(A Critical Part of) The Solution – Part 3

Today I want to provide a very important part of the solution to security problems: Realize that bad things will still occur despite all efforts to prevent them.

That may sound strange. How can it be a solution to say that we can’t come up with a solution that will keep bad things from happening? I will get to that in a moment.

But first, I want address the idea that we can stop bad things from happening.

We buy antivirus software in the hope that it will keep us free from viruses. It won’t. It will detect and stop a lot of viruses. But it won’t catch them all. Sorry about that.

We buy security software to protect us and keep our computers safe. If the software we choose is good, it will help. But it won’t protect us from everything.

When I say that, you may realize that is true. You know that, logically, there is probably some way our computer can be affected in a way we don’t want even with that software. But, at the same time, when we go looking for solutions, we have the hope that, maybe, it will actually keep us safe. We even believe that, once we have installed it (and if we keep it updated), we will be protected and it will keep all the bad stuff from happening.

We feel confident that our computer is free of viruses when we run a scan and our software says that no problems were detected. Or maybe it found something and eliminated it and now we feel we are safe.

We want to believe we are safe and secure and we allow ourselves to forget that perfect safety is not possible.

Let’s stop to consider safety in the physical world. We want to keep our home safe from people that might want to break in and steal our valuables. So, we put a deadbolt on the door and take other measures to be safe. We trim back the bushes and make sure we have good lighting. We may install a spotlight with a built-in motion detector that will turn on at night if movement is detected. And we install an alarm system on our house. Now, we feel safer.

But a determined criminal could still break in if they were really motivated.

Suppose we went to great extremes. Allow me to get carried away for a minute. We put iron grates over our windows and install impact-resistant windows. We replace the wood door with a heavy steel door, along with a heavy bar that secures it. We ignore homeowner assocation rules and erect a heavy concrete wall around our house, topped with barbed wire. Then we get attack dogs and hire armed guards. Nobody is going to get our valuables!

But, if for some reason, a group of criminals really wanted to get into our house badly enough, I believe they could still do it. Although this is a rather ridiculous scenario for our home, a group of criminals could assemble an assault team armed with heavy munitions and explosives and force their way in. They could defeat the wall, the dogs, the guards, the steel door, and the alarm system. They could even utilize an aerial assault and blow a hole through the roof to gain entrance. Likely? No. But possible, if they were desperate enough.

image of fortified castle, with attackers descending upon it by using parachutes

But there is an easier way. They could wait for us to leave our home and follow us with two or three vehicles. They could force us off the road and take us hostage, or do so when we stopped at a destination, or even a traffic light. They could demand that we deliver our valuables to them. If we refuse, they will murder us and our family. Most of us would deliver those valuables we tried so hard to protect if our refusal meant our life and that of our family.

For a determined opponent, there is always a way in.

The same is true in the cyber world. Only, it becomes more difficult, because it’s not just a matter of locking our computer in a secure room. Even if we do lock it up in a secure room, there are ways to steal the computer and there are also ways to gain access to it without entering the room. Furthermore, there are so many pieces involved in our computer systems and what we do on the Internet, many of which involve a lot of complexity, that there is always going to be some way that a really determined attacker will gain access. As a last resort, they could always threaten us unless we turned over to them what they wanted.

But they usually don’t need to resort to those measures. And they can sometimes accomplish what they want without our ever even finding out.

I’ve reported previously something that you may have heard on a news report or documentary, that some intelligence officials and security experts say there are two kinds of companies: those that have been hacked and those that don’t yet realize they’ve been hacked. Although there might be an exception or two, it is certainly the case that, if an attacker is determined to gain access, they will succeed.

There are numerous accounts of companies that tell a security consultant that nobody can break into their system. The security consultant proves them wrong. I have several of my friends who have told me numerous stories describing variations of this exact situation. The client claims they are secure. They are sure the security consultant won’t get it. The result? The consultant never fails to find a way in! And it usually doesn’t take very long.

I am not saying that we shouldn’t take measures to protect ourselves. We absolutely should. What I am saying is that, despite the measures we take, we can never attain 100% protection from bad things happening. We need to give up the hope and belief that we can and recognize the truth. There is ALWAYS some risk, no matter how much we do.

image of hacker displaying stolen credit card

So, lets’ move on to why this is such an important part of the solution to security problems.

