Page 38 - Cyber Defense eMagazine April 2023
“This is a time-consuming and expensive process, and almost no one bothers to go through it. If they did,
they would quickly realize that most systems are far more complex to analyze, and that there are security
flaws everywhere,” Schneier continued.
It’s Not 1999 Anymore
The now common “security by design” approach was not yet in vogue, even though threat actors and
cyberattacks were on the rise and recognized as a problem. Security flaws were an accepted part of
using technology, a cost of doing business. A 1999 article from CNN Sci-Tech on cyberattacks reported
that financial losses “rose to more than $100 million for the third straight year.” How quaint. Fast forward
to 2023 and some estimates have the total cost of cybercrime reaching a staggering $8 trillion this year.
Today’s technologies are far from perfect, but cybersecurity is top of mind for most organizations, and
the array of tools and services available to protect networks and data goes far beyond the seemingly
primitive firewall and anti-virus approach that was common a quarter century ago. Still, complexity
remains an enemy of security, but not just in the way described by Mr. Schneier.
Even when technology is created using the security by design approach and tested to assure the absence
of known vulnerabilities, if it is difficult to use it can cause people to avoid the product and instead find
insecure workarounds, thereby creating more security issues for the organization. At times those
workarounds manifest as a stubborn refusal to abandon the old processes or, if that is not an option, as
a new way to complete whatever task is involved. That is a natural response to change when the new
way is (actually or merely perceived as) complicated. And when that happens, complexity’s enmity with
security will rear its ugly head.
Workarounds are Anti-Security
We have seen this far too often in the realm of data transfer. Unfortunately, there is no shortage of easy
and familiar ways of sending data from one place to another that are far from secure, so when that secure
but complex process frustrates staff, they may look for an easier solution like email, file sharing utilities,
or consumer-grade cloud services. These work just fine when you want to send grandma a bunch of
photos and videos of the kids’ dance recital or the family’s summer trip to the Grand Canyon, but not
when sending business-critical files. When these are the solutions that organizations use to send
sensitive, even regulated, data like personally identifiable information (PII), protected health information
(PHI), intellectual property, financial files, and data associated with contractual obligations, it puts
everyone at risk.
Some organizations believe they can solve the problem themselves by creating an in-house file sharing
process that combines some existing components, open-source software, and a bit of ingenuity from
someone on the IT team. Once again, the problem is usually that the resulting solution is a bit convoluted,
which can discourage its use. And roll-your-own tools are rarely documented by the person who
created them, inevitably leading to problems when that person leaves the organization, gets sick, or goes
on vacation.