How To Recognize False Claims And Avoid Cybersecurity 'Snake Oil'

Post written by

Scott Petry

Scott Petry Co-Founder and CEO @Authentic8, leading the global go-to-market for Silo, a platform for secure and controlled access to the web

Have you ever been awake at 3 a.m. and looking for something to watch on TV? If so, it's likely you've gone down the rabbit hole of infomercials. Vendors make bold claims about products that can do anything and everything. However, many of these claims are sensationalized or, in some cases, completely fabricated — and from my experience, it's something common with many cybersecurity products as well.

Promising unrealistic results is not new; it's just the modern-day iteration of the proverbial "snake oil" salesman. Most people have a healthy amount of skepticism and enough common sense to not fall for infomercials. Those good senses, it turns out, often don't extend to cybersecurity purchases.

The next-gen blockchain AI cure for what ails you.

If you purchased a new miracle adhesive from a late-night infomercial and found that it actually didn't stick things back together at all, would you double down and spend even more money to buy the next wonder glue that came out?

Probably not. I hope not. Yet that is pretty much the way organizations handle cybersecurity tools. Cybersecurity spending goes up year after year. According to estimates from Gartner, $124 billion is expected to be spent on cybersecurity in 2019 — an 8.7% increase over 2018, and nearly $23 billion more than in 2017.

With all of that spending, you would think the corporate environment would be impervious to cyberattacks and that data breaches should be a thing of the past. At the very least, you would expect that things wouldn't get worse, but they are.

The volume of exploits has been growing constantly, and ransomware attacks are on the rise. According to research conducted by Risk Based Security (via Forbes), 2019 is on track to be the worst year ever, with 4.1 billion records exposed in the first half. All of the money spent on cybersecurity doesn't seem to be working as advertised. On the contrary: A study conducted by the Ponemon Institute (via CSO) found that even with all of the investment in cybersecurity tools, it still takes organizations an average of more than six months to even detect that they've been breached.

Time for a whole new cybersecurity strategy.

The problem with the majority of cybersecurity solutions is that they're reactive. The market assumes that organizations will rely on traditional methods of filtering and analyzing content as it crosses the perimeter and runs on the endpoint. It is a flawed strategy that reveals a cognitive dissonance.

If we succumb to an all-around unhealthy lifestyle, just activating one more diet and fitness app subscription on our smartphone will not solve our health issues. The focus needs to be on prevention instead.

Kill the elephant in the room.

Today, business revolves around the web. Employees use the web for everything, whether work-related or personal. That makes the web browser the most used application. It is also the least vetted and most vulnerable application.

Attackers understand this, which makes the browser one of the most targeted applications. According to the Defense Information Systems Agency (via C4ISRNET), as many as 70% of cyberattacks come through browsers.

Most security teams give little thought to the web browser itself. It comes free with the operating system. Some may install a different free browser. Either way, the web browser is a third-party application that exposes the business to risk. The standard approach to "secure" it is to pile on layers of security: firewalls, intrusion detection systems (IDS), endpoint security, security information and event management (SIEM) systems and more.

In the end, the web browser is still vulnerable, and the cybersecurity tools deployed around it are still reactive. This security patchwork doesn't instill confidence or peace of mind, and it's reflective of a gamble most organizations will eventually lose.

Don't react; prevent.

Traditional web browsers have become the primary gateway for malware infiltration because, by design, they fetch, store and indiscriminately execute code from the internet on the local computer or mobile device. Any practical prevention strategy needs to address this inherent security weakness to be effective.

Starting with the person handling customer, HR, financial, intellectual property or other sensitive information in your organization, take these five steps to reduce or eliminate the risk of browser-related data breaches:

• Implement web use policies without expecting miracles. Reputable websites spread malware infections, too. "Blacklisting" or "whitelisting" web resources can provide only limited protection.

• Conduct awareness training to empower employees to use their browser responsibly.

• Use script blockers and ad-blocking extensions for improved protection of regular browsers against exploits based on JavaScript, plug-ins such as Java or Flash, or web ads that carry hidden malicious code ("malvertising").

• Connect through a virtual private network (VPN) when on public Wi-Fi or working from home. VPN encrypts online traffic to prevent eavesdropping and theft of sensitive data.

• Insulate your team from web-borne risk by shifting selected or all browsing to a cloud-based isolation provider, where a remote browser handles all web content securely off-site.

I understand why the infomercials and the snake oil claims work. They claim to solve a legitimate issue, and human nature has a built-in bias for the quick fix. We throw money at the problem and hope the miracle cure will work as advertised because it sounds quick and simple.

Unfortunately, that isn't how things work in the real world. Staying healthy requires more than merely adding another fitness app to your library; you have to eat right and exercise. In the real world of cybersecurity, you need to identify how and why you're exposed to risk and find ways to proactively remove the risk. By removing risk, you minimize — or even eliminate — the possibility of attacks.

