Cybersecurity Propaganda: Sorting Fact from Fiction

According to the World Economic Forum, as reported in this article by Cybernews, cybercrime has grown to rival global economies such as the US and China. With cybercrime on the rise, a wealth of information has sprung up from a variety of unexpected sources, many making wild claims. In perusing some recent news feeds, headlines such as “Automation is no longer the future of cybersecurity: It’s the present” and “Cybersecurity: Don’t assume you have better defenses than bad actors, data protection company says” lead the charge. At a glance, these headlines seem to imply one new tool or behavioral change will fix all your security woes.

As it turns out, much of the information being published about cybersecurity is actually marketing material from one vendor or another hawking a particular product or service. Look closely at the source of the material. Is it sponsored, and if so, by whom? Or does it come from an industry vendor that sells a related product or service?

This blog is an example of self-sponsored material, though we expressly pledge NOT to hawk our products or services in the articles we publish. Regardless, knowing much of the reading material available on the Internet is sponsored might help to shed light on the unbelievable headlines and unrealistic claims being made. These are just thinly veiled attempts at enticing the reader to stick around long enough to get to the punch line about their product, or at least cough up some personal data to be used for a later contact or cold call. If nothing else, it should encourage readers to view the material with a more critical lens, challenging unbelievable claims and assertions.

Some vendors do provide relevant information as part of their sales pitch. In these cases, is it really such a bad thing if a company ends up educating users while trying to sell their products? The simple answer is that it depends.

The truth is, like most things, cybersecurity is a complex topic. There is no single tool, service or strategy that will fit all needs across the spectrum. And what works for personal security strategies may not work for business. Even seemingly similar problems may call for different tools or strategies when examined more closely. If any vendor pledges to solve all of your cybersecurity troubles, run away. You would probably have the same amount of success if you instead bought some snake oil from a seedy salesman who also sells Rolex watches for $50 each on the subway.

To illustrate this point, let’s look at the topic of password management. A personal password strategy that allows for uniqueness using a rotation or substitution scheme for a single individual’s accounts and passwords may be a marginally acceptable strategy for protecting sensitive login data on a personal scale. That same strategy would never scale for even the smallest of businesses with more than one employee. There are just too many passwords needed to ensure uniqueness. Not to mention, it would most likely result in all employees knowing or being able to guess most of the company’s important passwords.

Another good example illustrating differences between personal and business security strategies would be using a free DNS filtering service to help block malware. Although a good idea for personal or home use, such products often expressly forbid commercial use without a paid subscription. In this instance, what works for an individual would in fact result in legal issues and financial penalties if used on a business scale. These examples clearly highlight the need for separate business and personal security strategies. But, what other factors should be considered when evaluating the trustworthiness of security news, products, and business services?

A second factor to consider as part of cyber media consumption is the concept of propaganda as a marketing strategy. When evaluating a particular piece of information or marketing material, first assess the problem it purports to solve or the claim it makes. Is this a real problem? Seek facts from non-vendor sources to confirm. Once confirmed, determine if your business has that particular problem. And most importantly, determine if the problem causes operational pain or monetary loss for your business.

Some vendors employ a common strategy of weaponizing fear, uncertainty and doubt (FUD) in the cybersecurity industry in order to persuade a customer to buy their products. They make wild claims and share a myriad of facts or statistics in an attempt to convince customers to buy their product or to imply that only their product can solve a particular problem. Their goal is to convince the buyer they have a specific problem and the only way to solve it is with the vendor’s product or service.

As with most things in information technology, it’s rarely true that there’s only one solution or a single vendor that can solve a particular problem. And even if that is true today, it is unlikely to remain true for very long given the rapid rate of change in the IT industry. In this example, although the vendor may share relevant statistics or facts about cybersecurity, the harm is in convincing the user that only one tool or service is the answer. In these cases of propaganda as a sales technique, buyer beware.

A final factor to consider when consuming cybersecurity information and marketing materials is the credibility of the source. Is a specific author cited in the article or blog post or is the content attributable only to an entire company? If a specific author is cited, does this person have a reputation in the industry as a credible source (i.e. do they even work in the cyber industry)? Is this a real person or is it a fake person with content generated by a bot? What are other sources saying about the topic and are those other sources credible or are they in fact derivatives of the original source? In short, take a critical approach to reviewing material and claims made. If they hold up to a little scrutiny and fact checking, they are much more likely to be reasonable sources.

As illustrated, the landscape of cybersecurity media is filled with pitfalls and land mines, with vendors pushing products along the way. But, armed with a healthy dose of skepticism, even the most naïve reader should be able to discern fact from fiction and pull out the relevant nuggets of information if they know what to look for. So, the next time you read an article or news brief about cybersecurity, even mine, take a moment to step back and look at the information with a critical lens to determine if it is worth the time to read it.
