Since it was first conceived in 2011, the idea of a cybersecurity poverty line has been used to separate the "haves" from the "have nots" of information security. But much like economic poverty, much of the concept is relative to individual circumstances. Yes, there is a breaking point common to both: homelessness and hunger on one side, going out of business after a breach on the other. But even companies teetering on the edge of the cybersecurity poverty line can get by if they are self-aware and intelligent about the resources they do have.
Origins of the Term
Wendy Nather, security researcher and former CISO, was the first to talk about the "security poverty line," as she called it, back in 2011. As an industry thought leader, Nather was interested in identifying who fell below the line because those companies represented an addressable market for the products and services her employers provided. But Nather knew from the beginning that solving security poverty was not just about lowering prices; it was about right-sizing solutions to the needs of individual businesses.
Before we can understand the concept, we need to look closely at the word "poverty." Poverty is not always about money. Yes, it can mean being extremely poor financially. But it can also be defined as "the state of being inferior in quality or insufficient in amount." A lack of finances can lead to a lack of cybersecurity infrastructure, but even companies with plenty of money can be poor in cybersecurity. Let's look at how this can happen.
Who Is at Risk?
While any organization can fall below the cybersecurity poverty line, some are more likely to land there than others. One of the biggest risk factors is a lack of self-awareness. Organizations need to understand two things: how valuable their assets are to an attacker, and how easily that attacker can reach them.
High-value assets sit inside the perimeter of healthcare companies, educational institutions, local governments, and industrial companies. These are the big fish most likely to be targeted by attackers willing to put in the work for a major score. High-risk targets usually know they are high-risk and have committed resources to some kind of cybersecurity solution. But a lack of awareness can lead to money being poorly spent: an expensive off-the-shelf product can still fail to meet the needs of a specific business.
Other organizations, such as start-ups, small and medium-sized businesses, and charities, are attractive to attackers not so much because of their assets but because they are easier to get into. These businesses are often stretched thin just trying to keep day-to-day operations running, and cybersecurity takes a back seat to keeping the lights on. Many of them could rise out of cybersecurity poverty by implementing a handful of basic practices.
Surviving Below the Line
It is a myth that a low budget must mean high risk. Security expert Brent Deterding offers a cybersecurity analogy we can all relate to: even on a very low budget, everyone can commit to basic hygiene, whether physical or digital. Brushing your teeth with a cheap manual toothbrush yields great results as long as you are consistent and committed to the process. In the same way, every company can commit to inexpensive baseline practices that mitigate a large share of its risk.
Businesses with modest revenues and smaller profits are often below the cybersecurity poverty line. Security feels either too expensive or too technical to be relevant to them, and they often assume their IT department is covering it. The reality is that these teams are technology experts, not security professionals. The good news is that these businesses are also often low-value targets, so they can get by below the poverty line, or rise above it, with relative ease.
Inexpensive or free ways for a low-risk company to mitigate threats include:
- Initiating or strengthening the use of multifactor authentication and VPNs
- Creating a reporting system for cybersecurity issues
- Instituting regular meetings for information sharing and basic training
- Requiring good password management practices
For other businesses below the cybersecurity poverty line, a certain amount of financial investment makes sense. The first step is self-awareness: identify what is causing you to fall short of your needs. It could be long-standing tech debt, a lack of management support, or a lack of knowledge about cybersecurity in general.
Once you have established why you have fallen below the line, work out which existing programs, in-house or public, can be leveraged to help you rise. Free services that monitor blocklists, warn of newly exposed ports, and run vulnerability scans against your public address ranges (the NCSC Early Warning Service in the UK, for example), along with free alert feeds such as CISA's NCAS in the States, can help you lock down your external attack surface while you pursue additional solutions.
Any company that has fallen into cybersecurity poverty needs a champion for the cause of rising above the line. Depending on your budget, consider promoting, hiring, or contracting someone who can be a compelling storyteller and "sell" the importance of cybersecurity to both executive leadership and employees.
Finally, companies below the line may need to adopt a risk-based approach. Identify your organization's "crown jewels" and prioritize their protection, then work outward from there within the constraints you have been handed.
As we move toward 2024, the definition of the cybersecurity poverty line will continue to change. A key factor in staying above the line will be the ability to remain secure through ongoing digital transformation. Continued migration to the cloud and the move toward zero trust will add new stressors, pulling unprepared organizations down closer to the line.
Knowledge matters more than money when it comes to staying at or above the cybersecurity poverty line during times of complex change. Money can buy you disconnected tools and a dangerous level of complacency. Focus instead on improving your own knowledge and your employees' by continuously upskilling. Training empowers employees to be a link in the defensive chain that lifts your organization above the cybersecurity poverty line.