Rising above the noise of junk risk
28th May 2019

Junk risk is the "fake news" of the cyber security world. Sensationalist headlines, alluding to imminent threats of a "cyber-apocalypse", cause mass hysteria and leave us questioning the safety of our business and personal data. As a result, the distinction between what constitutes genuine and fake risk has never been more crucial. We take a look at how organisations can avoid chasing phantom threats in today's tech-driven society and, ultimately, rise above the noise of junk risk.
A cautionary tale

The 2017 'WannaCry' ransomware attack on the NHS is a prime example of the media throwing the world into panic over cyber security. Undoubtedly, the consequences were serious: 80 of 236 trusts across England suffered disruption, leaving many patients without treatment. But did this cyberattack mark the end of our National Health Service? Contrary to what the press would have us believe, no it did not. In reality, the damage done was nowhere near that scale. Across the NHS, only 1% of diagnostic equipment and 1.2% of appointments were affected, and the issue was resolved within five days. The message here: high-profile cases shouldn't distract organisations into chasing low-risk vulnerabilities.
The myths of out-of-date software

Whilst running out-of-date software isn't recommended, it doesn't automatically leave the user open to attack. According to the security ratings company BitSight, the chances of a security breach triple if over half of an organisation's endpoints are outdated. However, that risk only applies if the specific threat vector to which that version of the software is vulnerable is actually exposed; otherwise, it's safe.
Another myth is the idea that upgrading to the latest software protects against 'zero-day' attacks, exploits directed at a vulnerability that is not yet known. The problem is that the updated version will likely be just as much at risk as the outdated one: how can a vendor build in protective code for something that hasn't been discovered? Ultimately, most cyberattacks target recognised weaknesses, so organisations should update their software as and when threats to those areas are identified.
Vulnerability vs exploitability

Being exposed to a vulnerability doesn't necessarily mean that a cyberattack is imminent. Before action is taken, organisations must determine whether there is a plausible motive for them to be targeted and whether an individual has the offensive security skillset required to carry out an attack. Once these two variables have been considered, the likelihood of the identified vulnerability being exploited drops to almost zero.
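The two previous sections make the same practical argument twice: an outdated version matters only when the vulnerable vector is reachable, and exploitability depends on whether attackers have the means to act. The following added example (not code from the original article) turns that argument into a small triage routine over a constructed inventory; product names, version numbers and the WEAK-nnn identifiers are placeholders, not real software or CVE numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Weakness:
    """A known weakness in one product (all values here are constructed)."""
    ident: str            # placeholder id, not a real CVE number
    product: str
    fixed_in: tuple       # first version carrying the fix, e.g. (4, 2, 0)
    vector: str           # service an attacker must be able to reach
    public_exploit: bool  # working exploit code known to be circulating


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: tuple
    reachable_services: frozenset  # services reachable from an untrusted network


def finding_priority(host, weak):
    """Return None when the host is not affected, otherwise a priority label.

    Being out of date is not enough on its own: the vulnerable vector must be
    reachable before the finding deserves urgent action, and a circulating
    exploit lowers the skill an attacker needs, so it raises the priority."""
    if host.product != weak.product or host.version >= weak.fixed_in:
        return None
    if weak.vector not in host.reachable_services:
        return "low: outdated but vector unreachable, fix with routine patching"
    if weak.public_exploit:
        return "critical: reachable and exploit public, patch or isolate now"
    return "high: reachable, patch in the next cycle"


def triage(hosts, weaknesses):
    """Map (host name, weakness id) -> priority for every affected pair."""
    out = {}
    for h in hosts:
        for w in weaknesses:
            prio = finding_priority(h, w)
            if prio is not None:
                out[(h.name, w.ident)] = prio
    return out


# Constructed inventory and weakness list for demonstration only.
WEAKNESSES = [
    Weakness("WEAK-001", "fileshare", (4, 2, 0), "smb", public_exploit=True),
    Weakness("WEAK-002", "webapp", (2, 0, 5), "https", public_exploit=False),
]
HOSTS = [
    Host("ward-pc", "fileshare", (4, 1, 3), frozenset({"rdp"})),   # outdated, smb not reachable
    Host("file-srv", "fileshare", (4, 1, 3), frozenset({"smb"})),  # outdated, smb reachable
    Host("portal", "webapp", (2, 0, 1), frozenset({"https"})),     # outdated, no public exploit
    Host("patched", "webapp", (2, 0, 5), frozenset({"https"})),    # already on the fixed version
]

if __name__ == "__main__":
    for (host, ident), prio in sorted(triage(HOSTS, WEAKNESSES).items()):
        print(f"{host:9} {ident}: {prio}")
```

Of the four hosts, only file-srv lands in the urgent bucket; ward-pc runs the same outdated version but, with the vector unreachable, it is the kind of finding the article calls junk risk.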
Next on the cyber horizon

As technological advances give attackers greater means to exploit rich new targets, it's imperative that organisations can identify genuine risks in order to focus their time and resources more efficiently. Rising above the noise of junk risk is a fundamental part of this strategy, whether that's achieved by refusing to be distracted by high-profile cyberattacks or by accepting that not all vulnerabilities will be exploited. We have no doubt the world of cyber security will face both real and serious threats in the future, but we can safely say the cyberpocalypse isn't here just yet.