Vacuum cleaners and cybersecurity
The other day I was vacuuming the flat. Naturally, as one does, my mind was wandering various places to keep myself entertained whilst doing an otherwise autopilot task - one can only be present for so long whilst cleaning the house. Suddenly, my thoughts were rudely interrupted when the vacuum cleaner failed to pick up a sunflower seed from the floor. I ran hopefully over the offending seed several times, each time with increased disappointment when realising it was still on the floor.
At this point, I started a debate with myself. Have vacuum cleaners actually improved in the last 10 years or so? As I bent down to pick up the sunflower seed I noticed the vacuum cleaner was blocked. Despte emptying it before starting, it had blocked itself with, get this, dust and fluff. How, after thousands of years, have we still not managed to create a vacuum cleaner which effectively picks up weightless dust and bits of fluff. I also noticed when inspecting the device closer, the spinning brush had clogged up with hair.
Fascinatingly, humans still have hair and that hair still ends up on the floor. When this vacuum cleaner was sold to me, the sales person was convinced it was going to change my life. He was very excited about the Pro Turbo Brush and Cyclone System. Even the name sounds sexy: Crossback 29.6 Lithium.
As we can see, experience has taught me otherwise.
That got me thinking about cybersecurity. The similarities are beautiful. The security industry has created thousands of technology solutions for thousands of problems, some of which I truly think were made up. The majority of so-called threat intelligence and dark web monitoring is about as appropriate as using a vacuum cleaner in the garden.
That said, some security technology solutions invented over the last years are brilliant and absolutely necessary. Tools such as password managers, multi-factor authentication and honeypots are low cost, low effort and highly effective at protecting organisations from the most common types of data breaches.
But a lot of solutions are only relevant for the 1% of organisations, those with thousands of employees, devices, and technological complexity. Yet those solutions are often branded as solutions to all problems, and needed by all organisations. Worse still, many of them tend to use fear marketing to sell. This makes me sad.
It is worrying that, like the humble vacuum cleaner, the security industry is spending time, money and talent creating the next model, the next piece of software. One could argue that a much cheaper, smaller, simpler and more environmentally friendly option is more effective and efficient than a vacuum cleaner. A solution which helped witches fly since 1453.
The humble broom. It’s beautifully simple. Not only does it survive without being charged (underappreciated these days), it also helps us exercise our backs. It costs 10% of a vacuum cleaner, lasts longer and probably isn’t shipped from China.
Moving this back to security. Over the last 10 years, the vast majority of data breaches have been caused by just three things:
Errors (e.g. sending emails to the wrong people and not protecting websites and data storage)
Phishing / scams (such as those which claim to represent your bank in order to steal your money, or claim to have a parcel for you)
Poor passwords (such as monkey123, password2023, ProTurboBrush)
Software bugs (aka vulnerabilities)
Yet, the vast majority of solutions focus on niche issues which aren’t related to those 4 long-standing problems. Things haven’t changed much. Breaches are increasing, costs of breaches are increasing, cyber criminals are still a few steps ahead. For the most part, we don’t need to reinvent the wheel. And that applies to all the new technological advances we are starting to see. AI, blockchain, smart toasters, you name it.
For most of us, especially smaller organisations (1-100 employees), we just have to start with the basics. There are broom equivalents of healthy practices which don’t cost the earth and aren’t complicated.
So, if you take anything away from this rant of today’s vacuum cleaners, it is this, use the security equivalent of a broom to secure your organisation.
Give all employees access to a password manager (and teach them how to use it well)
Train them (empathetically, engagingly and entertainingly) on the latest security threats and how to act if they see something suspicious or if they clicked on something bad
Regularly update your software
Measure how secure you are today before spending more time and money on “cordless, next generation suction” security technology.
On that last point. You can’t manage (well) what you don’t measure. We have a 5 min, simple quiz which will give you a score out of 100.
These practices are effective, low cost and reliable methods to prevent data breaches. They are also proven with facts and data.
Sure, there are many more things to do. But start with a broom.
Vacuums suck, and sometimes they don’t even do that.