This Cybersecurity Medicine Might Be Tough To Swallow


Imagine you’re the CEO of a thriving company and you’ve been horrified by the news of the Sony hack, the Target breach and the litany of security issues that have plagued big companies in recent years. You swear you’re going to do whatever’s necessary to make sure it won’t happen to your company. But do you realize what that really means?

At a holiday party, a guy starts chatting you up while you’re working on your fourth martini. And he speaks directly to your fears. He knows someone who could help you out with your security problems — make it so that you would never suffer the fate of those poor suckers at those other companies. You have to admit, you’re intrigued because you never want to be in the position of explaining to your board of directors why you were the latest victim.

You get the name and run a background check and find out she’s good. Very good. Her experience includes stints with military intelligence, the NSA and a number of successful security startups. You’re ready to write the check just to hear her pearls of wisdom.

The day finally arrives and your assistant shows the consultant into your office where she quickly takes a seat, takes a speck of dust off her pants and looks you in the eye.

“You’re really willing to do whatever I say?” she asks.

You tell her that if she has a plan, you’ll follow it. You wait anxiously to hear what she’s going to say.

The first thing you need to do, she tells you, is disconnect from the Internet. Before you can object, she holds up a hand and asks that you let her finish. You start to sweat, and she keeps going.

You’ll need to take away all of the laptops. There will be no smartphones or tablets allowed in the building. You’ll use desktop computers without USB ports or DVD drives. There should be no way that you can save to an external device. Everything will be connected on a highly secure, completely private internal network accessible with two-factor authentication.

You won’t use any cloud services and there will be absolutely no mobile apps. If you run a website, you will keep it simple and with very little information. Contact information will be through a form and you won’t have an address for the company beyond a post office box.

You will hire highly skilled security personnel. Everyone will leave their phones at the door on the way into the building — including you. Everyone will be searched entering and leaving the building — including you. No exceptions. You will put cameras everywhere and you will have your security staff monitor them in a control room to make sure nobody is doing anything suspicious.

Anyone caught with a prohibited device will be fired immediately.

You will keep partnerships to a minimum, and all guests, including customers, will be subjected to the same strict security regimen, and no one will be allowed to carry any devices of any kind inside.

“I couldn’t possibly do that,” you say to her wide-eyed. “I would be sacrificing my entire business, handicapping and harassing my employees and my customers, all in the name of protecting my company.”

“So it seems you wouldn’t do whatever it takes, would you?”

Playing Security Chess

So if you can’t lock down your company, what can you do?

You have to give up the notion of complete security and place your bets on things you can control, because there is an organized effort to attack your networks. And depending on your type of business, these parties might be all the more determined.

Yet it seems that the further we advance technologically, the less secure we become. David Cowan, a partner with venture capital firm Bessemer Ventures, says one of the reasons for that is that technology has become so intertwined in our lives.

“Broadly speaking we are adopting technology that’s becoming more and more pervasive in our lives and jobs. The opportunities for cybercrime, mischief and [mayhem] has grown over the years and there is more motivation to do so,” he told me.

As Cowan explained, back in the 90s, hacking was about ego, but over time it has evolved to include fraud, identity theft and other criminal activity — and more recently nation-states partaking in surveillance and organized cyber-mayhem.

But as one security startup CEO told me recently, we are doing better than we think. You may find that hard to believe if you’re a CEO trying desperately to avoid being tomorrow’s headline. But he described a giant chess match between the people trying to get into our computer systems and those trying to keep them out.

As bad as it seems today, this security executive says if it weren’t for the checks and balances that security companies have put in place, it would be far worse and we couldn’t be using the internet to conduct business the way we do.

Walking the Security Tightrope

So we are left with a balancing act: We can’t be stupid, but neither can we sacrifice the business in the name of protecting it. As Cowan explains, security isn’t your highest priority as an organization. Being a good company is your first priority, and security should be part of that.

“Job one should be providing functionality your users need to get jobs done and have good experience. For most of the interesting applications in the world, trust is an integral part of good user experience,” he said. And if you want to be trusted, security needs to be at least an important component.

From a broader perspective, you cannot have a completely secure company that has been stripped of internal freedom, precisely for the same reason you cannot have a democratic society that is safe from any attack and maintain anything approaching privacy. If you decide, as our example above highlights, that you will do anything to be secure, you end up with a company so locked down that it will not be able to maintain a staff, let alone a staff that you would want to work with.

Surely there is always a tradeoff between security and privacy, and everyone has their own tolerance level regarding which side of this they should fall on. In the end, you have to ask yourself how much you squeeze the individual factor out of the equation. Can you honestly turn your workers into drones incapable of malicious activity, let alone honest mistakes?

When it comes down to it, you would no doubt agree with the CEO in our example that you cannot prioritize security over the company itself. No CEO would. You just have to be able to reconcile the fact that you could experience a breach — and that’s the tricky part.

Alex Wilhelm contributed to this post.
