Security from the ground up

Complexity may be the biggest issue of cybersecurity

In 2018, the spending on cybersecurity in the United States reached $66 billion. The global market is expected to reach $153 billion next year. You would think that all that money being spent on a problem would actually result in a positive outcome.

You would be wrong.

According to a 2017 study released by Accenture (NYSE: ACN) and the Ponemon Institute, the cost of cybercrime to businesses worldwide averages out to more than $11 million… per business. Not “a” business. Every business. Some estimates put the total at $600 billion, more than three times the amount invested in the solution. When you include the additional costs of stock depression, reputation and long-term loss of business, the cost goes into the trillions of dollars.

In fact, it is going to get worse before it gets better. Another 2017 report from Cybersecurity Ventures predicts, “cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment.”

Based on that information, the daily cost for business jumps to $8.3 billion in 2015. Oh my!

Let’s make it visual. This chart was developed by Axiado Corporation, based on data regarding the biggest data hacks from various sources, including DataBreaches.net, IdTheftCentre and several press reports.

The most common breaches from 2006 to 2015 were outright hacks and people losing devices. Occasionally there were a few inside jobs and poor security practices (Sony’s email breach was due to an IT administrator leaving his password on a Post-it note on his screen). Between 2006 and 2014, that resulted in the loss of more than 3 billion records. But look at what started happening after 2014. Poor security became a major problem.

How can this be when the amount of money invested in security technology has been skyrocketing? The answer is that we’ve made the process too complex.

There are many reasons a system can get hacked, and most of them are just human error. But as more and more money was invested in closing holes, something strange happened: equipment and software failures, physical attacks on systems and brute-force hacking became more prevalent.

Some people think that the tech industry isn’t taking full responsibility for the problem it has actually created. ARM Ltd said as much in a manifesto released last year. ARM called on the entire industry to work together to reduce, if not resolve, the problem of cybercrime.

Other people think we may have made it easier for cyber criminals by making the solution more complex.

Axel Kloth, CTO of Axiado Corporation, says the cyber world is a bucket that criminals have punched full of holes and the cybersecurity industry has figured out how to patch only a few of them. “There are solutions to specific problems, but those solutions are not comprehensive and, as a result, the industry has made the problem much more complex.”

At the SecurityWeek CISO conference in Half Moon Bay in June 2018 were a handful of security technology companies touting their wares. Here is what they agreed on:

  1. Firewalls stop about 20 percent of the attacks, but 80 percent of the attacks occur behind the firewalls. People bring in unsecured mobile devices, use cheap thumb drives with malware attached at the factory, and visit questionable websites. These are known as east-west or lateral attacks.
  2. Pretty much every security program is designed to apply a defense AFTER the attack has begun. One of the company representatives bragged that their system can find and isolate an attack “within 48 hours.”
  3. The larger the client, the more likely that they buy any and all services they can get their hands on, hoping they patch as many holes as they can.
  4. None of them want to integrate with anyone else.

A few weeks later, at the Design Automation Conference in San Francisco, I met with three other organizations that said the same thing. So ARM and Kloth seem to be on the right track. Very few companies in the cybersecurity industry, hardware or software, are willing to solve the problem collectively. As a result, their customers are employing an overly complex, patchwork solution that is more easily exploited by hackers who actually enjoy the challenge.

That 20/80 percent view of where the problem lies is a bit squishy. It appears to come from an Ipswitch report that says 75 percent of data breaches come from internal sources. However, that number comes primarily from internal opinion, not from actual data. The companies that state this percentage were all software services that sit behind the firewall. So, it is a good selling point for them. But let’s go back to the chart and the numbers preceding it.

Based on that data, 62 percent of the breaches are coming from outside the firewall and 38 percent from lateral attacks. That is not as good a business problem for the cybersecurity industry, which is primarily focused on dealing with internal attacks after they happen. Les Spruiell, vice president of Service Operations and Security for Zentera, said they monitor as many as 3 attacks on client firewalls, every second of every day. Those are direct attacks on the hardware and VPNs.

There are many ways to solve this problem. Some of it involves artificial intelligence; some of it involves teaching people proper security practices. In the long run, however, we need to look outside the box for the simplest answer, one that stops attackers from getting in in the first place.


This is the first of a new series that I may turn into a book, tentatively titled: The Stupid Side of Digital Security. Full disclosure, some of the companies I will be mentioning, like Axiado, will be content strategy clients of mine. However, I am open to talking to anyone who is offering insight into the issues I present. We are all in this together.

 

Written by Lou Covey. Published with permission.
