
A Walk Along the Cyber Security Poverty Line

By Sean Tickle


The cyber security poverty line is a concept devised by Cisco’s Head of Advisory CISOs, Wendy Nather. It was coined as a way of separating the ‘haves’ and ‘have-nots’ when it comes to what we class as ‘acceptable’ levels of cyber security services. 

We can think of the cyber security poverty line as a threshold, one which divides organisations into two categories: those that are able to implement essential cyber security measures effectively – this includes maintaining their security posture and protecting data – and those that, well… can’t.  

Largely, the companies operating beneath the cyber security poverty line (and, indeed, those at cyber security ‘rock bottom’, as it were) lack the resources, skills, and budget to implement and maintain essential security measures. This can involve dealing with crippling legacy technical debt; a general lack of engagement with, or possibly understanding of, effective security practices and tools; and the consequent loss of morale (and even dangerous apathy) within the IT/security team itself in the wake of cyber poverty.

Speaking on organisations working at or under the cyber security poverty line, Cyjax CISO, Ian Thornton-Trump, describes circumstances as “more of an emotional state” wherein “cyber security leadership has abjectly failed.”

We can understand this insight since cyber security poverty is, indeed, a vicious cycle. Much like financial or social poverty, it involves a downward spiral which can further limit access to helpful resources, resulting in organisations feeling overwhelmed and unable to make decisions. After all, as security resources become more and more insufficient, risk grows, and security compromises and disruptions to service frustratingly increase.

Ultimately, cyber security poverty results in already scarce resources (that could have been invested in cyber security) being devoured – it’s a constant battle against the security tide.

So, what constitutes ‘acceptable’ cyber security?

We’ve discussed what can happen beneath the cyber security poverty line, but what do we need to do to walk above it?

The concept of a cyber poverty line is nebulous; it may allow us to identify a minimal, ‘acceptable’, level of resource for adequate protection from cyber threats and adherence to compliance regulations, but we must also be careful not to define the line as simply where organisations are able, or not able, to purchase and use ‘essential’ security controls.

This is because ‘essential’ can vary incredibly between different companies. For a cloud-native SaaS company that needs to secure data and workloads in the cloud, ‘essential’ will look very different from what it means to an SME, a young business, or even a public sector organisation, for example.

It might make sense instead, then, to think of the security poverty line as a divide between those organisations that have access to the cyber security expertise they need, whether by supporting this function in-house or by engaging an external cyber security service provider, and those that cannot access the skills necessary to implement appropriate and tailored security measures.

Think of it this way: the constantly evolving nature of security threats and vulnerabilities, not to mention the increasing complexity of modern software systems, requires that organisations constantly upskill and train their security teams on the latest developments, approaches and tools. To stay operating above the cyber security poverty line, then, requires ongoing access to new skills and resources, as well as an understanding of what’s needed, what’s available, and what’s appropriate for the organisation in question.

Is this a shared responsibility?

The 2023 Microsoft Digital Defense Report (MDDR) underlined the imperative of partnership in cyber security, asking about the cyber security poverty line “who is below it and how can we work together to support them to rise above it?”

It’s an interesting question, and one which seems to indicate that the security poverty line could act as a trigger point for organisations, or even governments, to step in and support those they interact with to ensure safety and protect people.

It really does no one (or no business) any good to have others operating below the cyber security poverty line – after all, it only takes one supplier, one employee, or one unsecured device to provide an entry point for malicious actors. In this sense, ensuring all businesses operate above the cyber poverty line is everyone’s business: from technology and software manufacturers building safer devices and applications, to security leaders sharing intelligence and collaborating to innovate inside the security space. This also includes organisations such as the National Cyber Security Centre (NCSC) setting common standards and measures of cyber security best practice, e.g., the Cyber Assessment Framework (CAF).

I think the MDDR said it best, “as much as any individual company’s shareholders would like it to be so, no one technology company can solve or overcome every cyber security challenge. Partnerships across the technology community are an absolute necessity to ensure organisations of all types and sizes, in every industry and region, can protect themselves.”

What if your organisation is suffering cyber poverty?

If you are worried about your organisation walking, or even falling beneath, the cyber security poverty line, it is best to act fast and consider your options. There are actions you can take, even with limited resources, to develop a healthier security posture. These may include:


Investing – yes, I understand this might be difficult if finances are tight, however, as revenue grows (or with what revenue you have), it makes sense to prioritise cyber security, allocating a portion of the budget to safeguard your data and infrastructure. Even small steps can make a big difference, e.g., consider mandating multi-factor authentication and least privilege access controls.

Educating employees – user education helps to inform and empower employees, imparting the knowledge they need to recognise and protect themselves in the event of an attempted cyber attack. Ensure you provide training on how to spot common attacks, including deploying simulated, defanged phishing attacks to test the susceptibility of users to falling victim to a phishing scam. Further training can then be quickly deployed to any employees that need it.

Adopting user-friendly tools – it’s easier to manage security with a unified software platform rather than through a large stack of different solutions. A unified endpoint management (UEM) platform such as Microsoft Intune provides one place from which admins can protect data, manage end user access, and support end users.

Unite processes and people – beating cyber security poverty isn’t all about money. Although it can help, one of the most important things organisations can do to get on top of security is to define clear processes for behaviours and actions of users. A strong culture of security education and teamwork underpins a robust security posture and uniting people, processes and technology can help you establish cyber resilience.

Instilling zero trust – zero trust networking is a security model used by infrastructure teams to mitigate the risks associated with unauthorised network access. Just as it sounds, inside a zero trust network, trust is never a given (even for those who work inside the company that owns the network) but is continuously verified, offering improved security and reduced risk.


If you’re worried about beating the cyber security poverty line – or just want to implement more effective, proactive cyber security – please get in touch with our specialist team using the get in touch button on this page.
