What Can We Learn From Recent Cyber History?
The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider.
What lessons can we learn from our recent history, and what projections can we make about the future of data security?
Let us look back at the macro trends of the last decade:
The 2010s saw rapid growth in cybersecurity activity from both good (investment) and bad (attack) actors. Cyberattacks are not new, but today they are ubiquitous.
Evolution of design, intent and purpose. Past attacks were major nuisances, but today, attacks can also be targeted, destructive and meant to evoke emotion and panic. Smash-and-grab certainly existed, but the bad folks are demonstrating innovations.
Attacks come in all shapes and sizes nowadays: malware, spyware, ransomware, man-in-the-middle (MitM), hybrid (e.g., social engineering), distributed denial-of-service (DDoS), phishing (including targeted attacks such as pretexting and spearphishing), cryptojacking and supply chain/third party attacks. Remember, tools used for efficiency also have weaknesses.
Many of the attacks target massive databases of personal records. Similarly, many attacks (specifically of the ransomware flavor) are financially motivated. Criminals see cyberattacks as a good business investment. Cyber war and hacktivism are alive and well, but cybersecurity provides business for good and bad people.
Everybody in the pool! Governments, industry-specific regulators and third parties (such as insurers) all want their piece of the pie.
Despite mounting evidence, the same issues pop up: misconfigurations, poor patching, social engineering, lack of training, incomplete or non-existent protocols and more of the like. Cybersecurity basics are still overlooked or left unaddressed, providing a target-rich environment.
The last three to five years jolted stakeholders into action and even increased awareness. Recent incidents demonstrated the need to reduce vulnerabilities, integrate security features right into development tools and improve response time because the impact is no longer localized.
Recent years have seen a good deal of operational change. At the user level, we went from desktops to laptops to mobile devices, blurring the line on who owns security requirements. At the infrastructure level, we shifted from on-premises to the cloud, and 5G and Edge Computing are knocking on the door.
Additionally, the number of deployed devices has exploded. Ten years ago, you probably had a desktop or laptop and maybe a mobile phone (not necessarily a smartphone, either). Today, you may have at least half a dozen internet-connected devices and a stack of IoT devices, many with vulnerabilities out of the box.
We talk of the perimeter as if it still exists, even though it is effectively gone, or at least on hold. We, therefore, embrace zero trust solutions, but implementing them isn’t easy. Yes, we have made great strides in data analytics, artificial intelligence and incident response, but have security investments kept pace with business efficiency investments? If so, wouldn’t the gap be closing?
Effectively, we increased risk, destabilized resilience and destroyed trust in the name of business efficiency. That bill is now coming due.
Geopolitical and socio-economic events are driving organizations to invest more in security, but sound approaches such as security-by-design remain an uphill battle. The key is making a case for improved security from a business perspective.
Regulations and laws are motivators. SEC rules, GDPR requirements, state-level legislation and critical infrastructure mandates force investment, but the issue with these approaches is the trap they create. Impacted parties may seek the “bare minimum” requirement or turn it all into an audit game, making security and incident response activities an exercise in achieving the lowest common denominator.
The business case for information security, therefore, remains elusive unless you have a CISO or IT team that understands the business well and can clearly articulate why the last ten years may have been the “easy” years, and the next ten are the ones that will bring pain.
How do you make that case?
The catalyst to change could come through privacy initiatives and content protections at the individual level.
It’s not all doom and gloom as long as some behavioral approaches change. First, we must accept we are data creation monsters. Some estimates claim humanity will create 180 zettabytes of data by 2025. For perspective:
Who owns all that data? Who processes all that data? How can you reasonably manage it? Technology is just one piece of the people, process and technology trifecta. And people are starting to get touchy about their privacy, so using biometrics to perform tasks like authentication may run into barriers.
So what’s the path out?
First, understand the data lifecycle. How is it created, how is it managed and what are the best ways to destroy it? Sure, some people may wish to hold on to it as long as possible, but maintaining confidentiality, integrity and availability has proven to be a challenge. Therefore, get data you don’t need off the books.
Next, view data through a privacy lens. Here is the shift in thinking: treat the data as somebody else’s rather than your own. Appreciating that you are responsible (and, more importantly, liable) for the data on your books is a great way to shift your risk tolerance. All of a sudden, you might find yourself thinking, “Do I really want to hold on to this?” It’s not a bad mindset.
The next few years will see more protective technologies developed and deployed. Some, like quantum encryption, could be game changers. But no matter how good future technologies become, any central repository of data is a risk and liability. Proactive incident response and resilience planning should be on the rise as well. Organizations are now realizing they may have to “go it alone”.
Moving into 2023, start to get that risk off your ledger and build resilience into your operations. Federate your systems and spread the risk instead of creating one juicy target. Lastly, begin to see yourself as a custodian of somebody else’s data — because one of these days, they may just be knocking on your door for damages, and the result could get costly.
George Platsis is a business professional, author, educator and public speaker, with an entrepreneurial history and upbringing. Experience areas include ente…