The Bad Guys, including malicious and careless insiders, continue to raise the cybersecurity stakes with existing and emerging threats.
The reason cybersecurity is a process, not a one-time solution, is that the Bad Guys - whether careless or malicious employees, hacktivists, cybercriminals, or rogue governments (not to be confused with the good governments, which only spy on us for our benefit) - are a problem that will never go away. Every new and improved security measure is only as good as the people who use it and only effective until somebody comes up with a way to beat it.
The best cybersecurity can do is slow down the attackers, and remediate problems once they are identified. The situation isn’t hopeless; it just seems that way. While existing problems like viruses, ransomware, bots, kill chains, zero-day, and denial-of-service attacks are being addressed, the Bad Guys are expanding their arsenals with new threats like:
- Headless worms: malicious code targeting "headless devices," such as smartwatches, smartphones, and medical hardware
- Blastware: destroys or disables a system when detected
- Jailbreaking: malware on modified smartphones
- Ghostware: malware that enters into a system, completes its mission, i.e., stealing data, then disappears without leaving a trace
- Two-faced malware: seems benign under surveillance, but morphs into malicious code once it's no longer under suspicion
In 93 percent of cybersecurity cases it took attackers minutes or less to compromise systems. Exfiltration happened within minutes in 28 percent of cases, while organizations took weeks or more to discover that a breach had even occurred; 70 percent of breaches involving insider misuse took months or years to discover.
Almost all breaches (95 percent ) and incidents (86 percent) are covered by eight patterns:
- Miscellaneous errors (17.7%)
- Twenty-six percent of miscellaneous errors involved sending sensitive information to the wrong person.
- Insider and privilege misuse (16.3%)
- End users account for a third of insider misuse;
- Attacks are typically motivated by money:
- Thirty-four percent of breaches involving misuse were motivated by financial gain—although a quarter can be linked with espionage, such as the theft of intellectual property
- Physical theft and loss (15.1%)
- Thirty-nine percent of theft is from victims’ own work areas
- Thirty-four percent is from employees’ personal vehicles
- Denial of service (15.0%)
- Crimeware (12.4%)
- Web app attacks (8.3%)
- Point-of-sale intrusions (0.8%)
- Cyber espionage (0.4%)
A lot of money is being spent on cybersecurity, and the annual amount is growing more than 5x overall IT spending (compound annual growth rate of 8.3 percent through 2020, versus 0.9 percent in 2016 (to $3.4 trillion) and up to $3.8 trillion by 2020). However, throwing money at cybersecurity doesn’t address the biggest threat: People. Ninety-five percent of all security breaches were caused by human error.
Another set of issues relates to the Good Guys, the cybersecurity professionals who guard the perimeters and seek out and remediate threats. There are too few of them (46 percent of organizations claim to have a problematic shortage of cyber security skills), and they are too overworked to stay on top of the threatscape.
According to a new survey, more than half (56 percent ) say they aren’t receiving the right level of skills development to address the rapidly evolving threat landscape. Jon Oltsik, Seior Principal Analyst, Enterprise Strategy Group (ESG), said, “This research paints an escalating and dangerous game of cyber security ‘cat and mouse,’ and today’s cyber security professionals reside on the front line of this perpetual battle, often knowing they are undermanned, underskilled, and undersupported for the fight,” said Jon Oltsik, senior principal analyst, Enterprise Strategy Group (ESG).
While the cybersecurity threatscape is growing, so are the solutions, but all that can be undermined by something called threat fatigue. "There is a form of growing desensitization to the daily reports of cyber hacks and threats to the degree where some have begun to wonder just what is the point of cybersecurity practice at all," noted Gartner Research VP and security guru Earl Perkins in a recent blog.
Fortunately, proper security procedures, practices, and products can make it next to impossible for the Bad Guys to prosper. But it takes the combined efforts of the Good Guys and employees, partners, and customers to minimize the attack surface and ensure that problems don’t escalate into disasters.