From a technical standpoint, the reason bad things happen in IT systems is pretty straightforward: we don’t do a good job of controlling access to accounts, and we do not monitor accounts for problems. That’s 90% of the problem. It’s account access control. The reason for this is that passwords do not work, and efforts to standardize and mandate better access control have been poorly supported.
While cyber security may seem very complicated, this is really just because it is so unfamiliar and has been wrapped in mystery. It is no more complex or perplexing than any other type of security, but it is a relatively small specialty, so there are really only a small number of subject matter experts who have any kind of clear-headed thinking on the subject.
For the most part, the problem we have in cyber security is access control. Specifically, we do not have great authentication of remote access. That’s it. That’s the problem. In most circumstances, more than 90% in fact, it comes down to not being able to authenticate that a connection is legitimately who it says it is. So, for example, the CEO’s email is being read by a foreign hacker who stole the CEO’s password.
That might sound like it would not be an insurmountable challenge. I mean, after all, how hard is it to make sure the CEO is who he says he is and not a foreign agent? Surely, we could track the geolocation or the context, or use his approved hardware. And you would be correct: it is not insurmountable. In fact, we can close all the holes in access control if we decide to.