Is Poor Security Worse Than No Security?

As Lead Systems Engineer (EMEA) at Tripwire, I’ve had the pleasure of sitting down with and talking to many prospective customers about their security needs. I always ask about their existing digital capabilities during our talks. When I do, I usually get the following response: “We have lots of different tools but these solutions are either misconfigured or not used often.” I can’t tell you how many times a prospective customer has told me something along these lines. After hearing it over and over again, I couldn’t help but wonder: is no security possibly better than a state of poor security where you falsely believe that you are in fact adequately protected by existing tools that might be misconfigured or rarely used? Is this false sense of security worse than no security, in other words? As I see it, there are two sides to the argument. On the one hand, it’s better to have something than to have nothing. When something goes wrong, you’ll, therefore, have forensic evidence of where it went wrong and what you can use to try and mitigate it the next time it happens. On the other hand, the damage is already done at that point. The company’s sensitive data is compromised. Its intellectual property exposed. Its reputation tarnished. There’s nothing that can be done to spare the organization from the consequences of the already successful security incident besides saying, “We’ll do better next time,” and implementing changes that will hopefully help you keep your word. But propping up a system with more technology that won’t be frequently used or correctly configured does not make for a meaningful post-data breach security upgrade. More than that, it’s not smart from a financial standpoint. Your organization can’t afford to keep throwing thousands if not millions of dollars at solutions that aren’t used. Neither can it endure the burden of continually hiring more and more professionals to manage and efficiently interact with those tools. (That is if they can even find skilled personnel in the first place.) Budgets are limited, and there’s usually not enough resources to fuel such a frenzied digital defense strategy.

So, what should organizations' security look like?

It makes a lot more sense for organizations to ditch all of the unused, misconfigured security solutions. Instead, they should spend their money on a single tool and dedicate their resources to getting it working properly, so that they can extract tangible evidence. They can then use those findings to assign teams who can deal with a security process at hand and make measured changes according to their employers’ evolving business needs. Think of all of the pain and suffering an approach like this could spare an organization! Indeed, when you think about leveraging underused or misconfigured tools, it’s most often the case that an organization isn’t doing what they’re supposed to be doing. Such negligence (when exposed) commonly results in someone getting into trouble. For instance, C-Suite executives could single out a team, a manager or employee and blame them for the whole incident. In the context of GDPR, the ramifications could be even more serious. An organization could incur serious penalties that could limit its ability to conduct business going forward. By contrast, the act of embracing a single solution and using it to assign teams creates more accountability for everyone in the organization. More accountability means fewer opportunities for people to renege on their individual responsibilities and more chances for employees to support one another in the context of the organization’s digital security culture. This is what happens when there is less confusion and not so many security tools deployed. Of course, not any security solution will do. Organizations need one that specifically focuses in on foundational controls like asset discovery, vulnerability management and secure configuration management. Travis Smith, principal security researcher at Tripwire, tells us why it’s important that such a solution should focus on these basic security measures:

"Foundational controls really do work. Just implementing the first five controls can prevent 85% of the most common cyber attacks. Implementing all 20 controls will prevent 97% of the most common cyber attacks, all by following guidelines that are at your disposal."

Those are some impressive numbers! Clearly, it’s in organizations’ best interest to find a solution that integrates as many of these security controls as possible. Learn how Tripwire covers 14 of those top 20 controls.