The security poverty line broadly defines a divide between the organizations that have the means and resources to achieve and maintain mature security postures to protect data, and those that do not. It was first coined by cybersecurity expert Wendy Nather in 2011, and the concept is just as relevant today as it was then (if not more so). It has widely become the benchmark for acceptable cybersecurity, often associated with factors such as company size, sector and disposable income, but also know-how and appetite for recognizing and addressing security inadequacies.
Generally (but not always), those “above” the security poverty line are larger, private-sector businesses with the money, talent pool, and durability required to meet basic but highly important cybersecurity standards. Below it are typically small, young businesses or those that operate in cash- and resource-strapped sectors (though this is not a universal fact).
Being below the security poverty line is unenviable for any organization, because it not only means they are likely to either lack the assets to keep data effectively secure or do not have the ability or inclination to do so, but they can also be prime targets for attackers and cybercriminals. “I see the cybersecurity poverty line as a mechanism for a reality check in all our industry conversations,” Fernando Montenegro, senior principal analyst at Omdia, tells CSO. “From practitioners to vendors, service providers, investors, analysts – all of us need to keep in mind that many organizations have, for a variety of reasons, limitations on how they do cybersecurity. This has profound downstream effects on everything from public policy to contract terms, hiring, and more.”
Cybersecurity poverty line: a security “rock bottom”
Cyjax CISO Ian Thornton-Trump sees the cybersecurity poverty line as the point where the cybersecurity philosophy of “doing more with less” manifests into “can’t do anything because we have nothing.” It’s a point where legacy technical debt, lack of engagement with or even understanding of the business strategy, and general hostility from nearly all departments eclipse any desire on the part of the security team to improve the situation, he tells CSO. “Security team morale is non-existent, and the only thing being updated is LinkedIn profiles – that’s the poverty line. What I’m describing is more of an emotional state, a rock bottom of a cybersecurity program in general and, like most things, the cybersecurity poverty line in 2023 is when the cybersecurity leadership has abjectly failed.”
James Bore, security hygienist and consultant, is careful to avoid defining the cybersecurity poverty line as simply where organizations are unable to purchase and use “essential” security controls, as “essential” varies wildly among organizations, he tells CSO. “I much prefer to define it by the expertise available to an organization, since one with an appropriate level of expertise either in-house or available can usually find a way to build appropriate security to their own needs,” Bore says.
For Will Dixon, global head of cybersecurity consultancy and investment vehicle ISTARI, the cybersecurity poverty line represents the public safety trigger point where governments and other institutions might need to step in to support organizations and ensure they, and those that interact with them, are not harmed.
“It is a vicious circle where cybersecurity poverty leads to further and wider elimination of resources that could be invested in cybersecurity, thus leading more organizations below the cybersecurity line and a consequent increase in compromises,” adds Dr. Vasileios Karagiannopoulos, director, Cybercrime Awareness Clinic, Portsmouth University. “The intensification of cybersecurity poverty is bound to result in significant and more widespread compromises that will affect not just other businesses, but consumers and everyday users as well.”
The cybersecurity poverty line in 2023
Karagiannopoulos tells CSO that the cybersecurity poverty line concept has become more crucial in the last year or so, as the world continues to gradually exit the COVID-19 pandemic and starts to work in a more challenging hybrid environment, which poses new and wider cybersecurity challenges for organizations and employees. “At the same time, the war in Ukraine has generated even more concerns regarding novel cybersecurity threats originating from the conflicting countries and their allies, hacktivist collectives and nationalistic hacker groups,” he says. These developments, alongside the consequent energy crisis and the supply chain challenges, are intensifying concerns regarding the capacity of those under the poverty line to eventually make it to the other side, despite government and corporate efforts to bring the topic of cybersecurity more to the fore and even offer free support, guidance and tools, he adds.
Chad McDonald, CISO at Radiant Logic, echoes similar sentiments. “As we verge on the edge of recession, the cybersecurity poverty line will only grow in 2023. It is a rather unique time for the IT landscape and one that past generations have never experienced.” He predicts that the cybersecurity poverty line will be defined along three major axes moving forward – ongoing digital transformation, continued migration to the cloud, and the movement towards zero trust. “Security teams’ success will be defined by the forward movement on each of these projects, and whether these environments are properly secured,” he adds.
Who’s below the cybersecurity poverty line?
All types of businesses and sectors can fall below the cybersecurity poverty line for different reasons, but generally, healthcare, start-ups, small- and medium-size enterprises (SMEs), education, local governments, and industrial companies all tend to struggle the most with cybersecurity poverty, says Alex Applegate, senior threat researcher at DNSFilter. “Typically, each of them has very limited budgets, besides additional factors that affect each in different ways.” These include wide, cumbersome, and outdated networks in healthcare, small IT departments and immature IT processes in smaller companies/start-ups, vast network requirements in educational institutions, statutory obligations and limitations on budget use in local governments, and custom software built around specific functionality and configurations in industrial businesses, he adds. Critical National Infrastructure (CNI) firms and charities also commonly find themselves below the cybersecurity poverty line, for similar reasons.
