The State of the Cybersecurity Threat Landscape
By Don Dixon, Board of Directors, Odyssey Logistics & Technology Corporation & Alberto Yepez, Board of Directors, Coveo
Alberto Yepez and Don Dixon are co-founders and managing directors of Trident Capital Cybersecurity, an early-stage venture capital fund focused on investing in new technologies in cybersecurity.
Cyberspace has been described as the largest unregulated and uncontrolled frontier in the history of mankind. The opportunities to do harm, and the number and range of threat vectors, have multiplied along with the sophistication of the global IT network. This global network includes captive and cloud-computing datacenters, mobile devices, web-enabled and mobile applications, home computers, and now the hundreds of millions of network-enabled devices comprising the “Internet of Things” (IoT).
The sophisticated tactics and technology of today’s online criminals and their nonstop efforts to breach network security and steal data have far outstripped the ability of IT and security professionals to stop them. Given the transition from isolated attacks to more sophisticated, coordinated and persistent attacks, most organizations have neither the people nor the systems to monitor their networks consistently. A security talent shortage makes this problem worse: an estimated one million cybersecurity jobs worldwide are unfilled due to a lack of well-trained cyber professionals.
How grim is the upshot? Although global cybersecurity spending totaled a record $77 billion in 2015, a 6 percent increase over 2014, the cost of a breach last year swelled to $15 million, a 21 percent increase over 2014, according to a Ponemon Institute survey.
Here are other similarly dim statistics. In 2015, cybercriminals exposed more than 169 million identities, according to the Identity Theft Resource Center. Five breaches alone exposed more than 10 million identities each in 2015. That compared with only one such breach as recently as 2012. Sixty percent of the time, it takes an attacker minutes to compromise an organization, according to Verizon’s 2015 data breach report. By contrast, it takes an average of nearly eight months for a breach to be detected, according to Mandiant’s M-Trends report. According to Javelin research, identity fraud last year alone impacted 13.1 million U.S. consumers, producing a total loss of $15 billion. That works out to a loss of $36,000 every minute.
Going forward, the pace of global cybersecurity spending is projected by Gartner to speed up to 8 percent annually, reaching $106 billion by 2019, or three times the growth in spending on IT overall. This money will have to be spent more intelligently and somewhat differently to more effectively address global cybercrime, estimated to cost $400 billion annually, and to substantially decrease the numbers cited above.
New Cybersecurity Threats in Tumultuous Times
One of the biggest relatively new threats today is cyber-espionage by state-sponsored hackers and independent hacktivists. In the recent past, cyber attackers focused on entities on both sides of the Russia-Ukraine conflict. Other attacks targeted Hong Kong protests, territorial disputes in the South China Sea and Israeli military operations in Gaza. Cyber-espionage is certain to increase as a tool for pursuing foreign policy objectives. As it does, industrial control systems supporting national infrastructure also become targets, underscoring that the private sector is not immune from this threat.
Still other types of relatively new threats include web app attacks that seek to disable or redirect web applications, often for the purpose of extracting a ransom; insider misuse of privileged access to confidential or proprietary data; crimeware involving the theft of personally identifiable information for financial identity theft; and point-of-sale theft of credit and debit card information. Bottom line, the threat landscape has become significantly more heterogeneous. So, predictably, the list of challenges does not end here.
Other types of attacks or vulnerabilities are growing and include:
“Onion-layered” Security Incidents
IBM has identified these as one of the top cybersecurity trends in late 2015. In these incidents, a second attack, often significantly more damaging, is uncovered while investigating the first, more visible one. This subterfuge is particularly time-intensive and expensive to address.
Remedying the problem in this particular case is usually more a matter of accountability than technology. Bad password policies, for example, continue to compromise employee termination procedures. When a system or network administrator leaves an organization, disabling their personal accounts doesn’t always limit their ability to wreak damage. Sometimes ill-willed former employees can still access shared company accounts.
Targeted Spear Phishing
The easiest way for a cybercriminal to access valuable data is often by tricking a person into divulging the combination on the vault. This is easier than writing sophisticated computer code. What is new about phishing attacks is the targeting of high-level executives and others with a high security clearance. Educating targets alone doesn’t fix the problem. Also needed are real-time monitoring and scanning systems with blocking capabilities.
A Continuation of Porous Defense Against Malicious Insiders
Surprisingly, many attacks have an insider component, even if it is just some sort of mistake.
Among other things, insiders erase router configurations and make unauthorized rule changes to firewalls. Because it is sometimes difficult to distinguish these malicious steps from normal service outages, some situations persist for weeks before the start of a formal investigation.
Poor Security Basics Continue to Undermine Corporate Risk Management
When a corporation or other organization is the target of a cyberattack, it must work hard to learn from the episode. Among other things, it must profile the culprits, learn their modus operandi and adopt strong countermeasures.
Even so, entities must also do something simpler and more important: master and rigorously implement security basics. Far too many organizations have yet to do so. They still don’t manage passwords properly and do not require two-factor authentication. In addition, most corporations still have too many unpatched vulnerabilities that will be exploited, and they accommodate too many web security flaws.
If companies aggressively address these challenges, the cybersecurity threat landscape will moderate. Even in the best case, however, improvement will be a relatively slow, evolutionary process. New technology innovations are necessary. Cybersecurity didn’t become such a huge threat overnight and it won’t be remedied overnight. What counts is progress, and thankfully that’s happening.