Careers & People
2/16/2016
10:30 AM
Jason Polancich
Jason Polancich
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

A Not-So-Secret Secret About Cybercrime

Cybersecurity is an issue business leaders fret a lot about in public, but they rarely treat the problem as a real and immediate threat.

The last quarter of 2015 was a busy and interesting time to be a cybersecurity threat intelligence solutions provider. During the last part of the year, I witnessed some upticks in activity I have not seen much of over the last few years.

For instance, for the first time, I saw more than a few customers in unexpected industry sectors adding budget items to their security spending to include new approaches like cyber threat intelligence. I also saw customers looking for real ways to bring an understanding and ownership of cyber threat and risk management closer to the business side of their operations.

I even met a few customers wanting to learn how to start analyzing their risks and their matching cyber threats just as they would, say, their HR, logistics, or sales. Let’s just say it was a pleasant surprise.

Overwhelmingly, though, the least surprising aspect of last year was the continuation of what has perennially remained the same: for most of corporate America, cybercrime is not a threat. At least, it isn’t being treated like one. Let me clarify.

Tone deaf senior management

For most of the senior leadership and executive management of corporate America, cybercrime is not treated as a real and immediate business threat. I’m convinced from nearly two-and-a-half decades of working in and around cybersecurity, this is indeed a true statement about today’s world. What’s worse, this pervasive attitude is a big part of what’s keeping us from making quicker, sweeping strides in becoming safer from cyber mayhem.

Here are a few shockingly real examples from the last year:

  • A major Northeast credit union began appearing in our data collection and analysis streams as potentially having an exploited ATM card reader with card numbers and full customer data sets being actively traded on the Dark Web. Despite hard evidence of an active breach that could lead to litigation, company leadership directed concerned, albeit lower-level, security and risk professionals to ignore the issue and immediately discontinue any further monitoring. “That’s up to the customers to take care of,” they told them.               
  • A large energy and power company contacted me after being attacked by a hacktivist group. Worried about customer litigation and reputation damage, their security professionals were urgently exploring ways to keep track of related hacktivist-targeting. Despite understanding the value of recommended threat intel from security leaders, senior executives said no company monies should be expended on “hit or miss” hackers who will get bored and move on [because] “the threat will pass.”
  • Security professionals from a financial subsidiary of a major oil company wanted to explore how they could find active threats to their financial customers. Security team members were shocked by the sheer volume of actionable cyber threats to their company and customers -- everything from hacked accounts and data being sold to highly-vulnerable software in customer-facing systems. After recommending a threat intelligence approach, leaders shut it down. The reason: “Those are non-factor” vulnerabilities.

Now that sounds ridiculous.

In reality, though, it’s the status quo for most corporate leaders and strategists. I’ve personally experienced it with alarming regularity, month in and month out.

Despite undeniable evidence that every business is beset on all sides by cybercrime virtually every hour of every day, it seems that the cyber threat isn’t regarded as a real business risk in the same way, for instance, as weather might be for a shipping company, spoilage might be for a produce company, or malpractice might be for a healthcare company.

As illogical as this seems, most corporations only pay lip service to cybersecurity. They view it as a secondary or tertiary concern that’s more of a technical box to check than a business driver. Practicing cybersecurity is the kind of thing you have to openly support and admit to being worried about in public. But privately, many business leaders fail to adequately prioritize it until push comes to shove. Review the details of the dozens of big breaches over the last few years and you’ll see it’s no accident each business appeared much less prepared than they should’ve been. In truth, each result was more an active policy of unpreparedness than any sort of coincidence.

Conventional business wisdom - and traditional training - says management should really only address (i.e. spend and strategize) cyber threats (or any threat, really) when those threats are on your proverbial front doorstep, having burst into flames.  

A generational shift

Why is this phenomena happening? In my opinion, the answer to this question lies partly in the answer to a totally unrelated question: Why doesn’t my father have a smartphone? (Hint: he wouldn’t know what to do with it anyway if I bought him one.)

Corporate America is in the beginning phases of a business management generational shift, the impact of which is illustrated nowhere more clearly than in how companies are (or are not) keeping up with the quickening pace of technology and its unwanted by-products like cybercrime.

Many of these companies are led by the generation that came from an un-wired world, a generation of business leaders who navigated the bulk of their careers without the steeping influence of technology. This is the not-so-secret secret of cybercrime, and it is why companies don’t prioritize the risks represented by cybercrime and cyber insecurity. It’s because technology has advanced so rapidly and we’ve connected everything in our world so quickly that the knowledge gap across the last couple of generations is wider than it has ever been -- and it’s getting wider each year.

This gap has led to the single biggest cybersecurity challenge we face - a lack of understanding of “just what the hell is going on with all this technology and cyber stuff.” It’s something my dad (and my customers) tell me almost every week. 

More On This Topic

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jason Polancich is founder and chief architect of SurfWatch Labs http://www.surfwatchlabs.com, a cyber risk intelligence firm. He has more than 20 years of experience as an intelligence analyst, software engineer, systems architect, and corporate executive. Jason is also ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: You should see what I wear on my work from home days!
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.