As long as we believe we can put some solution in place and then be safe, we condemn ourselves to the following problems:

1) We rest in peace that we are safe, and don’t take additional measures. Because we believe that the measures we have taken will protect us, we think we don’t need to do anything more (at least until it’s time to buy the next version of the software next year). Because we think we can sit back and forget about it, we leave ourselves open to a lot of threats. We fail to take additional measures that could go a long way towards protecting us.

2) While we are thinking we are safe, we occasionally hear of some new threat. Our bubble of confidence bursts, and we worry that it could happen to us. Or, perhaps that threat affects us personally. We thought we were safe and then discovered that “they” got into our system or got ahold of our information anyway. Now, we worry. We worry about what could happen, or about what to do about what just did happen. We may even get discouraged and feel it is hopeless. We might give up trying. If we don’t give up, we worry that it could happen again. In any case, when we suddenly come to the realization that we aren’t as safe as we thought we were, it throws us into emotional turmoil. Add to that the problem that we don’t know how to fix the problem or how to prevent it from happening again, and our distress increases.

3) A lot of the time, things are working well. Perhaps we haven’t heard about a security problem recently that we think might affect us. We are in good shape. We’re safe. But, most of us still realize at some level, often subconsciously, that we can’t achieve that 100% protection that we hope for. From time to time, we can experience some anxiety because, even though we did everything we thought we should, we realize at some level that something bad could happen. We realize that someone could get our information or mess up our computer, even though we “believe” we’ve done what we should to protect ourselves. And the realization that it could happen causes anxiety. Much of the time, we aren’t even aware of it. But, we have an uneasy feeling that makes us anxious whenever we hear about someone else having an issue. Or perhaps, when we are doing something on our computer and we aren’t quite sure of how to handle it, or we suspect it could possibly be risky, we experience that uneasy feeling.

So, the belief that we can achieve that perfect level of safey causes us to either be too lax about the measures we take, or we end up worrying needlessly and feeling anxious because we recognize that our belief is flawed.

Give up the irrational belief that we can do something to keep all bad things from happening!

 

Why is that so important?

There are two reasons:

1) Once we realize that bad things will still occur, we can stop trying to achieve perfect protection against them happening. We can give up on trying to do EVERYTHING that could possibly be done, and instead focus on only the most important things. To return to the analogy of protecting our home, we can install deadbolts, lock the doors, have good lighting and maybe install an alarm system. We can forget about the wall with barbed wire, the moat, the armed guards, and all the other extreme measures, because we only need reasonable protection. And it is a whole lot cheaper. And a lot easier.

With security for our information and computers, we can apply a few basic solutions. We don’t need to go to extreme measures. We apply the most important measures for our particular situation. Among the most important things are the ways we respond to situations and the things we do/don’t do that can keep us safe. We also must do one other thing: We need to keep informed of new threats and remain alert to other solutions that make sense. This doesn’t have to take a lot of time, but you do need a reliable source of information. (That is why I am developing ways to provide this kind of information.)

2) When you realize that there is always some risk no matter what you do, you can now begin thinking about the situation differently. Instead of wondering how to block every single possible threat, you can begin to consider how you would deal with those bad things that are most likely to occur. In the real world, you don’t need to worry about Martians attacking us and enslaving us. (That is one of the bad things you might worry about if you were trying to protect yourself from EVERY possible problem, no matter how remote.) Instead, you only spend time thinking about the more likely scenarios.

image of a Martian Invader with a ray gun, demanding to be taken to your leader, followed by another image saying that this is an event we don't need to worry about

In the cyber world, instead of worrying about every possible outcome, you should think about how you would handle the most important things that you can’t prevent. You can protect your credit card information and be careful about how you use it, but you can’t prevent breaches from occurring. That is outside your control. So, after taking reasonable measures, accept that a breach could occur and your credit card information could be compromised. Then consider what you can do in case that does happen. There are quite a number of reasonable and easy measures you can take to reduce the negative impact of an event like that. Although you can’t prevent a breach from occurring, if you know what you can do when it happens and you how to assure that the negative impact is minimal, you no longer have any reason to spend much time worrying about it. You now have a basis of feeling confident even though you don’t have control over future events.

Image of hacker crossed out, with statement that we don't have to worry because we have plans that will lower our risk to a low level