By Jack B. Blount and Bob Barker, Intrusion
The common vulnerabilities and exploits (CVE) database lists more than 11,000 exploitable vulnerabilities in commonly used systems and software—and as of mid-2019, 34 percent had no patches available. – Josh Fruhlinger, CSO, March 9, 2020
How Cybersecurity is Failing
The threat of cyberattacks to businesses worldwide has become immense and continues to grow. While significant measures have been taken to address this acceleration of cyber aggression, the figures remain mind-numbing.
CSO magazine recently listed these statistics:
9 Key Cybersecurity Statistics at-a-Glance
Most of the time when we consider our cyber vulnerabilities, software exposures come to mind. While software threats are extensive, a Dell survey revealed that 63% of companies identified a hardware-level or silicon-level security breach as the reason their data was compromised within the last twelve months, and further found that “only 28 percent of companies were happy with their vendors’ hardware security management.”(1)
In combatting this growing threat, the cybersecurity market has grown dramatically. According to Cybersecurity Ventures, “The cybersecurity market grew by roughly 35x over 13 years entering our most recent prediction cycle. Cybersecurity Ventures predicts global spending on cybersecurity products and services will exceed $1 trillion cumulatively over the five-year period from 2017 to 2021.”(2)
Despite massive spending, it is challenging to see progress, and certainly no one is claiming victory. While most new technologies addressing a specific type of threat work as advertised, the number of breaches continues to grow.
To put it bluntly, the cybersecurity industry as a whole is failing to protect our economy. Instead of continuing to invest blindly as new classes of threats emerge, it’s time to find a new paradigm that is based on an enhanced architecture.
Changing the Paradigm
While businesses of all sizes are impacted by breaches, the nature and impact differ.
Large Enterprises and Government
A common assumption among CISOs is “you haven’t been breached if you don’t know it,” and that is simply untrue. Sony, Home Depot, JP Morgan Chase, and the other millions of businesses that got breached will tell you they did not know of their breaches until it was too late. Almost every business – no matter how large or small – has been breached. Agents are living on your network, examining what data you have, and searching for what’s most valuable to them. One of the authors of this paper found that software agents had been living undetected on the networks of his consulting client for almost two years. In cybercrime and cyber warfare, this seems to be the new normal.
CISOs of large companies must adopt a new mindset and make different assumptions than most currently hold. They can’t assume they are safe now, let alone that they will be safe in the future. They have to be constantly diligent and seek out evidence of bad actors, not resting until they are found. They must realize that they can’t keep bad actors out of their networks; technology allows adversaries to find a way in. CISOs of companies of all sizes must accept these facts and fight complacency.
Small and Medium Enterprises
According to the SBA, more than 30 million small businesses exist in the U.S., employing almost half the private workforce.(3) Cyberattacks are an even greater danger to small and medium businesses because according to the FBI, 60 percent of businesses that experience a ransomware breach fail soon thereafter.
The Vistage CEO organization, with more than 24,000 members, joined Cisco and National Center for the Middle Market to survey small businesses. They found that 62 percent of the 1,377 respondents did not have an active cybersecurity strategy, and “that’s a major problem, given that the cost of a cyberattack can be high enough to put a company out of business; according to the National Cyber Security Alliance 60 percent of small and midsized businesses that are hacked go out of business within six months.”(4)
Smaller businesses can’t adequately prepare for cybercrime, much less cyber warfare. With only about 3,000 certified CISOs in the U.S., few of the 30 million organizations have a CISO. While they realize the threat, they don’t know where to get the education they need to take appropriate measures within their available budget.
Myths and Fallacies
Many companies rely on information that is half true at best, or totally inaccurate at worst. We have to retrain them to face today’s realities.
Even large companies like Equifax have problems keeping up with updates.(5) Even more importantly, they need to realize that of all the millions of breaches that have occurred at businesses, every one had one thing in common: the business had a firewall. Firewalls don’t stop breaches.
2. “Software and hardware from trusted vendors is secure when delivered.”
Vendors acquire systems and components from the lowest-cost source with adequate quality. They don’t consider it cost-effective to evaluate every item before shipping. Furthermore, in most cases they would not know how to identify malware already hidden in the ROM by the manufacturer.
3. “An intrusion protection system or DNS tool will spot the bad guys and keep the network safe.”
A typical company’s block list may hold 50,000 entries, and some approach one million identified IPs. In reality, there are over five billion IP addresses in existence, so this only begins to scratch the surface.
4. “The right number of people with the right talent will keep the network safe.”
According to Gartner’s Cybersecurity Report, there is a severe shortage of talent in the global security workforce. By 2022, the global cybersecurity workforce shortage has been projected to reach upwards of 1.8 million unfilled positions. The depth and breadth of the problem companies face can’t wait for that gap to be filled.
Elements of a New Paradigm
To replace the current, unrealistically positive view of cyber resilience with a new, realistic paradigm means starting from a very different perspective. Here are the key components of such a paradigm that CISOs and other IT professionals must adopt if they are to have a fighting chance of protecting their company’s valuable data:
About the authors: Jack B. Blount is president and CEO of Intrusion, Inc. and Bob Barker is founder and CEO of The Partnering Network. Intrusion is a cybersecurity innovator that has reframed the problem of failed network security to successfully address the depth and breadth of cyberattacks experienced every three seconds in the United States alone. Learn more by visiting intrusion.com.