Careers & People

2/16/2016
10:30 AM
Jason Polancich
Jason Polancich
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

A Not-So-Secret Secret About Cybercrime

Cybersecurity is an issue business leaders fret a lot about in public, but they rarely treat the problem as a real and immediate threat.

The last quarter of 2015 was a busy and interesting time to be a cybersecurity threat intelligence solutions provider. During the last part of the year, I witnessed some upticks in activity I have not seen much of over the last few years.

For instance, for the first time, I saw more than a few customers in unexpected industry sectors adding budget items to their security spending to include new approaches like cyber threat intelligence. I also saw customers looking for real ways to bring an understanding and ownership of cyber threat and risk management closer to the business side of their operations.

I even met a few customers wanting to learn how to start analyzing their risks and their matching cyber threats just as they would, say, their HR, logistics, or sales. Let’s just say it was a pleasant surprise.

Overwhelmingly, though, the least surprising aspect of last year was the continuation of what has perennially remained the same: for most of corporate America, cybercrime is not a threat. At least, it isn’t being treated like one. Let me clarify.

Tone deaf senior management

For most of the senior leadership and executive management of corporate America, cybercrime is not treated as a real and immediate business threat. I’m convinced from nearly two-and-a-half decades of working in and around cybersecurity, this is indeed a true statement about today’s world. What’s worse, this pervasive attitude is a big part of what’s keeping us from making quicker, sweeping strides in becoming safer from cyber mayhem.

Here are a few shockingly real examples from the last year:

  • A major Northeast credit union began appearing in our data collection and analysis streams as potentially having an exploited ATM card reader with card numbers and full customer data sets being actively traded on the Dark Web. Despite hard evidence of an active breach that could lead to litigation, company leadership directed concerned, albeit lower-level, security and risk professionals to ignore the issue and immediately discontinue any further monitoring. “That’s up to the customers to take care of,” they told them.               
  • A large energy and power company contacted me after being attacked by a hacktivist group. Worried about customer litigation and reputation damage, their security professionals were urgently exploring ways to keep track of related hacktivist-targeting. Despite understanding the value of recommended threat intel from security leaders, senior executives said no company monies should be expended on “hit or miss” hackers who will get bored and move on [because] “the threat will pass.”
  • Security professionals from a financial subsidiary of a major oil company wanted to explore how they could find active threats to their financial customers. Security team members were shocked by the sheer volume of actionable cyber threats to their company and customers -- everything from hacked accounts and data being sold to highly-vulnerable software in customer-facing systems. After recommending a threat intelligence approach, leaders shut it down. The reason: “Those are non-factor” vulnerabilities.

Now that sounds ridiculous.

In reality, though, it’s the status quo for most corporate leaders and strategists. I’ve personally experienced it with alarming regularity, month in and month out.

Despite undeniable evidence that every business is beset on all sides by cybercrime virtually every hour of every day, it seems that the cyber threat isn’t regarded as a real business risk in the same way, for instance, as weather might be for a shipping company, spoilage might be for a produce company, or malpractice might be for a healthcare company.

As illogical as this seems, most corporations only pay lip service to cybersecurity. They view it as a secondary or tertiary concern that’s more of a technical box to check than a business driver. Practicing cybersecurity is the kind of thing you have to openly support and admit to being worried about in public. But privately, many business leaders fail to adequately prioritize it until push comes to shove. Review the details of the dozens of big breaches over the last few years and you’ll see it’s no accident each business appeared much less prepared than they should’ve been. In truth, each result was more an active policy of unpreparedness than any sort of coincidence.

Conventional business wisdom - and traditional training - says management should really only address (i.e. spend and strategize) cyber threats (or any threat, really) when those threats are on your proverbial front doorstep, having burst into flames.  

A generational shift

Why is this phenomena happening? In my opinion, the answer to this question lies partly in the answer to a totally unrelated question: Why doesn’t my father have a smartphone? (Hint: he wouldn’t know what to do with it anyway if I bought him one.)

Corporate America is in the beginning phases of a business management generational shift, the impact of which is illustrated nowhere more clearly than in how companies are (or are not) keeping up with the quickening pace of technology and its unwanted by-products like cybercrime.

Many of these companies are led by the generation that came from an un-wired world, a generation of business leaders who navigated the bulk of their careers without the steeping influence of technology. This is the not-so-secret secret of cybercrime, and it is why companies don’t prioritize the risks represented by cybercrime and cyber insecurity. It’s because technology has advanced so rapidly and we’ve connected everything in our world so quickly that the knowledge gap across the last couple of generations is wider than it has ever been -- and it’s getting wider each year.

This gap has led to the single biggest cybersecurity challenge we face - a lack of understanding of “just what the hell is going on with all this technology and cyber stuff.” It’s something my dad (and my customers) tell me almost every week. 

More On This Topic

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jason Polancich is founder and chief architect of SurfWatch Labs http://www.surfwatchlabs.com, a cyber risk intelligence firm. He has more than 20 years of experience as an intelligence analyst, software engineer, systems architect, and corporate executive. Jason is also ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Email, Social Media Still Security Nightmares
Dark Reading Staff 6/15/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Surviving the IT Security Skills Shortage
Surviving the IT Security Skills Shortage
Cybersecurity professionals are in high demand -- and short supply. Find out what Dark Reading discovered during their 2017 Security Staffing Survey and get some strategies for getting through the drought. Download the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12526
PUBLISHED: 2018-06-21
Telesquare SDT-CS3B1 and SDT-CW3B1 devices through 1.2.0 have a default factory account. Remote attackers can obtain access to the device via TELNET using a hardcoded account.
CVE-2018-1253
PUBLISHED: 2018-06-21
RSA Authentication Manager Operation Console, versions 8.3 P1 and earlier, contains a stored cross-site scripting vulnerability. A malicious Operations Console administrator could potentially exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface. When other ...
CVE-2018-1254
PUBLISHED: 2018-06-21
RSA Authentication Manager Security Console, versions 8.3 P1 and earlier, contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim Security Console administrator to supply malicious HTML or JavaScript...
CVE-2018-12615
PUBLISHED: 2018-06-21
An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.
CVE-2016-10723
PUBLISHED: 2018-06-21
** DISPUTED ** An issue was discovered in the Linux kernel through 4.17.2. Since the page allocator does not yield CPU resources to the owner of the oom_lock mutex, a local unprivileged user can trivially lock up the system forever by wasting CPU resources from the page allocator (e.g., via concurre...