Doing the Basics
It’s weird, isn’t it? Year after year, report after report concludes that most cyber incidents could be prevented through basic hygiene. I mean, it’s not weird that the reports come to that conclusion. But it is weird that it’s still being reported.

Source: Microsoft Digital Defense Report 2023
In 2021 the Irish National Health Service suffered a ransomware attack. When the dust had settled, they asked PwC to take a look at what had gone wrong. PwC’s key points were: there was no-one with overall responsibility for security; there was nobody to investigate the alerts that were being raised; and there had been little to no patching (tens of thousands of machines were running an unsupported version of Windows, and the antivirus signatures were a year out of date).
It was a similar story when the Electoral Commission got hacked in 2021. They’d failed a Cyber Essentials audit at about the same time, with the same sorts of issues – unpatched and unpatchable devices and operating systems, together with a lack of monitoring. Most sources point out that by 2023, when the breach was announced, the Commission still hadn’t re-applied.
Enough said. This isn’t rocket science, and at a rough guess it wouldn’t cost a fortune to implement. But it’s not happening – the 2022 DCMS security breaches survey reported that only 6% of businesses taking part had achieved certification under Cyber Essentials, and only 1% at Cyber Essentials Plus.
And here’s something odd. The 2024 survey reported that although many businesses had measures in place in all five of the areas covered by Cyber Essentials, they still weren’t seeking certification.
Almost as though voluntary certification had no business value for them.
Like I said, weird.
Reasons for Investing
If you asked twenty people why companies aren’t even doing the basics, you’d probably get twenty different answers; so instead, it might be more productive to ask those that do buy cyber why they buy.
That was the research question in a study by Cavusoglu et al., who examined the relative impact of mimetic pressure (following what other people are doing), coercive pressure (meeting the needs of industry partners or regulatory bodies), and normative pressure (following best practice).
It’s a detailed and valuable study, and I don’t mean to do it an injustice, but my take-aways were… Nobody invests in cyber just because they see their competitors doing it. And investing to meet regulatory pressures is generally seen as a no-brainer. No business case required. Although, if you want to invest to follow best practice, you’ll need to provide a formal justification. Bottom line, organisations seem to be happy to invest when they have to demonstrate compliance. The idea of spending money on improving security for its own sake, however, tends to be met with a less enthusiastic response.
The Benefits of Compliance
The obvious answer, then, would be to enact new legislation forcing people to do the basics. The existing requirement for Cyber Essentials as a baseline for certain types of UK Government contract, for example, could be applied more widely and more stringently.
Seems like a good idea. Or is it?
A Gartner report in 2020 looked at these issues. Again, a really interesting study. The central point is summed up as below:
“Executives believe that compliance will save them. Many of them know or sense the reality that compliance does not equal protection, but the regulators give them no choice. At worst, compliance forces us to spend money where we don’t need it and keeps us from investing where we should.”
An industry body report in 2020 interviewed over one hundred business leaders, asking whether or not their investments in cyber had led to any benefit. The adoption of a compliance-based approach against primarily technical standards was a common theme. Ninety percent of respondents agreed that security technology often doesn’t work as promised, a situation which they said “compromises defences and is partially responsible for the continued success of attackers”.
Looks as though forcing people into compliance carries with it a number of unexpected side effects. Such as not actually working.
Doherty and Fulford took two groups of companies, one with a documented security policy and one without. The researchers expected to see a statistically significant difference between the two groups, in terms of the numbers of security incidents and/or their severity. After all, a security policy indicates a commitment, right? Well, apparently not. There was no significant difference between the two groups. Having a policy in place doesn’t imply greater levels of protection.
Nevertheless, enforced compliance remains at the heart of the burgeoning array of EU cyber legislation. Under the current UK version of the Network and Information Security Directive for example, the National Authority can impose fines for non-compliance (up to £17M), and can also impose fines for non-reporting of near misses (i.e. the non-reporting of an incident that didn’t actually take place). I can see the point, but it depends critically on each party’s interpretation of “near”. Anecdotally, the ICO saw a huge increase in workload when GDPR came in, because people were reporting anything and everything, just to be on the safe side; to the extent that actual breaches became lost in the noise.
The Cost of Compliance
The first version of the NIS Directive was the subject of an impact analysis in the UK, which estimated that the implementation costs over a 10 year timeframe would be about £400M. It also noted that “a 5% reduction” in the number of companies suffering a breach would be a reasonable outcome.
There were 422 large companies deemed to be essential service providers within scope for NIS1. The contemporary (2017) DCMS survey estimated that the mean cost of breaches affecting large companies was around £19,600. Assuming that all of those 422 companies would have had a breach in a normal year (and that’s a bit pessimistic), the savings come to about £400k per year. That’s £4M over the ten years, assuming every year is a normal year. In case you haven’t got your calculator to hand, that’s a return of about one percent of the cost of implementation. I suppose, rough figures, that would equate to about a 100 year payback period.
