Take a step back and look at the cybersecurity landscape, and it’s plain to see that malware attacks are on the rise. Symantec reported that malicious PowerShell scripts rose 1,000 percent last year, while new hardware vulnerabilities compromise millions of physical servers.

The IT skills gap continues to widen, according to experts including the World Economic Forum (WEF), frustrating human-led efforts to defend corporate networks. This is happening even as developing technologies such as artificial intelligence (AI) and automation promise a brighter security future — so long as organizations have the capability to integrate these tools across both legacy and cloud-based networks.

It’s therefore no surprise that a “glass-half-empty” attitude has emerged around effective cybersecurity. Help Net Security noted that the majority of chief information security officers (CISOs) are looking for bigger cybersecurity investments next year to help reduce overall risk and enhance their defensive posture. But rapidly increasing IT complexity creates a pervasive, persuasive myth: Overwhelmed by budget requirements, tech investments, employee training and information security talent gaps, enterprises logically conclude that effective cybersecurity is equally complex. The result is a kind of infosec ennui that sabotages even solid IT efforts.

Here’s the hard truth: Cybersecurity is still simple — it’s just not easy. The secret to cracking the IT complexity myth is getting back to basics with the three pillars of simple cybersecurity: visibility, vulnerabilities and veracity.

Keep IT Simple to Crack the Complexity Myth

It’s not all that shocking that organizations consider cybersecurity a complex, ever-changing challenge. According to a recent Dynatrace survey, 76 percent of chief information officers (CIOs) are “worried IT complexity will make it impossible to manage performance effectively.” Combine that worry with the continuous news feed of data breaches, code vulnerabilities and evolving attack vectors and it’s easy to see how CISOs and information security professionals become convinced that effective cybersecurity solutions must be as complex as the problems they solve.

In fact, the opposite is true. As renowned security expert Bruce Schneier noted 20 years ago in his 1999 blog entry, “A Plea for Simplicity,” the “worst enemy of security is complexity.” Why? Because the more complex a system or process becomes, the harder it is to visualize how it works, evaluate potential points of failure and ensure it’s working effectively.

It seems counterintuitive, but prioritizing simple security strategies is the best way to defeat evolving security threats.

Start With Visibility

The first line of defense against increasingly complex cyberattacks? Visibility. After all, you can’t protect what you can’t see. From on-premises data centers and private clouds to public offerings and mobile environments, greater visibility always equals better security. Processes that obscure lines of sight — even in the interest of reducing security workloads or combining multiple workflows — introduce elements of risk.

As noted by Dark Reading, getting back to the basic goal of visibility depends on dual technology functions: passive solutions capable of detecting new devices and unexpected processes and active tools that regularly poll network services to discover potential problems. Consider the concept from a physical security standpoint: Passive systems are like alarms that are triggered by specific events, while active solutions leverage technology-equipped personnel to regularly patrol offices and uncover emerging issues.

Understand Your Vulnerabilities

The easiest way for attackers to gain network access is to leverage existing vulnerabilities in applications, services or hardware. Open-source is a common threat vector, since published and newly discovered vulnerabilities can provide threat actors privileged access with minimal effort. As Security Boulevard pointed out, between 58 and 78 percent of all code in enterprise applications is now open-source. Third-party application programming interfaces (APIs) and misconfigured cloud services also ramp up vulnerability risk.

Where are you vulnerable? Why? How do you fix it? Answering these simple questions improves cybersecurity. While finding vulnerabilities across open-source code, third-party APIs and cloud-based solutions used by employees isn’t easy, the concept isn’t complicated: Know where you’re vulnerable to improve your response.

Here, organizations are often best served by outsourcing vulnerability detection to a reputable third-party provider. Given the sheer number of vulnerabilities present across custom-built, cloud-based and open-source applications, attempting to identify, categorize and prioritize them in-house can quickly overwhelm even experienced IT teams.

Ensure Data Veracity

Does all the data match? Are users who they say they are? Are processes legitimate in their intentions and resource calls? Is information reported about endpoints accurate to the staff experience? Here, truth will win out: Verifiable, reliable data significantly reduces the chance of a cybersecurity incident.

As Datanami pointed out, however, 55 percent of organizational data is “dark” — companies either don’t know it exists or aren’t utilizing this information. This also means they have no way to effectively evaluate its accuracy. While Computer Weekly noted that new technologies such as machine learning and artificial intelligence are set to take the world by storm this year, their ability to catalog available data and uncover its dark counterpart does nothing to ensure its veracity.

The solution here is, again, simple but not easy. Effective cybersecurity depends on the very boring practice of asset management — the regular, thorough evaluation of common data sources, their security controls and how users interact with them on a day-to-day basis. Reliable infosec approaches such as strong encryption, multifactor authentication (MFA) and regular system updates are not flashy and not always fast, but by using them, organizations can enhance data veracity and reduce overall risk.

Complex Threats Call for Simple Solutions

Evolving security threats, expanding skills gaps and emerging technologies conspire to create a culture of IT complexity, which remains the enemy of effective cybersecurity. Organizations should keep IT simple by leveraging better visibility to detect more vulnerabilities and ensuring data veracity to drive improved information security outcomes.
