Invitation to Cybersecurity

not a viable option in today’s world—our economy depends on cyberspace, and computers and networks are essential for business competitiveness. There is no going back to the “good old days” before cyberspace; getting rid of computers means going out of business.

Another axiom of cybersecurity is that security is not free—it always costs something. The costs of cybersecurity are more than just the monetary costs of purchasing cyber-related technology. Cybersecurity costs include the personnel who are paid to research, implement, and maintain the technology. Costs include the time spent creating cybersecurity policies and training employees to follow them. Perhaps easiest to overlook, costs also include the inefficiencies introduced by cybersecurity technology and policies. These inefficiencies may be individually small, but they might affect every employee every day, so collectively they can add up quickly. The end result is less business productivity, and this is a real cybersecurity-related cost for organizations.

Implementing cybersecurity for any organization is a cost center. A cost center is a part of a business that does not produce revenue. Even for a business that provides cybersecurity services to other companies, managing its own cybersecurity is a cost center. In a perfect world, no money would need to be spent on cybersecurity, but as we saw in Chapters 3 and 4, that is definitely not the world we live in. Therefore, money and resources spent on cybersecurity are money and resources that could have been saved or spent elsewhere.

One way to illustrate the tradeoffs involved in cybersecurity is by charting cybersecurity against costs, as Figure 5.1 illustrates. In general, the better the cybersecurity, the higher the costs. It is fairly easy to come up with solutions in the lower-left (low cost and weak cybersecurity) and upper-right (high cost and strong cybersecurity) quadrants.
Take, for example, one core concern of cybersecurity: authenticating users (more on authentication in Chapter 8). Allowing employees to use simple passwords is in the lower-left quadrant of the figure. This solution has low costs of implementation and maintenance because simple passwords are easy for people to use. However, simple passwords are a weak form of authentication and put organizations at higher risk of cybersecurity incidents. Forcing employees to use long passwords and to do an iris scan to log in would improve cybersecurity. Multi-factor authentication (MFA) creates a strong security posture, but long passwords and biometric iris scanners are expensive and a nuisance for employees (see Section 9.2.1.3). Plus, these measures can lead to frustration and delays when things go wrong, such as when the iris scanner has technical issues or users forget their passwords. Therefore, this option is in the upper-right quadrant. The goal is to implement solutions in the upper-left quadrant when they can be found. Many would consider reasonable password requirements combined with MFA through a phone app to be in this quadrant. This solution provides strong security, moderate implementation and maintenance costs, and only a small amount of extra work for employees.
