole story.
It is not hard to find attention grabbing headlines about the importance of selecting strong passwords. As a result, secure password selection is typically the first topic in most security awareness training. While having a weak password isn't recommended, it might not be the biggest security weakness, depending on the the level of access the account is granted and whether or not the account can be used for remote access. In contrast, software vulnerabilities rarely make front page news. Java is often installed on systems where it isn't necessary and is commonly the most poorly patched software on the network. The Cisco 2014 Annual Security Report states that Java comprises 91% of all web vulnerabilities. If exploited, several of the vulnerabilities may give an attacker remote access to the network without knowing a single password.
Annual security reports released by technology industry leaders (e.g. Symantec, Cisco, etc.) that summarize real-world security statistics and trends might be a better source of information. Reviews and discussions of these, or similar, reports could highlight potential gaps in your information security program. In fact, these types of reports often go as far as listing areas of biggest concern on a per industry basis. How often have reports like these been discussed in your IT committee or executive meetings? A far more common agenda item is “recent cybersecurity-related news”. While conversations about the latest breach are more entertaining and easier to discuss, they may shift focus away from the highest risks within your organization. Even worse, they may result in complacency or a false sense of security.
While it is important to keep tabs on recent cybersecurity-related news, it shouldn't be used as the sole driver for risk mitigation. Objectivity is critical to risk mitigation. It is important, but sometimes really difficult, for us to take a minute and attempt to remove any emotions or hype before making a decision. Assessing risk based on what is in the news isn't only retroactive, it might lead you to addressing an issue that isn't a significant risk on your network, while ignoring the issue that does pose a significant risk.
Hitz sums it up perfectly, “Don't plan your risk reduction strategy after reading the newspaper. It's like going to the grocery store when you are hungry. In both cases, you will make bad decisions.”
Craig Schurr is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and Tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program.