There’s a prevailing mindset that suggests if organizations ban all the things that pose risks to overall cybersecurity, they’re taking the most effective approach to make their organizations secure.
Initially, that line of thinking seems sensible in some regards. After all, if the aspects that threaten cybersecurity aren’t allowed at all, the problems they pose could never crop up.
But that belief is far too simplistic. Other interventions must occur to make cybersecurity a priority, whether it’s for specific websites or entire establishments.
1. Bans Could Limit or Prevent Access to Technology
Officials associated with the U.S. government are aiming to block Huawei components from entering the country’s marketplace if they’re used on communications equipment. The argument is that those parts compromise the nation’s security.
But it’s a short-sighted approach since all the nation’s telecommunications providers already depend on equipment from Chinese manufacturers. Instituting a ban on Huawei goods could prevent companies from getting federal funding that increases access to technology in communities with limited internet access.
Moreover, the economical prices associated with Huawei equipment make the items fit the budgets of small carriers that cannot afford pricier goods. If telecommunications providers no longer have the option to buy and use Huawei merchandise, the households and businesses in rural areas may have no means for getting internet access.
Instead of focusing on individual companies and prohibiting those from selling goods to companies in the U.S., it’s preferable for the country to develop a comprehensive national security strategy that’s not brand dependent.
2. Existing Cybersecurity Plans Generally Fall Short
A report from the U.S. State Department warned that it’s still easy to find cybersecurity vulnerabilities at public and private organizations despite increased investments meant to protect the respective networks.
A plan that only involves banning specific software titles or manufacturers isn’t robust enough because it’s not all-encompassing. Instead, organizations need to carry out intensive security audits and identify all the weak points in the networks and proactively try to minimize them.
In many cases, they can do this by implementing some of the most promising technological strategies. For example, context-based authentication and authorization use analytic data to calculate a risk score that determines whether to grant, deny or challenge a person’s access attempts.
Plus, if organizations attempt to ban software on workplace computers, that step might not be sufficient because so many people use mobile devices and apps to access workplace content from home, and their employers likely don’t know it’s happening.
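The context-based authentication described above, shown here as an added Python example that is not code from the article or from any product. The signal names, weights, thresholds and sample logins are assumptions constructed for illustration; the point is that a personal phone used from home is challenged rather than banned outright.

```python
import math
from dataclasses import dataclass

# Weights and thresholds are illustrative assumptions, not values from the article.
WEIGHTS = {"new_device": 30, "unmanaged_device": 20, "off_hours": 10, "impossible_travel": 45}
CHALLENGE_AT, DENY_AT, MAX_KMH = 30, 70, 900  # 900 km/h is about airliner speed

@dataclass
class Login:
    device_id: str
    managed: bool        # enrolled in the employer's device management
    lat: float
    lon: float
    ts: float            # epoch seconds
    hour: int            # local hour, 0-23

def km_between(a, b):
    """Great-circle (haversine) distance between two login locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    h = (math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2)
         * math.sin(math.radians(b.lon - a.lon) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def risk_score(attempt, last_good, known_devices):
    """Sum the weights of every signal that fires; cap the total at 100."""
    hits = []
    if attempt.device_id not in known_devices:
        hits.append("new_device")
    if not attempt.managed:
        hits.append("unmanaged_device")
    if attempt.hour < 6 or attempt.hour >= 22:
        hits.append("off_hours")
    if last_good is not None:
        hours = max((attempt.ts - last_good.ts) / 3600, 1 / 60)  # avoid divide-by-zero
        if km_between(last_good, attempt) / hours > MAX_KMH:
            hits.append("impossible_travel")
    return min(100, sum(WEIGHTS[k] for k in hits)), sorted(hits)

def decide(attempt, last_good, known_devices):
    """Map the score to the three outcomes: grant, challenge (step-up) or deny."""
    score, reasons = risk_score(attempt, last_good, known_devices)
    action = "deny" if score >= DENY_AT else "challenge" if score >= CHALLENGE_AT else "grant"
    return action, score, reasons

# Constructed sample data: last good login from an office laptop in New York.
KNOWN = {"laptop-01"}
LAST_GOOD = Login("laptop-01", True, 40.71, -74.01, ts=0, hour=9)
OFFICE = Login("laptop-01", True, 40.71, -74.01, ts=3600, hour=10)
HOME_PHONE = Login("phone-07", False, 40.73, -73.99, ts=7200, hour=20)
FAR_AWAY = Login("pc-99", False, 1.35, 103.82, ts=3600, hour=3)
```

Returning the reasons alongside the score lets the decision be logged and audited, which also surfaces the unmanaged devices an employer would otherwise not know about.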
3. Risks Are Not Always Apparent
It could take weeks or even months before organizations realize certain kinds of software may be detrimental to their overall cybersecurity strategies. That’s especially true because such findings are often discovered by diligent independent researchers who sound the alarm for the benefit of the public.
The Amazon Echo is one example of a gadget with software that’s had some gaping holes. In one instance, researchers illuminated an issue that could allow hackers to listen to, transcribe and transmit things people said after they used an Alexa skill that seemed legitimate.
Amazon quickly responded to the incident and fixed the problem. However, this case study proves it’s not always possible to tell whether software is risky or safe. People use Alexa daily without problems, but that doesn’t mean the software is trouble-free, nor that companies should rush to ban it.
If companies are too quick to disallow some kinds of software, they could prevent employees from accessing things at their workplaces that are genuinely helpful. In short, there is not a straightforward, fail-safe method for determining if a piece of software is safe or problematic. Even the most well-built software can have shortcomings.
4. We’re Living in a Global Economy
Wayne Jones, the chief information officer at the National Nuclear Security Administration, points out that instead of enforcing bans, the better approach to take is to figure out how to use software in ways that protect a company’s information.
He also brought up how we’re all living in a global economy, and that’s another reason why software bans don’t have the intended effect of bolstering cybersecurity.
The people who develop software and work on other tech-related projects often originate from foreign nations.
If the U.S. made a federal decision not to use equipment made by Huawei, would that ruling eventually progress to prevent anyone with past ties to the company from working for a United States business, then bar people from certain nations from taking tech-related jobs in the U.S.?
If so, the United States could find its tech development efforts substantially hindered, not to mention spend a significant amount of time determining which equipment features parts manufactured by countries on a theoretical “banned” list.
A Proactive Stance Is Essential
One thing people must remember is that cybercriminals tend to find ways to infiltrate systems even when doing so means overcoming obstacles. That means an outright ban on software — or anything else that might compromise cybersecurity — isn’t advisable.
Instead, organizations of all sizes must show proactiveness and learn to monitor for threats, counteract infiltration attempts and tighten their infrastructures when necessary.
The post Why Banning Risks to Cybersecurity Doesn’t Actually Improve Cybersecurity appeared first on Security Affairs.