Is cybersecurity really being as neglected as this subreddit makes it seem?



I don't work in cybersecurity directly; I'm a sysadmin. However, I've worked at enough (American) businesses across many industries to have been exposed to a lot of cybersecurity policy, and I also have to implement a lot of said policies. I've worked in automotive, retail, banking, insurance, and even done some moonlighting in medical.

I think in highly regulated industries like finance/insurance/medicine there's a big push for better cybersecurity, and in that sense it isn't being neglected. However, they are normally pretty behind on basic security measures. You'd be surprised how many banks/insurance companies have just started to implement MFA, routine patching, and basic network hardening. It's promising though; I feel like in the last 8 years it's gotten more and more prevalent and taken more seriously. Not as worried about neglect in these industries.

The real problem is all the ancillary industries that have access to the same PII that these organizations do but don't give a damn about cybersec or infosec. If a bank has all the cybersecurity measures in the world, it doesn't matter if the car dealership down the road doesn't give a shit. A person comes in to buy a car, signs a loan originating from the "protected bank", and said bank sends back all that info for the dealership's records. Customers are putting down all the same info the bank is protecting, but it's still being stored unprotected on some file server or desktop loaded with malware.

The organizations with the biggest influence on how seriously companies take cybersecurity end up being cybersecurity insurance providers. Since many companies either don't have the resources or don't care to invest in their own security, they end up going with an insurance policy instead. I've had to implement a number of changes for clients so they meet the requirements to get said policies, and a lot of the requirements have been pretty good. For example:

  1. Multifactor authentication for most devices (many have excluded SMS as an option)

  2. Audit of the client's Active Directory/directory service environment, with clear delineation between domain user, domain admin, and enterprise admin

  3. Policies implemented to disable or highly restrict local admin/root on machines

  4. Security hardening on critical infrastructure such as domain controllers, file servers, etc. These changes are normally pretty byzantine to me, so I'm not sure how effective or important they are.

  5. Explanation of patching frequency, products used, and operating system updates. No ESXi 5.0 for you, buddy.

There's more, but that's just the stuff in my purview.

TL;DR

Some industries and bigger companies have been taking cybersecurity more seriously now than ever. However, smaller companies and unregulated industries are still neglecting cybersec and infosec to a degree that undermines the security push from bigger companies and regulated industries. Cybersecurity insurance providers could close the gap by implementing solid requirements before offering a policy.
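As an added example (not part of the original post or anything the poster ran), here is the kind of read-only check a sysadmin can run before an insurance questionnaire lands, covering items 2, 3 and 5 from the list above: who actually holds Domain Admin and Enterprise Admin rights after nested groups are expanded, whether the same accounts sit in both (no delineation), which individual users are local Administrators on the host, and how stale patching is. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module, an account allowed to read group membership, and the approved-account lists below are constructed placeholders, not real names.

```powershell
# Added example, not from the original post. Read-only audit of privileged-group
# delineation, local admin membership and patch recency on a domain-joined host.
# Assumes the RSAT ActiveDirectory module is installed; approved lists are placeholders.
#Requires -Modules ActiveDirectory

# Accounts expected to hold Tier-0 rights (constructed placeholders). Anything
# else that turns up in these groups gets flagged for review.
$ApprovedEnterpriseAdmins = @('ea-break-glass')
$ApprovedDomainAdmins     = @('da-admin1', 'da-admin2')

function Get-PrivilegedGroupReport {
    param([string]$GroupName, [string[]]$Approved)
    # -Recursive expands nested groups, so a user buried two groups deep still shows up.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            [pscustomobject]@{
                Group          = $GroupName
                SamAccountName = $_.SamAccountName
                Approved       = ($Approved -contains $_.SamAccountName)
            }
        }
}

# Item 2: Enterprise Admins should be close to empty day to day; Domain Admins short and known.
$report  = @()
$report += Get-PrivilegedGroupReport -GroupName 'Enterprise Admins' -Approved $ApprovedEnterpriseAdmins
$report += Get-PrivilegedGroupReport -GroupName 'Domain Admins'     -Approved $ApprovedDomainAdmins

# Same account in both groups means the "clear delineation" the insurer asks for does not exist.
$overlap = ($report | Group-Object SamAccountName | Where-Object Count -gt 1).Name

# Item 3: local Administrators should be the built-in account plus a managed group,
# not individual user accounts added ad hoc over the years.
$localAdmins     = Get-LocalGroupMember -Group 'Administrators'
$unexpectedLocal = $localAdmins | Where-Object {
    $_.ObjectClass -eq 'User' -and $_.Name -notmatch '\\Administrator$'
}

# Item 5: days since the most recent hotfix was installed on this host.
$lastPatch = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$daysSincePatch = if ($lastPatch) {
    (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days
} else { 'unknown' }

"== Privileged group members not on the approved list =="
$report | Where-Object { -not $_.Approved } | Format-Table Group, SamAccountName -AutoSize
"== Accounts in both Domain Admins and Enterprise Admins =="
$overlap
"== Individual user accounts in local Administrators on $env:COMPUTERNAME =="
$unexpectedLocal | Format-Table Name, PrincipalSource -AutoSize
"== Days since last hotfix on this host: $daysSincePatch =="
```

Run it from an elevated PowerShell session on one host at a time; it changes nothing, so it is safe to rerun while the cleanup is in progress. The local-admin check only describes the machine it runs on, which is why insurers usually want item 3 enforced by Group Policy or a similar central control rather than checked host by host.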
