In 2017 it’s hard to know where you stand when it comes to cyber security. After all, depending on who you ask, you’re likely to get wildly differing accounts of just what the cyber-threat landscape actually looks like.
According to one headline, the threat is getting worse all the time. And to another, the risk is gratuitously overhyped. According to yet another still, it’s not as bad as it looks…but you’re still too confident.
It’s the tech world’s version of fake news.
Asked if businesses down under are overconfident, Andy Prow, CEO of RedShield, said the answer is more that they are underprepared. “We all know about the everyday rise in attacks, it’s in the news constantly. The reason for the attacks is simple, it’s because they are very successful and there are people out there making good money, or intelligence, by making those attacks,” he stated.
Speaking to iStart from Los Angeles, Prow explained why there’s also good reason for overconfidence/unpreparedness. It costs money, and usually lots of it, to run secure systems. While the hackers/crackers/malware propagators focus on the big fish or low hanging fruit, companies down under are relatively unscathed. “It’s the tail end of where the attacks are targeted,” Prow confirmed. “There’s less to gain – and that’s evident from our perspective, too, because in the US or the UK for us, the deals are 5 to 10 to 20 to 100 times bigger. The scale is completely different and for an attacker, you want to hit the big ones.”
So where does the truth lie for the average business?
Well, it’s complicated.
First things first: The threats are surely out there, as Prow has made clear. Any average news day, as well as the particularly high-profile attacks on Uber, Equifax, and HBO, proves as much. And while most of us survived the ransomware epidemic of early 2017, don’t relax just yet – the latest Microsoft-tinged strain, known as ‘Scarab’, is currently infecting five to six million new hosts every month with no end in sight. On the phishing front, EnergyAustralia, Telstra and the Commonwealth Bank have all had their brands used in malware attacks this month.
And here come the (inevitable) scary statistics: One estimate shows cybercrime causing US$450 billion of damage to the economy in 2016, with that number expected to increase to $1 trillion by 2021.
But it’s not just dollars, it’s data too. Nine billion ‘records’ stolen or lost since 2013 with two billion of those disappearing in the first half of 2017 alone. And as what qualifies as ‘assets’ becomes ever more digital, the threat increases. A report from Lloyd’s and Cyence guesstimates that a single major cyber-attack could have the impact of a catastrophic natural disaster at the scale of Superstorm Sandy – that’s an estimated US$53 billion of economic losses.
(Interestingly, online advertisers are now beginning to feel the burn too. The ‘Hyphbot’ is estimated to be costing advertisers US$1.3 million a day by way of a technique known as ‘domain spoofing’, or fake versions of websites created for the sole purpose of defrauding brands and platforms of their advertising dollar.)
It’s no wonder the cyber security sector is enjoying boom times. Spending is up across all key areas, especially analytics, threat intelligence, mobile and cloud security – with cyber-security spending expected to hit US$182 billion by 2021.
And when even the government is responding – Australia’s new military Information Warfare Division is under way with almost 1000 staff expected to be manning the keyboards within the decade – you know you’ve got a problem.
It’s enough to make the average business owner just a tad paranoid.
But does it?
A new report from Sapio Research – DDoS 2017 Report: Dangerous Overconfidence – suggests that most companies are, in fact, perfectly confident in their ability to resist cyber-attacks, statistics be damned.
The report, which surveyed 500 senior IT personnel with “material control over IT security”, found that the large majority (88 percent of the U.S. businesses surveyed) are confident in their ability to defend themselves against distributed denial-of-service (DDoS) attacks, even though 69 percent of that same group had suffered from a successful DDoS attack in the last 12 months. Sure, DDoS isn’t quite a data security issue, but the implication is the same – blind, unjustified confidence.
Why the disconnect?
It may have something to do with the amount of money being spent. Businesses in the US reported big spending on security – a staggering $34,750 per year on DDoS mitigation alone. More than a quarter (26 percent) of all US respondents to the survey have invested more than $53,000 in DDoS mitigation technologies in the last 12 months.
“The results show that most US companies are mindful of the alarming recent rise in DDoS attacks, and are increasing their investment in mitigation technology in response,” said Alex Nam, MD of CDNetworks Americas (for which the research was conducted).
“This has understandably led to a confidence in resilience. But when comparing alongside the frequency of DDoS attacks and the likelihood of their success, this confidence tips worryingly into complacency.”
“It seems businesses have not noticed they are losing the arms race against cybercriminals. Only with fundamental changes in mindset and more targeted investment can such confidence be earned.”
Confidence is one thing. Not giving a damn, quite another.
Prow said businesses tend to have a ‘risk acceptance’ approach to potential attacks – certainly in the Antipodes. “This gets me riled, because you effectively have executives accepting the potential compromise of the data of thousands of their customers. Would the customers be OK with that? I doubt it.”
He added that because there is no immediate competitive advantage in being more secure, it can add costs and even make one organisation’s offerings less attractive than those of another. For that reason, he said the General Data Protection Regulation, being introduced in Europe, is a good idea – because it effectively adds the same cost overlay to all businesses, rather than leaving open an incentive to skimp on security in the interests of lower overheads or simpler devops.
Along with pushing for even greater spending, the Sapio survey reports that the vast majority of companies – 88 percent – expect to face new attacks in the next 12 months.
They’re probably right. The independent, not-for-profit Information Security Forum (ISF) says 2018 is going to be the year of the data breach. Specifically, look forward to the rise of ‘Crime-As-A-Service’ (CaaS), the Internet of Things adding a host of new unmanaged risks, and supply chains as the new point of vulnerability for data leaks.
“The scope and pace of information security threat [growth] is jeopardizing the veracity and reputation of today’s most reliable organisations,” said Steve Durbin, ISF MD.
“In 2018, we will see increased sophistication in the threat landscape with threats being personalised to their target’s weak spots or metamorphosing to take account of defenses that have already been put in place.”
“These days, the stakes are higher than ever before. High level corporate secrets and critical infrastructure are regularly under attack and organisations of all sizes need to be aware of the significant trends that we forecast in the year to come.”
So what’s the average bewildered company to do? One proposed solution: Just hand it over to the machines already.
According to McAfee – granted, a company somewhat prone to overstating the threat landscape – in 2018, businesses can look forward to ransomware’s inevitable penetration into the burgeoning Internet-of-Things and, interestingly enough, the rise of machine learning as a new weapon in the security arms race.
“The rapid growth and damaging effects of new cyber-threats demand defenses that can detect new threats at machine speeds, increasing the emphasis on machine learning as a valuable security component,” said the company on announcement of its McAfee Labs 2018 Threats Predictions Report yesterday.
“Unfortunately, machines will work for anyone, fueling an arms race in machine-supported actions from defenders and attackers.”
And a race it will surely be, involving both man and machine.
“The evolution of ransomware in 2017 should remind us of how aggressively a threat can reinvent itself as attackers dramatically innovate and adjust to the successful efforts of defenders,” said Steve Grobman, McAfee’s CTO.
“We must recognize that although technologies such as machine learning, deep learning, and artificial intelligence will be cornerstones of tomorrow’s cyber defenses, our adversaries are working just as furiously to implement and innovate around them.”
“As is so often the case in cybersecurity, human intelligence amplified by technology will be the winning factor in the arms race between attackers and defenders.”
The other winning factor, for the security vendors anyway, might just be the stories that drive the greatest fear, uncertainty and doubt.