Last year in 2018, we probably saw some of the worst security-related breaches possible. Just consider some of these examples:
* The Marriott Hotel breach which impacted over 500 million customers;
* The USPS breach in which the PII of more than 60 million customers was stolen;
* The Facebook/Cambridge Analytica fiasco that could cost Facebook as much as $1.63 Billion in fines due to the GDPR Legislation;
* The average cost of a Cyberattack to Corporate America is now reaching a staggering $1.23 million.
One would think that the normal course of human nature would be to take all the steps that one can to help protect the business or corporation that they work for. But unfortunately, this still has not yet hit the mindsets of Corporate America, especially that of the C-Suite. Yes, there are improvements being made here, such as the Board of Directors holding CIOs and CISOs more accountable for their actions.
But being held accountable has still not yet translated into a sense of proactiveness. So just why is it that the Cyberattacker can still keep hitting prized targets over and over again and keep getting away with it?
Well, Kaspersky Labs launched yet another market research study to find out the reasons for this, and here is what they collectively found:
* We are in the midst of a huge digital transformation:
This simply means that all of the Internet connections that we have, on both a virtual and a physical basis, are now coming down to one item: The Internet of Things (IoT). Really, more than just a transformation, I would actually term it a divergence of various technologies coming together into one. Thus, we are now seeing things coined as “Smart Products”, “Smart Homes”, and even “Smart Cities”.
The idea here is that everything in our lives will be automated. Heck, the day will even come when you could just clap your hands and get your car out of the parking lot with that alone. But all of this comes with a huge cost: This increased level of interconnectedness has in turn increased the attack surface for the Cyberattacker, with many weak points being exposed.
In fact, according to the survey from Kaspersky, over 52% of CISOs agree that this so-called Digital Transformation is having a huge impact upon their level of Security. The CISOs also feel that migrations to the Cloud and a more remote workforce are further exacerbating this.
In this category, another big fear factor amongst CISOs is that of the Malicious Insider. Almost 30% of CISOs fear this, second only to Cyberattackers with a huge financial motive at 40%.
* The CISOs need to have their budgets made a first priority:
One would think that in this climate, the CIO or the CISO would have their requested budgets approved fairly quickly. But this is far from the reality. Why is this happening?
* Very often, money allocation requests for Cybersecurity get lumped under one huge bucket known simply as the “IT Budget”. This includes other line item budgets like salaries for the IT staff, enhancements to other projects, adopting newer technologies in order to keep up with the so-called Digital Transformation, etc. But as we all know, even in times of great economic conditions, IT Budgets are usually the last to get approved, and the first to get slashed in periods of economic slowdown.
* Unfortunately, when the CISO gets asked by the CEO or even by the Board of Directors if they can guarantee that they won’t be hit by a Cyberattack after more money is allocated, the CISO is stuck with a gun pointed to his or her head and has to flat out say “No”.
Just like anything else, there are no guarantees in life, and rather than asking this question, the CISO’s higher-ups need to be asking if the increased spending will greatly reduce the chances, or the probabilities, of being hit by a Cyberattack.
* The right kinds of questions are not being asked:
As just stated, instead of asking “Can you guarantee that our organization won’t be hit?”, the question in dealing with today’s Cybersecurity Threat Landscape should be “OK, what can we do to reduce the chances of becoming a victim?” In other words, the mindset within the C-Suite should not be “if” an attack occurs, but “when” will it actually occur?
Also, much more attention needs to be given to detecting and actually trying to mitigate risks and threats, rather than throwing everything (including the proverbial kitchen sink) at beefing up the lines of defense. Trying to model specific Cyberthreats and further analyzing their profiles and signatures is becoming of prime importance today.
My thoughts on this?
In the end, nobody can guarantee that their business or corporation will never be hit. It is even an absurd question to be asking these days. The bottom line is that one of the prime motivations for the Cyberattacker to launch their threat vectors is that of financial gain.
Now, the mindset has to drastically shift to how to make Cyberattacks a financial loss for the hacker (although this is an easy statement to make, this is actually difficult psychology – one which will be addressed in a future blog).
But also, think of the role of the CISO as a Business Development Representative. If the latter truly believes in the product and service that they are selling, their passion and energy will come through, thus increasing the chances of making a sale.
The same holds true of the CISO. Most likely, they do have the inner passion to protect their respective organizations from being a victim of a Cyberattack. But the fact is that since they don’t get the attention or the time they deserve from their higher-ups, their morale gets beaten down, and thus this passion dissipates.
But unfortunately, this can have a cascading effect as well to the people who report directly to the CISO, all the way down to the employees.
It just all comes down to basic human ego: We all want to feel that we are being heard, and that our plans are being taken seriously. Once we feel this, we then feel good about ourselves, and thus are further motivated to do more and more.
Remember, it only takes a little bit of gas in order to further fuel this basic human need. It’s not hard to do, and best of all, there is no cost to it.
Finally, the report from Kaspersky can be downloaded at this link: