Reflections on Digital Security Awareness: Why Availability is Not the Same Thing as Accessibility

Every October, we recognize Cybersecurity Awareness month.

While October has now passed, recognizing the threat of cyber-attacks is (thanks to the continued rise in data breaches and ransomware attacks) something that is closer to the front of mind for business leaders across industries. There is also no shortage of activity among cybersecurity professionals, advocates, and the federal government to inform the broader community of best practices.

But awareness, while a critical first step, is not action. And the reality is that, particularly across the healthcare industry, consistent, holistic, and dynamic integration of cybersecurity controls and defenses still lags well behind what is necessary to ensure the security, accessibility, and integrity of our collective health infrastructure.

So, as October ended, this led me to ask myself: when it comes to integrating security practices and controls, is it a problem of awareness, or is it truly an issue of the accessibility (and affordability) of solutions?

Put another way, is the lack of consistent (and holistic) integration of security controls in business operations a problem because cybersecurity best practices are not adequately valued? Or are the available understandable (awareness) solutions for business owners inaccessible, unaffordable, or otherwise unfeasible?

I would say the latter. Security comes at a cost. As I have come to appreciate working with smaller to mid-sized businesses, ranging from health providers or support services, security isn’t accessible to everyone.

As a security professional, October (and all the months before and after) is less about speaking and more about listening and understanding the barriers between awareness and implementation. To effectively implement security controls and practices tailored to an organization, a security professional must understand the organization, its processes, people, and (of course) its technology. What are the pain points for staff? How can the business improve security awareness and operational processes so that integrated security is an easier ‘default’? The result should provide a security plan and processes that align with those people, operations, and technologies.

But this presumes that the security controls and resources recommended, including (for example) insurance, adequate endpoint protection, and access controls are not only available to organizations but affordable and “suited for purpose.” Therefore, we must consider not only the availability of security assets but also their accessibility to business leaders.

Accessibility is defined as “the quality of being usable, reachable, obtainable.” To be accessible is something more than just being “available” – it denotes ease and feasibility of use for the end user. Accessibility suggests suitability. Availability carries no such assurance. Just because a security solution is available on the market does not mean it is accessible to all businesses.

How Food Deserts Illustrate the Difference Between Availability and Accessibility

ACCESS TO SECURITY MATTERS

No one can dispute that access to (affordable, healthy) food matters. Digital security is just as important when it comes to an organization’s “health” and its ability to continue operations in a digital world. Unfortunately, in recent years I have observed a shift across the technology industry, which increasingly sees security as a (pricey) commodity, as opposed to a baseline component of services and products or a utility shared across the digital ecosystem.

For example, almost a decade ago, I listened to an executive at Microsoft tell a large audience of staff that security is not a feature. It is not something marketed as an add-on but something inherent to the products and services Microsoft provides to empower every person and every organization on the planet to achieve more. Microsoft, as an example, produces a wide variety of products and services across several supported platforms to help people achieve more, but this month I became aware of something that made me realize that Microsoft no longer seems to view security as an inherent component of their products, and instead sees it as an “upgradable” feature.

Let’s break down the cost of Microsoft’s 3 tiers of service for the Microsoft 365 licenses: Basic, Standard, and Premium.

• Basic – $6.00
• Standard – $12.50
• Premium (Enterprise-Level Security) – $22.00

With a Basic License users receive “Standard” (undefined) security features. It isn’t until a user purchases the Premium Service that users have any specific and defined security protections or protocols. In fact, the primary selling point between Premium services and the lower tier Basic and Standard Services is the availability of security controls and protections (Premium Service is also marketed as “Enterprise-Level Security”).

Above is a chart showing the price increase between each tier. From Basic to Standard, it’s a – 108% cost increase, and for Standard to Premium, 76%. To go from a Basic to a Premium tier would cause the cost of a single license per user per month to increase by 267%!

Microsoft Defender is a capable endpoint security service subscription that Microsoft promotes to defend endpoints from malware and other threats. To access or utilize Microsoft Defender, a user must have a premium license (note, in addition to this advanced IT support access is recommended). Never mind if you’re up-to-date on the latest tech and understand the basics of security; if you don’t have access to advanced IT support, you probably won’t be successful in deployment or the support necessary to maintain.