The University of Portsmouth Cybercrime Awareness Clinic’s work with SMEs for the UK National Cyber Security Centre (NCSC) revealed that cybersecurity was a secondary issue for most micro and small businesses it engaged with, evidence that it is often the smallest companies that find themselves below the poverty line, Karagiannopoulos says. “It was either too expensive to engage with fully or too high level and technical to be relevant to them, particularly when we are talking about businesses that have not traditionally operated with technology to begin with.”
Business size is indeed interesting, Bore says, because while most small companies could be considered below the poverty line, the nature of their business may well mean they’re carrying a lot less risk. “The smaller an organization is as a target, the less motivation for attacks and so the more they can rely on basic security hygiene for prevention instead of pouring money into overpriced solutions addressing threats that just do not care about them,” he argues.
Conversely, Bore says he has engaged with companies who have views on security that leave them below the poverty line despite investing huge amounts into solutions at the behest of vendors. “Generally, it’s a lack of understanding of security that leads to this, and an over-reliance on buying in pre-packaged solutions to problems instead of taking the time to work through their own organization, understand its challenges effectively, and decide what to do based on that understanding instead of an external best practice,” he adds. The most damaging are MSPs and suppliers who don’t understand security and so expose all their customers to threats, Bore says.
One incredibly important aspect here is that, just like the discussion on the economic poverty line recognizes regional differences with poverty lines drawn at national levels, we must apply a similar concept in cybersecurity, states Montenegro. “Yes, the internet is a great equalizer, but it’s not enough to derive one single poverty line for all: the ‘necessities of life’ (a term used for poverty line conversations) change significantly from a small bakery taking online orders via a preconfigured shopping cart provider to a Fortune 10 company with businesses around the world.”
Unpredictable times can also have a significant impact on driving businesses below the cybersecurity poverty line, with the hybridization of working because of the COVID-19 pandemic a prime example, Karagiannopoulos says. “This hybridization forced organizations to engage with new technological tools and processes to adapt and survive lockdowns and employee demand for hybrid working conditions.” However, this shift happened almost overnight for many organizations and pushed them even further below the cybersecurity poverty line as their cybersecurity needs multiplied, without their resources or knowledge levels growing at anything like the same rate. “Business survival was prioritized and, even though we know that in many cases cybersecurity can impact on business viability when a breach occurs, more traditional business sectors and smaller businesses and organizations focused more on getting things up and running as soon as possible, with security becoming a secondary concern for them in many cases,” he adds.
Risks of falling below the cybersecurity poverty line
The risks associated with falling below the cybersecurity poverty line are multiple, with some more apparent than others. “That can be everything from falling victim to extortion (ransomware) or fraud (business email compromise) to potentially spending precious resources ‘doing security’ in a way that is ultimately ineffective (in relation to an organization’s true needs) or inefficient,” Montenegro says.
“The most obvious risk? The risk of an attack,” says Applegate. “Many industries and businesses deeply underestimate the threat of an attack because they don’t understand what they have that is of any value. Thus, they don’t believe they will ever be attacked in the first place.” Third-party contractors, often small businesses, are sometimes targeted because of their clients and their weaker security posture is easier to exploit and leverage to move onto the larger, more secure networks, he adds.
“On top of that, alert fatigue is a tremendous problem – even in environments where false positives are largely eliminated,” Applegate says. “There is an endless onslaught of new attacks, vulnerabilities, and threats that are continually evolving. It can make cybersecurity efforts feel fruitless, leading to burnout. While these are risks for all industries, those entities below the cybersecurity poverty line are even more susceptible to them.”
An immediate response to being below the poverty line might be to cut costs, but this can exacerbate the situation, McDonald says. “By retrenching, organizations increase the number of legacy, stale, and over-provisioned accounts and applications within their networks. Usually, these accounts and applications are then left unmonitored by security teams and, ultimately, provide gaps for threat actors to exploit, expanding the attack surface of businesses.”
This technology debt is perhaps the biggest issue when it comes to existing below the cybersecurity poverty line, Applegate concurs. “Many of these decisions are made because of the cost involved, but the longer the problem isn’t addressed, the more it will cost to fix it. Victims of cyberattacks almost always underestimate the cost, both in monetary and reputational terms. They often regret not investing in the first place. Too often, they don’t realize until after the fact the value of the investment to institute proper cybersecurity measures earlier on.”
For businesses with no security processes for prevention and incident response and recovery, a cyberattack could bankrupt them or severely affect their functionality and thus their market reputation, and eventually their success or viability, Karagiannopoulos says.
Another problem is the impact on access to other risk-mitigation measures, particularly cyber insurance, adds Dixon. “Insurers expect organizations to meet certain standards if they want cover, particularly as the cyber insurance market comes under increased strain due to ransomware pay-outs. Without access to cyber insurance, organizations are left at an ever-greater disadvantage, as many other un-insureds are in wider society.”