Although… 🧐 … the 2022 breach survey noted that only about 11% of businesses suffered incidents that would come under the definition of cybercrime. That’s reported elsewhere on this very website. The same report then discounts no-impact phishing attempts, to arrive at 60-odd instances out of a total sample size of about 2,300 (i.e. only about 2% of businesses suffered a non-zero impact). So the calculation really ought to be: 5% of 2% of 422 companies times £19,600 per company. Take away the number you first thought of, add two, divide by the number of days in January… you should get to a payback period of about 5,000 years. It’s ok, I can wait…
Two years on, a Post Implementation Review (PIR) looked at how we were doing. It concluded that “… a minimum of 39% of large [service providers] who responded to the survey spent more than the high estimated additional costs per business (£200,000). A minimum of 27% of large [digital service providers] who responded spent more than the high estimated additional costs per business (£50,000)”.
It also found that “… given the nature of cyber breaches and the complex factors involved, it will not be possible to attribute incidents as having been prevented by measures taken under the Regulations” and that “It is also not possible to quantify whether there has been a reduced impact of incidents”.
That is, the level of expenditure was much greater than expected, and there was no way of detecting any consequent benefit. Research looking into the effects of GDPR found a similar picture, with an overall profit reduction of 8% for those companies within scope, mostly due to unexpectedly large levels of expenditure.
Achieving Engagement
Bearing in mind that the revised NIS Directive also makes senior managers personally responsible for the outcomes of the actions taken by their security team, I’ve created a handy infographic which managers may wish to cut out and keep.

The problem with enforced compliance is that it confuses ownership with involvement. Assaf points out that legislation is not the only way Government can work with industry. The options range from e.g. nationalisation of CNI companies at one end, through to leaving everything to market forces at the other. But there are options in the middle, such as regulated self-regulation. Under that approach, industry bodies and Government agree on what security looks like in that sector, and companies are left to implement the requirements as they see fit, with the industry body monitoring adherence to the agreed behaviours. That way, companies are at least engaged in the process. Others have made the same point, saying that anything up to 80% of the CNI is in private hands, so some form of partnership is inevitable. Companies and industry bodies commenting during the NIS2 consultation phase made the same point, loud and clear. There’s a ton of evidence and a very strong argument that collaboration would be more effective.
However, enforced compliance is seen as the way to get people to invest. The problem is, when you teach people that compliance is important, you also teach them that other stuff isn’t important. Such as actually owning security.
Alternatives
At this point, I could wax lyrical and suggest ways in which the global cybersecurity market could be ‘corrected’. Indeed, I’ve seen calls on social media for the cyber industry to get shaken up, to get them to deliver, to stop rinsing the customer. It’s a laudable aim, but misplaced. Given that Governments want a healthy, growing, profitable cyber industry (a vision shared perhaps not surprisingly by the industry itself), nobody’s going to rock the boat. And at the end of the day, customers are getting what they’ve been told they want – compliance.
Personally I’d be happy just to get a more widespread application of the basics. Which is where we get to the subject of the article – why security change is hard. The current situation is very, very stable. Everyone’s getting what they want. Why would any of the parties to the discussion shift their position? For the cyber industry in particular, they create the standards, check you against them (for a fee), and then sell you the kit you need to get there. It’s a sweet deal.
If you want the situation to change, you either have to introduce a new party to the discussion (such as an industry body), or get one of the existing parties to change their position (e.g. customers start asking for something different from the cyber industry). That’s not impossible, but it’s a big ask, mostly because it relies on switching attention away from developing the cyber industry, and towards the idea of achieving protection.
Selected Sources
- Microsoft (2023). Microsoft Digital Defense Report 2023. Available from: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/10-essential-insights-from-the-microsoft-digital-defense-report/ba-p/4022783
- Cavusoglu, H., Cavusoglu, H., Son, J. Y. and Benbasat, I. (2015). Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources. Information & Management, 52(4), pp. 385-400.
- Proctor, P. (2020). The Urgency to Treat Cybersecurity as a Business Decision. Gartner. Available from: http://www.gartner.com/en/documents/3980891/the-urgency-to-treat-cybersecurity-as-a-business-decisio
- Debate Security. Cyber Security Technology Efficacy: Is cybersecurity the new “market for lemons”? Available from: http://www.debatesecurity.com/downloads/Cybersecurity-Technology-Efficacy-Research-Report-V1.0.pdf
- Doherty, N. F. and Fulford, H. (2005). Do information security policies reduce the incidence of security breaches: an exploratory analysis. Information Resources Management Journal, 18(4), pp. 21-39.
- NIS Regulations: Impact Assessment. Available from: https://www.gov.uk/government/publications/nis-regulations-impact-assessment
- Post-Implementation Review of the Network and Information Systems Regulations 2018. Available from: https://assets.publishing.service.gov.uk/media/60251d7c8fa8f5038238e996/CCS207_CCS0320329850-001_Network_and_Information_Systems_Regulations_Post-Implementation_Review_Web_V2.pdf
- Assaf, D. (2008). Models of critical information infrastructure protection. International Journal of Critical Infrastructure Protection, 1, pp. 6-14.
First published 31st May 2024