Say your company just became the target of a massive security breach, with attackers piercing data networks and shaking your business to the core. What is your response? Obviously, you will repair the damage, but when the dust has settled, will you change your security strategy? Even though megabreaches have raised the level of security awareness, the reality is that we may not have seen the worst of cyberattacks yet and may need an even more dramatic event for companies to revolutionize their security policies.
We hear more and more about cybersecurity, but it’s hardly a new topic. Exploiting vulnerabilities in IT systems dates back more than 45 years to experimental, self-replicating programs. From there, the first virus made it into the wild and we began understanding the criminal potential of IT security hacks. We’ve seen an evolution of malware and attacks on IT networks, and now things are advancing at a breakneck pace.
Larger Scale, Costlier Security Breaches
In recent years, we’ve seen verified security breaches involving enormous numbers of compromised accounts and data records. These included compromises of more than 1 billion Yahoo accounts in 2013 (and 2014…and 2016), 412 million FriendFinder accounts in 2016, 165 million LinkedIn accounts in 2012, and 110 million Target customer data records in 2013, just to name a few. The financial implications were colossal and have solidly hit the triple-digit million-dollar range for the biggest breaches.
Yet the true impact of these breaches and their industry-wide effect have largely been short-term and seem to almost vanish once the clean-up has been completed. One reason may be that many organizations don’t fully appreciate the risk of an attack. They either assume it won’t happen to them or they accept potential vulnerabilities in their networks as a cost of doing business. It is clear that there is not enough incentive for organizations to elevate the role of cybersecurity. This leads to an obvious question.
What Incentive Do We Need to Give Cybersecurity a More Prominent Role?
In short, we may need a catastrophic security breach as a signal. This may mean different things to different people and organizations, but the next stage of cyberattack evolution may provide clues as to what cyberattacks we could be facing.
The variety of attacks is growing, with malware extending to include ransomware/crimeware and new vehicles emerging such as phishing, trojans, code injection, distributed denial-of-service (DDoS) attacks and social engineering. More importantly, the targets and goals of attacks are shifting.
In the past, many attacks were driven by curiosity and later became financially motivated. What we see now and are likely to see in the future are attacks that may be motivated by both economic and political goals and may be sustained over a long period, resulting in long-term impacts. As the attack surface grows to include connected IoT devices, the potential damage of security breaches can also extend to physical impact on our general infrastructure.
Considering the evolution of potential vulnerabilities, the impact of a data breach could be staggering. The cost of remediation and the resulting erosion of trust among a company’s customers could threaten its very existence. Or an infrastructure attack may create a situation that disrupts the flow of society, even causing loss of life.
Should We Do More in Cybersecurity Now?
From CompTIA’s research, it appears that there is a noticeable gap between what many organizations currently do to safeguard their networks and what they could be doing. Most companies agree that the secure perimeter is a thing of the past, but they still rely heavily on technology without considering proactive techniques, policy changes or end-user education.
As attack surfaces and motivations for attacks grow, the incentive for securing systems needs to grow as well. Companies must elevate cybersecurity to a business priority from the board room to the server room. Complex defense strategies may cost money, but businesses must view security, rather than vulnerabilities, as the accepted cost of doing business.