Benjamin Franklin said that “An ounce of prevention is worth a pound of cure.” Of course, Ben was talking about health, not cyber security. (Then again, he also had gout, perhaps from a little excess of alcohol, so maybe could have done more in the prevention department). But this sage wisdom applies to many fields.
In the world of cyber security, preventive measures vary, but under that heading might be everything from system updates and hardware upgrades, to employee training and protocol design–anything to mitigate threat potential. “Cure” is the response to cyber security breaches. Which is better, and can you even have one without the other? We’ll take a look.
A Difference in Mindset
One common question is, how do systems even have such vulnerabilities? Why don’t software developers just create code that cannot leave a door open for attack? While viruses like WannaCry and NotPetya revealed vulnerabilities that could be exploited and required system patches, they are only one kind of attack. True, such widespread worm-like attacks can be stopped by patching vulnerabilities in code, but other ransomware, cyber threat, attacks to systems (like DDoS attacks) and so on, don’t use the same types of weaknesses at all. Even perfect code would not prevent cyber attack.
That being said, coding versus hacking is a very different mindset. The software developer seeks to create the swiftest and most workable solution to problems–from apps-based systems that users see to the backend programming of cloud storage, development is a form of creating. Copying existing lines of code, building off of existing systems, and utilizing known solutions are all part of the development process. Hacking is the opposite. If coding is building a chain, hacking is looking for the weakest link. You can’t possibly prevent every hack, any more than you can prevent every type of attack.
Effective cyber security solutions, then, doesn’t include perfect code. It does, though, include an assessment of all of those points of the chain that might represent a vulnerability. Some of those weaknesses are a quick fix. WannaCry, Petya, and NotPetya involved NSA-grade hacking tools, but Microsoft had already issued the patches. The problem, as nearly every company now knows, had to do with outdated systems–those utilizing older versions of Microsoft tools were no longer supported.
Eventually, Microsoft also released the patches for the older systems, but using antiquated, unsupported legacy systems is a huge problem in many industries. The cost of upgrading all of those systems is high, but then so was the cost of a viral attack of that magnitude (now estimated in the billions). In this case, prevention and cure were the same solutions–update and patch.
Get Ahead of the Curve
The cure is the patch, the response and, sometimes, outside support for a swift threat mitigation. Such cures can be costly, more so than effective prevention in the first place. And there is where old Ben Franklin’s advice really comes in: cure can be very useful, but prevention safer.
When you apply a cure to a solution, though, and mitigate a current threat, you have measurable results. Anyone whose kitchen is on fire is glad they paid for a fire extinguisher, but it’s harder to justify the cost of the fire extinguishers in the first place. They take regular maintenance. Someone has to be responsible for them.
The prevention against cyber security threat is better planning, better foresight, and less expensive in the long run, but tougher to observe the results. Yet, across the globe, federal governments are moving in the direction of holding individual companies financially responsible for threats spreading, like NotPetya. Get ahead of the curve and prevent.