The cybersecurity market has become one of the greatest vehicles for selling false promises of any market in history. Hang on. Before you click that little X in the browser and move on from this blog with a “whatever” on your lips, let me explain why that statement is true. And let me explain what you can do to opt out of that continually failing experiment.
The cybersecurity market has shown no sign of slowing its growth over the last decade. While other markets have faltered, manoeuvred, and even failed, cybersecurity has continued on an upward trend. By 2023 the global cybersecurity market is expected to exceed 240 billion dollars. In 2004, less than 20 years ago, the global cybersecurity market was estimated to be worth about $3.5 billion, and in 2017, less than 3 years ago, it was already estimated at more than $120 billion. That means the market grew roughly 35X over 13 years. By comparison, the global healthcare technology market has grown only about 7X over the same period. In other words, technologies that could potentially cure cancer and keep more people alive longer have seen about a fifth of the growth that cybersecurity has.
Why is that significant? In medical technology it is typically not seen as a good thing if there is massive growth and investment in an area while people are still dying from a particular sickness with no real change in treatment over time. In no other area could the world shove money down the tube to “fix” a problem, receive little if any discernible benefit, and still expect that same market to keep exploding in growth. It just doesn’t happen, because it is bad for everyone. No investor or buyer would throw money into “innovation” that does not actually address the root causes of the failures it was supposed to fix. Yet that is exactly what has happened in cybersecurity. We now have one of the largest and fastest-growing markets in the history of industry, with little real fix for the problems we have faced for over two decades.
So what? That’s probably not news, but it is certainly worth pointing out. We can’t spend our way to better cybersecurity, at least not by throwing more money down the collective toilet of “innovation” when that “innovation” is not making security better collectively. We have to address the core issues of security and eliminate them from the risk profile to actually change the game. How do we do this? What possible miracle cure could be so fundamentally different that it might disrupt this entire space and its failure cycle?
Eliminate the password as the means of authentication, that’s how. Pretty simple.
Ok, you might be wondering why that is of such consequence. Let me walk you through some data points that support this thinking.
- Over 50% of people rely on memory alone to manage their passwords, while the typical person has at least 3 devices, around 90 personal accounts and 33 business accounts to keep track of.
- 50% of people use the same passwords for both work and personal accounts.
- 60% of people who have admitted to being scammed in phishing attacks still haven’t changed their passwords.
- 71% of Gen-Z believe they wouldn’t fall for a phishing scam even though only 44% know what “phishing” means.
- A single password is used to access five accounts on average.
- 57% of employees find password management a nuisance that stops them from doing their jobs.
- The password “123456” is still used by 23 million account holders as of January 2020.
- 2.2 billion unique email addresses and passwords were exposed in the “Collection 1-5” credential dumps that circulated in January 2019; these were compilations of data from many earlier breaches rather than a single new breach.
- Stolen or weak passwords were involved in 81% of hacking-related breaches, according to the 2017 Verizon Data Breach Investigations Report.
Some of those numbers probably aren’t that shocking; passwords are a catastrophe, and that’s not news. But also consider this. How does one manage a firewall? How does one manage a micro-segmentation tool? How does an admin control and configure DLP policies? What is used to handle almost all access authorisations for any application?
A password, every time.
So, if the password is the most likely weak link in the chain that leads to a breach, why would you focus elsewhere first? Especially if you are a small or mid-sized enterprise. The point on which all of your cybersecurity pivots, and the point most likely to fail, is the password. Eliminate it and you have substantially improved your security posture. That only holds if what replaces the password is itself resistant to phishing and replay; a one-time code that can be typed into a fake login page just moves the weak link. Done properly, it is in all likelihood a wise investment that helps your organisation become not only more secure but also a happier place to work, as your employees no longer need to add yet another password to their already saturated memory banks.
Or, you can continue to buy the sexiest, coolest, cyber, AI-powered, quantum-encryption-evasion, whatever solution and toss more money into the ever-increasing pit of growth that is this market. But if you really value your security posture, and you want to genuinely improve both business and security, then you eliminate the password. Anything else done first is just more budget tossed at what isn’t the problem, and it won’t be a fix.