Checking Boxes vs. Proactive Security

While it is true that new vulnerabilities receive the most media attention, these issues are quite rare compared to well-known vulnerabilities. So, are our leaders focused on the security risks that actually matter?

First Published 27th October 2017

Hey everybody - we are now 100% secure! This guy from Corporate says so.

4 min read  |  Reflare Research Team

Almost all of the high-profile data breaches that happened in 2017 were ultimately caused by either human error or known vulnerabilities that had been left unpatched for several months. This is counter-intuitive to many people, as new unknown vulnerabilities (“zero-day vulnerabilities”) receive the most attention in the media.

In this briefing, we will have a look at why large organizational networks are vulnerable to attacks that seem to be easy to defend against.

To make a useful oversimplification, preventable breaches due to human error or old unpatched vulnerabilities are caused by a lack of awareness: staff either don’t know about social engineering, malware and phishing, or they don’t consider these issues to be dangerous.

Likewise, management and technical teams with a lower awareness of the impact of security vulnerabilities are more likely to either ignore them or schedule them to be fixed during routine update cycles.

Yet awareness in general, and information security awareness in particular, are buzzwords across all major industries. How can there be such a focus on the concept of awareness and so little actual awareness at the same time?

Checking Boxes

While the answer to this question is complex, one major factor in play is the culture of checking boxes. Awareness programs are often delegated to general middle management. Thus, the people in charge of creating awareness for security issues are often not well informed on these topics themselves.

When tasked with creating a program, they fall back on existing information security awareness frameworks such as those included in the PCI-DSS and ISO 27001 standards, or those released by independent security organizations such as OWASP. While these frameworks are excellent and well thought through, they require careful adaptation to fit the specific organization. Unfortunately, without in-depth knowledge of information security, adapting these general frameworks to a company becomes all but impossible, and the included sample checklists are often implemented as-is.

This in turn leads to what is called “blind compliance”, where trainees believe that at least half of the elements included in awareness training do not apply to them and therefore ignore them. Because of this negative bias, the elements that are important are given less consideration, which in turn creates the perception that the training is not relevant to everyday operations.

In the end, the organization checks all the boxes on the awareness list but remains as vulnerable and unaware as ever, since the checkboxes were never adapted to fit real-world conditions. Just because you are compliant on paper does not mean you are secure.

Proactive Security

The solution to the problem of blind compliance is proactive security. That means hiring qualified staff to handle security roles, creating a custom policy and awareness training that fits your organization - ideally based on one of the major standards - and ensuring that all staff (including management) are adequately trained and aware of the elements of the policy that apply to them. Such training should be repeated at regular intervals to prevent standards from slipping over time.

While doing all of this correctly does not guarantee that there won’t be any breaches, it significantly raises the bar for attackers and makes breaches due to old unpatched vulnerabilities and human error far less likely.