Prevention might just be the miracle cure that works. Is it possible to remove the web risk? It sure is — just stop using that browser that runs on your local device.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
">

Have you ever been awake at 3 a.m. and looking for something to watch on TV? If so, it's likely you've gone down the rabbit hole of infomercials. Vendors make bold claims about products that can do anything and everything. However, many of these claims are sensationalized or, in some cases, completely fabricated — and from my experience, it's something common with many cybersecurity products as well.

Promising unrealistic results is not new; it's just the modern-day iteration of the proverbial "snake oil" salesman. Most people have a healthy amount of skepticism and enough common sense to not fall for infomercials. Those good senses, it turns out, often don't extend to cybersecurity purchases.

The next-gen blockchain AI cure for what ails you.

If you purchased a new miracle adhesive from a late-night infomercial and found that it actually didn't stick things back together at all, would you double down and spend even more money to buy the next wonder glue that came out?

Probably not. I hope not. Yet that is pretty much the way organizations handle cybersecurity tools. Cybersecurity spending goes up year after year. According to estimates from Gartner, $124 billion is expected to be spent on cybersecurity in 2019 — an 8.7% increase over 2018, and nearly $23 billion more than in 2017.

With all of that spending, you would think the corporate environment would be impervious to cyberattacks and that data breaches should be a thing of the past. At the very least, you would expect that things wouldn't get worse, but they are.

The volume of exploits has been growing constantly, and ransomware attacks are on the rise. According to research conducted by Risk Based Security (via Forbes), 2019 is on track to be the worst year ever, with 4.1 billion records exposed in the first half. All of the money spent on cybersecurity doesn't seem to be working as advertised. On the contrary: A study conducted by the Ponemon Institute (via CSO) found that even with all of the investment in cybersecurity tools, it still takes organizations an average of more than six months to even detect that they've been breached.

Time for a whole new cybersecurity strategy.

The problem with the majority of cybersecurity solutions is that they're reactive. The market assumes that organizations will rely on traditional methods of filtering and analyzing content as it crosses the perimeter and runs on the endpoint. It is a flawed strategy that reveals a cognitive dissonance.

If we succumb to an all-around unhealthy lifestyle, just activating one more diet and fitness app subscription on our smartphone will not solve our health issues. The focus needs to be on prevention instead.

Kill the elephant in the room.

Today, business revolves around the web. Employees use the web for everything, whether work-related or personal. That makes the web browser the most used application. It is also the least vetted and most vulnerable application.

Attackers understand this, which makes the browser one of the most targeted applications. According to the Defense Information Systems Agency (via C4ISRNET), as many as 70% of cyberattacks come through browsers.

Most security teams give little thought to the web browser itself. It comes free with the operating system. Some may install a different free browser. Either way, the web browser is a third-party application that exposes the business to risk. The standard approach to "secure" it is to pile on layers of security: firewalls, intrusion detection systems (IDS), endpoint security, security information and event management (SIEM) systems and more.

In the end, the web browser is still vulnerable, and the cybersecurity tools deployed around it are still reactive. This security patchwork doesn't instill confidence or peace of mind, and it's reflective of a gamble most organizations will eventually lose.

Don't react; prevent.

Traditional web browsers have become the primary gateway for malware infiltration because, by design, they fetch, store and indiscriminately execute code from the internet on the local computer or mobile device. Any practical prevention strategy needs to address this inherent security weakness to be effective.

Starting with the person handling customer, HR, financial, intellectual property or other sensitive information in your organization, take these five steps to reduce or eliminate the risk of browser-related data breaches:

• Implement web use policies without expecting miracles. Reputable websites spread malware infections, too. "Blacklisting" or "whitelisting" web resources can provide only limited protection.

• Conduct awareness training to empower employees to use their browser responsibly.

• Use script blockers and ad-blocking extensions for improved protection of regular browsers against exploits based on JavaScript, plug-ins such as Java or Flash, or web ads that carry hidden malicious code ("malvertising").

• Connect through a virtual private network (VPN) when on public Wi-Fi or working from home. VPN encrypts online traffic to prevent eavesdropping and theft of sensitive data.

• Insulate your team from web-borne risk by shifting selected or all browsing to a cloud-based isolation provider, where a remote browser handles all web content securely off-site.

I understand why the infomercials and the snake oil claims work. They claim to solve a legitimate issue, and human nature has a built-in bias for the quick fix. We throw money at the problem and hope the miracle cure will work as advertised because it sounds quick and simple.

Unfortunately, that isn't how things work in the real world. Staying healthy requires more than merely adding another fitness app to your library; you have to eat right and exercise. In the real world of cybersecurity, you need to identify how and why you're exposed to risk and find ways to proactively remove the risk. By removing risk, you minimize — or even eliminate — the possibility of attacks.

Prevention might just be the miracle cure that works. Is it possible to remove the web risk? It sure is — just stop using that browser that runs on your local device.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?

Scott Petry Co-Founder & CEO @ Authentic8, leading the global go-to-market for Silo, a platform for secure and controlled access to the web....