As cybersecurity services proliferate, it’s important to recognize the snake oil amongst the authentic and avoid it like the plague.
Data breaches make headlines as governments update their policies and compliance standards change, and Gartner predicts that global spending on information security and risk management will grow 11.3% to reach more than $188 billion in 2023.
All cybersecurity services are not equal, nor do they necessarily meet the needs of businesses. Enterprises that jump into the next malware fix without background checks bolster the cybersecurity snake oil cycle.
What is “Snake Oil” in cybersecurity?
Cyber snake oil salespeople have been operating for a long time. That person who claims to be able to fix all of your security gaps with yet another magical product. But instead, peddles band-aid fixes, empty promises, questionable advice, and a shower of “must-haves” that clog up your network perimeter more densely than a pre-COVID peak traffic jam—offering little more than grandiose words and a gallon of hot air.
People and companies advertising that they can solve your cybersecurity challenges without even taking a closer look at “under the hood” are dangerous.
After a cyber-attack or even a near miss, emotions run high, and panic can lead to business leaders reaching for a quick fix to layer on top of existing infrastructure. A quick fix with no guarantee for protection against the next data breach – and that is what snake oil sales are all about. They are creating opportunities to keep selling more and more security products to the uninformed every time disaster strikes. It keeps snake oil sales in business to the detriment of all.
How to spot snake oil salespeople
A good rule of thumb to follow is: if it sounds too good to be true, it probably is.
In the world of cybersecurity snake oil, there are a few common denominators and terms to take note of:
- The ‘military grade’ term doesn’t qualify for any service grade. It is often used as a marketing gimmick to describe the “highest-level security” to the not particularly tech-savvy.
- Quick fixes and promotion of services as salvation from hacker attacks without auditing the existing security system. A good cyber-service provider wouldn’t assume what your existing infrastructure and setup look like. They would look at what you have, how it could be improved, and ensure you fully understand how it works before investing in yet another security product.
- The term ‘must have’ to protect against viruses and other threats.
- ‘Compensating’ for vulnerabilities in the basic IT architecture.
- ‘Unbreakable, Secret’ algorithm, technique or device – if they don’t want to show you how it works, it’s a big red flag.
- Overuse of technospeak – a good way for snake oil salespeople to build false credibility as many business leaders wouldn’t have extensive knowledge on the subject.
- The term ‘100 percent’ accurate/secure/input – as we know, nothing in tech, or in the world for that matter, is 100 percent certain. Anyone claiming as such is hoisting another big shiny red flag.
Looking at these points, it seems pretty apparent that they are all bogus claims, but they offer relief during a time of crisis. This is when the cybersecurity snake oil peddlers try their luck and exploit your enterprise risk profile.
How to spot authentic cybersecurity salespeople
You are sold a cybersecurity service, not another add-on product.
- A strategy is presented that helps you understand and address the threats, in all their forms, today and in the years ahead.
- Clear articulation of the value of the cyber defense service or solution being offered, engaging all stakeholders to ensure appropriate support and decision-making.
- Alignment of the cybersecurity strategy with the business strategy because not all assets need the same controls.
- Insight on important data assets associated with each part of the business value chain, the systems they reside in, the controls being applied, and the trade-offs associated with protecting higher-priority assets versus lower-priority ones, with a cost transparent execution plan.
- Support for ISO 14001, 27001 and GDPR compliance training to create staff awareness of their responsibilities.
- The tools used to deliver the service have been verified.
Questions when onboarding a new cyber partner
- Is the service/tool plugging a gap in my existing infrastructure? If so, what is the gap and how did it materialize?
- Is there any other tool in my current security portfolio that can do this already?
- How will a new tool /service integrate with other security tools I have in place without creating further gaps in the future?
- Can the service identify what is working and what isn’t and what has failed during breaches or threats.
- Will testing and training be done to educate on the use of tools to ensure staff knows their role and responsibility to good cybersecurity practice.
Good cybersecurity creates extra time
There’s a good chance your existing security tools are working already and all that is needed is more efficient use as threats and risks evolve.
With a focus on products over process, it can often be the case that you’re dumping so-called value-adding products into your security landscape, complicating your overall security posture over time. The result – breaches or security threats due to gaps in the system.
A full circle security service suite
Reactive systems are good, but the truth is that most security products compensate for vulnerabilities in technology infrastructure, an infrastructure that was never designed to be latched onto as breaches occur.
A billion-dollar industry has emerged by treating symptoms rather than addressing causes.
ENHALO looks at the entire picture, works holistically with your existing cybersecurity security setup, and will ensure peace of mind about any additional services or tools – are they essential, and will they add actual value?
CREST certified and ISO 27001 accredited, ENHALO takes care of all the complexity and security concerns you and your company have – from rapid Darkweb Breach Detection, Emergency Cyber Response, Exploitable Device Detection, and SOC services – for a bullet-proof shield to cybercrime.
Finally, good cybersecurity occurs when you aren’t looking. It automatically gives you back valuable time and allows you to invest resources where it counts – on your business and your customers.
