Take a step back and look at the cybersecurity landscape, and it’s plain to see that malware attacks are on the rise. Symantec reported that malicious PowerShell scripts rose 1,000 percent last year, while new hardware vulnerabilities compromise millions of physical servers.

The IT skills gap continues to widen, according to experts including the World Economic Forum (WEF), frustrating human-led efforts to defend corporate networks. This is happening even as developing technologies such as artificial intelligence (AI) and automation promise a brighter security future — so long as organizations have the capability to integrate these tools across both legacy and cloud-based networks.

It’s therefore no surprise that a “glass-half-empty” attitude has emerged around effective cybersecurity. Help Net Security noted that the majority of chief information security officers (CISOs) are looking for bigger cybersecurity investments next year to help reduce overall risk and enhance their defensive posture, but rapidly increasing IT complexity creates a pervasive, persuasive myth: Overwhelmed by budget requirements, tech investments, employee training and information security talent gaps, enterprises logically conclude that effective cybersecurity is equally complex, perpetuating a kind of infosec ennui that sabotages even solid IT efforts.

Here’s the hard truth: Cybersecurity is still simple — it’s just not easy. The secret to cracking the IT complexity myth is getting back to basics with the three pillars of simple cybersecurity: visibility, vulnerabilities and veracity.

Keep IT Simple to Crack the Complexity Myth

It’s not all that shocking that organizations consider cybersecurity a complex, ever-changing challenge. According to a recent Dynatrace survey, 76 percent of chief information officers (CIOs) are “worried IT complexity will make it impossible to manage performance effectively.” Combine that worry with the continuous news feed of data breaches, code vulnerabilities and evolving attack vectors and it’s easy to see how CISOs and information security professionals become convinced that effective cybersecurity solutions must be as complex as the problems they solve.

In fact, the opposite is true. As renowned security expert Bruce Schneier noted 20 years ago in his 1999 blog entry, “A Plea for Simplicity,” the “worst enemy of security is complexity.” Why? Because the more complex a system or process becomes, the harder it is to visualize how it works, evaluate potential points of failure and ensure it’s working effectively.

It seems counterintuitive, but prioritizing simple security strategies is the best way to defeat evolving security threats.

Start With Visibility

The first line of defense against increasingly complex cyberattacks? Visibility. After all, you can’t protect what you can’t see. From on-premises data centers and private clouds to public offerings and mobile environments, greater visibility always equals better security. Processes that obscure lines of sight — even in the interest of reducing security workloads or combining multiple workflows — introduce elements of risk.

As noted by Dark Reading, getting back to the basic goal of visibility depends on dual technology functions: passive solutions capable of detecting new devices and unexpected processes and active tools that regularly poll network services to discover potential problems. Consider the concept from a physical security standpoint: Passive systems are like alarms that are triggered by specific events, while active solutions leverage technology-equipped personnel to regularly patrol offices and uncover emerging issues.

Understand Your Vulnerabilities

The easiest way for attackers to gain network access is to leverage existing vulnerabilities in applications, services or hardware. Open-source code is a common threat vector, since published and newly discovered vulnerabilities can give threat actors privileged access with minimal effort. As Security Boulevard pointed out, between 58 and 78 percent of all code in enterprise applications is now open-source. Third-party application programming interfaces (APIs) and misconfigured cloud services also ramp up vulnerability risk.

Where are you vulnerable? Why? How do you fix it? Answering these simple questions improves cybersecurity. While finding vulnerabilities across open-source code, third-party APIs and cloud-based solutions used by employees isn’t easy, the concept isn’t complicated: Know where you’re vulnerable to improve your response.

Here, organizations are often best served by outsourcing vulnerability detection to a reputable third-party provider. Given the sheer number of vulnerabilities present across custom-built, cloud-based and open-source applications, attempting to identify, categorize and prioritize them in-house can quickly overwhelm even experienced IT teams.

Ensure Data Veracity

Does all the data match? Are users who they say they are? Are processes legitimate in their intentions and resource calls? Is information reported about endpoints accurate to the staff experience? Here, truth will win out: Verifiable, reliable data significantly reduces the chance of a cybersecurity incident.

As Datanami pointed out, however, 55 percent of organizational data is “dark” — companies either don’t know it exists or aren’t utilizing this information. This also means they have no way to effectively evaluate its accuracy. While Computer Weekly noted that new technologies such as machine learning and artificial intelligence are set to take the world by storm this year, their ability to catalog available data and uncover its dark counterpart does nothing to ensure its veracity.

The solution here is, again, simple but not easy. Effective cybersecurity depends on the very boring practice of asset management: the regular, thorough evaluation of common data sources, their security controls and how users interact with them on a day-to-day basis. Reliable infosec approaches, such as strong encryption, multifactor authentication (MFA) and regular system updates, are not flashy and not always fast, but by using them organizations can enhance data veracity and reduce overall risk.

Complex Threats Call for Simple Solutions

Evolving security threats, expanding skills gaps and emerging technologies conspire to create a culture of IT complexity, which remains the enemy of effective cybersecurity. Organizations should keep IT simple by leveraging better visibility to detect more vulnerabilities and ensuring data veracity to drive improved information security outcomes.
