Onccloud

Security Nihilism is Right About Some Things (But Not Everything)

Cybersecurity can be overwhelming. There are so many things to keep track of and so many ways an attacker can get to you – many of which you have very little control over. And the criminals always seem to have the upper hand. Whether you’re trying to secure a business or just keep yourself safe in the modern world, it can feel impossible to keep on top of everything. This constant feeling of being behind and unprepared for the latest threat can lead people to the viewpoint of security nihilism. But while it’s right about some things, wholeheartedly buying into it is dangerous.

Security nihilism is the idea that there’s no point to security, so you shouldn’t waste your time on it. Perfect security is impossible. There’s no security measure criminals can’t break, and even if you managed to get there, evolving tech means it wouldn’t stay that way. And those who don’t feel like putting in the effort to crack your systems can just use social engineering to hack you. Attackers can leverage new technology without concerns about regulations or morals, and that means they’re always ahead.

If you’re talking about businesses, security nihilism believes defense is a losing game. If criminals want in, they’ll get in. Your employees can be phished or social engineered – and sometimes they themselves are the threats. Any sufficiently persistent attacker will get in eventually. It’s not a matter of if you become the victim of a breach or attack, it’s a matter of when.

On the individual side, you don’t have a company’s cybersecurity budget, so you’re already behind. And there’s the issue of privacy. When it comes to your privacy, you’re already burned. Drones are watching you from the sky. Advertisers don’t even need cookies to track your online activity. Other people can reveal your information, too. If you want real privacy, you’d have to take extreme measures – which come with extreme costs and still aren’t a guarantee.

As depressing as that belief sounds, security nihilism is right about some things. There is no such thing as perfect security. We’re always in a cat-and-mouse game with criminals. And even if we reach the elusive “perfect” security that criminals really can’t penetrate, sooner or later, technology will evolve enough that they can find a way in.

From a business perspective, it is true that any sufficiently motivated criminal will eventually find a way in. It’s also true that your employees are almost always the weakest link, whether that’s because they were tricked into doing something they shouldn’t have or because they decide to use their access to your company for nefarious purposes.

For an individual, it’s also true that a lot of your data is already out there. Facebook will build a shadow profile on you if you don’t have an account. Surveillance cameras are everywhere. License plate readers track your driving. Your phone is always tracking your location data even if you’ve turned your location off. Everyone’s tracking you online for a variety of purposes. And even if you don’t put it out there, someone else could. If a friend posts a photo of you or a relative does DNA testing, that’s a risk to you, too.

In that way, the essential premise of security nihilism is correct. For businesses, it’s just a matter of time until you have an incident. And for individuals, you’re already exposed and there’s no disappearing now.

But! After all of that, there is one thing that security nihilism is majorly wrong about. And that’s the part where it claims security is both hopeless and pointless. Yes, security is a struggle in a lot of ways, and perfect security is impossible. But that doesn’t make every security effort a waste of time. Perfect security isn’t the point.

You’ll note that earlier we said any “sufficiently persistent” attacker will always find a way in. But for the most part, criminals just want a payday.
They don’t want to get at you or your company specifically. If it takes too much time or effort to get money out of you, that reduces their profits. Chances are good that at that point, they’ll give up and move on. It’s like that old joke about the two hikers discussing getting attacked by a bear and one says that he doesn’t have to be faster than the bear, just faster than the other guy. Your security doesn’t have to be completely impenetrable. It just has to be strong enough that the criminals go for someone easier.

The idea that no security is perfect is supposed to remind you not to get too comfortable, not to make you think all effort is pointless. For businesses, there’s no excuse for ignoring security. You have a business duty to keep an attacker from taking you out, an ethical duty to protect your customers’ data, and often a legal requirement to make an effort. And as an individual, giving up is a great way to make sure you’re attacked – and that those attacks are more successful. Even a little effort can help.

Security nihilism may be right about some of the facts, but it’s wrong about the conclusions. Just because security can be hard and being unattackable is impossible doesn’t make it hopeless. There are things you can do. Just making the effort is immensely valuable.

As a business, remember that criminals just want an easy payday. You don’t have to be perfect. The 80/20 principle applies here, too – you can deter 80% of attacks with 20% effort. Put in the security foundations. Implement a company-wide antivirus. Have strong security policies. Train your people on those policies and about phishing and social engineering. Consider a managed security solution. The basics go a long way.

For individuals, cybersecurity basics also go a long way. You don’t have to be hackproof, just enough of a pain that criminals go somewhere else. Use unique, long, strong, random passwords and store them in a password manager. Turn on two-factor authentication. Avoid clicking links when you can. Be aware of phishing and social engineering. All of this will help you stay safe.

And if you’re worried about tracking, the true key to security isn’t about disappearing, it’s lacking patterns. Leave your phone at home or at work sometimes. Switch up your commute – drive a different way, park somewhere else and walk a bit, take public transit instead. Tools like AdNauseam mix a huge volume of junk data into your real data to disguise it. The harder you can be to predict, the harder it is for advertisers, the government, or anyone else tracking you to find anything useful in your data.

Security nihilism is right that you will never have perfect security or privacy. But taking steps can be good enough. Something like our Cybersecurity Awareness Checklist can help you get started. And using the right tools can help you stay safer and deter the majority of attacks. Here are some tools that we recommend.

Better online security also requires some behavioral changes. Be careful what you post online. Check the privacy settings of all your apps and accounts to make sure they’re at a level you’re comfortable with. Be less predictable in your habits. All of this will keep you, not perfectly safe, but significantly safer.