What Do You Actually Get?

While the feature comparison page means to show you the value you receive as you increase in price, I noticed something interesting under the hood of a “Standard” Microsoft 365 business license. Looking at the Security Admin Center, Microsoft is kind enough to provide a secure score or representation of your organization’s security posture (and how it compares to others of similar size) and your opportunity to improve it.

Of the 58 recommended actions, it presented to an organization with less than 10 users and Microsoft 365 business standard licenses, 28 actions, or 48.3%, required additional licensing at an additional cost.

This leaves me with two questions:

1. If 48% of the security recommendations aren’t available with what I have, is this really the “Standard” that Microsoft represents?
2. If I sell you cans of food but tell you that the only way to make the contents accessible to you will cost you an additional 76% on top of what you’re already paying, doesn’t that seem to align with behavior scrutinized as “protection rackets?”

Are you seeing the Food Desert now?

MINIMUM CYBERSECURITY GUIDELINES

When we think of healthcare, it’s easy to think of the huge (enterprise) hospital brands, and it’s all too easy to immediately discount or dismiss small (SMB) community practices and safety net providers like community health centers.

Compliance plays a major role in healthcare, and everyone sees that healthcare is struggling to meet the cybersecurity needs to protect patient health, sensitive personal information, timely treatment, and ultimately protect against increased suffering and death.

We heard in October that New cybersecurity standards for Healthcare were coming from the White House “to put in place minimum cybersecurity guidelines.” Standardizing (and enforcing) minimum requirements or “rules of the road” is a critical first step in shifting from the commoditization of security – to recognizing security (just like the healthcare infrastructure) as a utility.

The Deputy National Security Advisor for Cyber has said, “The US is “pretty much last in the race” when it comes to putting in place minimum security standards for critical infrastructure compared to peer countries.”

But how do dollars impact minimum security needs in healthcare? Senator Mark Warner provides some insight into this with a new Policy Options report released just days ago:

While over the last few years, we have certainly seen a number of large-scale hospital attacks, it shouldn’t be surprising to see a shift from attackers toward small hospitals, clinics, and specialty practices.

If organizations like the one discussed here as an example set the bar for the cost of “minimum security” standards at a premium, aren’t they, in effect, making the decision of who is too big to fail and too small to win?

CAN WE AFFORD “ACCESSIBLE” SECURITY?

Early in October, I challenged people to momentarily recall the price of a gallon of milk. Not knowing doesn’t make you a lesser person, but the cost may not be as important to you as it is to others that have to make their money go the distance and #commoncentsmatter. I’ve read stories this year of people making critical choices on purchasing groceries to feed their families or gas so they can get to work. It’s easy to think of Fortune 1000 organizations when we think about businesses and “enterprise ready.” But small startups, or those that have to measure every dollar and cent in complicated excel spreadsheets. All to ensure their livelihood survives the next month, the next quarter, and the next year, are faced with the choice of paying a staff member or paying for security, which will matter to them more?

While the Microsoft 365 example above presents some reasonable questions, they are far from the only concerning example when it comes to making security accessible. For example, single Sign-On, technology that mixes several application logins into one, continues to be a tax on organizations large and small, with the cost of standard access vs. a plan that supports a standard business practice being anywhere from 15% to well over 500% more!

Remember how households in areas identified as food deserts often have low incomes, face unemployment, and with inadequate access to public transportation are more likely to feel the impact? Think about those households as Small to Medium Businesses (SMBs). Larger, more established, and profitable businesses may operate in the same area. Still, those with financial means may have other means (a vehicle to travel further, delivery services, etc.) to acquire food – possibly at a higher, less impactful price point, or in this case access to the means to address their security needs.

Organization size doesn’t matter to the adversaries indiscriminately targeting them, and neither does the need to meet regulatory compliance or insurance requirements. Large organizations like Microsoft know this.

October was another month seeing all too many people blame the end user for the lack of awareness and with it, a lack of action to defend the enterprise. Access to nutrition is vital for our physical health and survival. Likewise, access to security tools and services means the survival of our people, customers, data, and our economy. Until we start thinking about access to standard business practices in the same way we think about access to a gallon of milk, bread, and fruits and vegetables, the cost and impact of awareness and breaches will be too high.