Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

2/16/2016
10:30 AM
Jason Polancich
Jason Polancich
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

A Not-So-Secret Secret About Cybercrime

Cybersecurity is an issue business leaders fret a lot about in public, but they rarely treat the problem as a real and immediate threat.

The last quarter of 2015 was a busy and interesting time to be a cybersecurity threat intelligence solutions provider. During the last part of the year, I witnessed some upticks in activity I have not seen much of over the last few years.

For instance, for the first time, I saw more than a few customers in unexpected industry sectors adding budget items to their security spending to include new approaches like cyber threat intelligence. I also saw customers looking for real ways to bring an understanding and ownership of cyber threat and risk management closer to the business side of their operations.

I even met a few customers wanting to learn how to start analyzing their risks and their matching cyber threats just as they would, say, their HR, logistics, or sales. Let’s just say it was a pleasant surprise.

Overwhelmingly, though, the least surprising aspect of last year was the continuation of what has perennially remained the same: for most of corporate America, cybercrime is not a threat. At least, it isn’t being treated like one. Let me clarify.

Tone deaf senior management

For most of the senior leadership and executive management of corporate America, cybercrime is not treated as a real and immediate business threat. I’m convinced from nearly two-and-a-half decades of working in and around cybersecurity, this is indeed a true statement about today’s world. What’s worse, this pervasive attitude is a big part of what’s keeping us from making quicker, sweeping strides in becoming safer from cyber mayhem.

Here are a few shockingly real examples from the last year:

  • A major Northeast credit union began appearing in our data collection and analysis streams as potentially having an exploited ATM card reader with card numbers and full customer data sets being actively traded on the Dark Web. Despite hard evidence of an active breach that could lead to litigation, company leadership directed concerned, albeit lower-level, security and risk professionals to ignore the issue and immediately discontinue any further monitoring. “That’s up to the customers to take care of,” they told them.               
  • A large energy and power company contacted me after being attacked by a hacktivist group. Worried about customer litigation and reputation damage, their security professionals were urgently exploring ways to keep track of related hacktivist-targeting. Despite understanding the value of recommended threat intel from security leaders, senior executives said no company monies should be expended on “hit or miss” hackers who will get bored and move on [because] “the threat will pass.”
  • Security professionals from a financial subsidiary of a major oil company wanted to explore how they could find active threats to their financial customers. Security team members were shocked by the sheer volume of actionable cyber threats to their company and customers -- everything from hacked accounts and data being sold to highly-vulnerable software in customer-facing systems. After recommending a threat intelligence approach, leaders shut it down. The reason: “Those are non-factor” vulnerabilities.

Now that sounds ridiculous.

In reality, though, it’s the status quo for most corporate leaders and strategists. I’ve personally experienced it with alarming regularity, month in and month out.

Despite undeniable evidence that every business is beset on all sides by cybercrime virtually every hour of every day, it seems that the cyber threat isn’t regarded as a real business risk in the same way, for instance, as weather might be for a shipping company, spoilage might be for a produce company, or malpractice might be for a healthcare company.

As illogical as this seems, most corporations only pay lip service to cybersecurity. They view it as a secondary or tertiary concern that’s more of a technical box to check than a business driver. Practicing cybersecurity is the kind of thing you have to openly support and admit to being worried about in public. But privately, many business leaders fail to adequately prioritize it until push comes to shove. Review the details of the dozens of big breaches over the last few years and you’ll see it’s no accident each business appeared much less prepared than they should’ve been. In truth, each result was more an active policy of unpreparedness than any sort of coincidence.

Conventional business wisdom - and traditional training - says management should really only address (i.e. spend and strategize) cyber threats (or any threat, really) when those threats are on your proverbial front doorstep, having burst into flames.  

A generational shift

Why is this phenomena happening? In my opinion, the answer to this question lies partly in the answer to a totally unrelated question: Why doesn’t my father have a smartphone? (Hint: he wouldn’t know what to do with it anyway if I bought him one.)

Corporate America is in the beginning phases of a business management generational shift, the impact of which is illustrated nowhere more clearly than in how companies are (or are not) keeping up with the quickening pace of technology and its unwanted by-products like cybercrime.

Many of these companies are led by the generation that came from an un-wired world, a generation of business leaders who navigated the bulk of their careers without the steeping influence of technology. This is the not-so-secret secret of cybercrime, and it is why companies don’t prioritize the risks represented by cybercrime and cyber insecurity. It’s because technology has advanced so rapidly and we’ve connected everything in our world so quickly that the knowledge gap across the last couple of generations is wider than it has ever been -- and it’s getting wider each year.

This gap has led to the single biggest cybersecurity challenge we face - a lack of understanding of “just what the hell is going on with all this technology and cyber stuff.” It’s something my dad (and my customers) tell me almost every week. 

More On This Topic

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jason Polancich is co-founder, app designer and digital marketing lead for Musubu.io. Polancich is also a linguist, software engineer, data scientist, and intelligence analyst. He originally founded HackSurfer/SurfWatch Labs (Pre-VC), a cyber analytics firm founded in 2013 ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15113
PUBLISHED: 2019-08-16
The companion-sitemap-generator plugin before 3.7.0 for WordPress has CSRF.
CVE-2019-15114
PUBLISHED: 2019-08-16
The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF.
CVE-2019-15115
PUBLISHED: 2019-08-16
The peters-login-redirect plugin before 2.9.2 for WordPress has CSRF.
CVE-2019-15116
PUBLISHED: 2019-08-16
The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging.
CVE-2017-18547
PUBLISHED: 2019-08-16
The nelio-ab-testing plugin before 4.6.4 for WordPress has CSRF in experiment forms.