Careers & People
2/16/2016
10:30 AM
Jason Polancich
Jason Polancich
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

A Not-So-Secret Secret About Cybercrime

Cybersecurity is an issue business leaders fret a lot about in public, but they rarely treat the problem as a real and immediate threat.

The last quarter of 2015 was a busy and interesting time to be a cybersecurity threat intelligence solutions provider. During the last part of the year, I witnessed some upticks in activity I have not seen much of over the last few years.

For instance, for the first time, I saw more than a few customers in unexpected industry sectors adding budget items to their security spending to include new approaches like cyber threat intelligence. I also saw customers looking for real ways to bring an understanding and ownership of cyber threat and risk management closer to the business side of their operations.

I even met a few customers wanting to learn how to start analyzing their risks and their matching cyber threats just as they would, say, their HR, logistics, or sales. Let’s just say it was a pleasant surprise.

Overwhelmingly, though, the least surprising aspect of last year was the continuation of what has perennially remained the same: for most of corporate America, cybercrime is not a threat. At least, it isn’t being treated like one. Let me clarify.

Tone deaf senior management

For most of the senior leadership and executive management of corporate America, cybercrime is not treated as a real and immediate business threat. I’m convinced from nearly two-and-a-half decades of working in and around cybersecurity, this is indeed a true statement about today’s world. What’s worse, this pervasive attitude is a big part of what’s keeping us from making quicker, sweeping strides in becoming safer from cyber mayhem.

Here are a few shockingly real examples from the last year:

  • A major Northeast credit union began appearing in our data collection and analysis streams as potentially having an exploited ATM card reader with card numbers and full customer data sets being actively traded on the Dark Web. Despite hard evidence of an active breach that could lead to litigation, company leadership directed concerned, albeit lower-level, security and risk professionals to ignore the issue and immediately discontinue any further monitoring. “That’s up to the customers to take care of,” they told them.               
  • A large energy and power company contacted me after being attacked by a hacktivist group. Worried about customer litigation and reputation damage, their security professionals were urgently exploring ways to keep track of related hacktivist-targeting. Despite understanding the value of recommended threat intel from security leaders, senior executives said no company monies should be expended on “hit or miss” hackers who will get bored and move on [because] “the threat will pass.”
  • Security professionals from a financial subsidiary of a major oil company wanted to explore how they could find active threats to their financial customers. Security team members were shocked by the sheer volume of actionable cyber threats to their company and customers -- everything from hacked accounts and data being sold to highly-vulnerable software in customer-facing systems. After recommending a threat intelligence approach, leaders shut it down. The reason: “Those are non-factor” vulnerabilities.

Now that sounds ridiculous.

In reality, though, it’s the status quo for most corporate leaders and strategists. I’ve personally experienced it with alarming regularity, month in and month out.

Despite undeniable evidence that every business is beset on all sides by cybercrime virtually every hour of every day, it seems that the cyber threat isn’t regarded as a real business risk in the same way, for instance, as weather might be for a shipping company, spoilage might be for a produce company, or malpractice might be for a healthcare company.

As illogical as this seems, most corporations only pay lip service to cybersecurity. They view it as a secondary or tertiary concern that’s more of a technical box to check than a business driver. Practicing cybersecurity is the kind of thing you have to openly support and admit to being worried about in public. But privately, many business leaders fail to adequately prioritize it until push comes to shove. Review the details of the dozens of big breaches over the last few years and you’ll see it’s no accident each business appeared much less prepared than they should’ve been. In truth, each result was more an active policy of unpreparedness than any sort of coincidence.

Conventional business wisdom - and traditional training - says management should really only address (i.e. spend and strategize) cyber threats (or any threat, really) when those threats are on your proverbial front doorstep, having burst into flames.  

A generational shift

Why is this phenomena happening? In my opinion, the answer to this question lies partly in the answer to a totally unrelated question: Why doesn’t my father have a smartphone? (Hint: he wouldn’t know what to do with it anyway if I bought him one.)

Corporate America is in the beginning phases of a business management generational shift, the impact of which is illustrated nowhere more clearly than in how companies are (or are not) keeping up with the quickening pace of technology and its unwanted by-products like cybercrime.

Many of these companies are led by the generation that came from an un-wired world, a generation of business leaders who navigated the bulk of their careers without the steeping influence of technology. This is the not-so-secret secret of cybercrime, and it is why companies don’t prioritize the risks represented by cybercrime and cyber insecurity. It’s because technology has advanced so rapidly and we’ve connected everything in our world so quickly that the knowledge gap across the last couple of generations is wider than it has ever been -- and it’s getting wider each year.

This gap has led to the single biggest cybersecurity challenge we face - a lack of understanding of “just what the hell is going on with all this technology and cyber stuff.” It’s something my dad (and my customers) tell me almost every week. 

More On This Topic

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jason Polancich is founder and chief architect of SurfWatch Labs http://www.surfwatchlabs.com, a cyber risk intelligence firm. He has more than 20 years of experience as an intelligence analyst, software engineer, systems architect, and corporate executive. Jason is also ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.