Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

2/16/2016
10:30 AM
Jason Polancich
Jason Polancich
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

A Not-So-Secret Secret About Cybercrime

Cybersecurity is an issue business leaders fret a lot about in public, but they rarely treat the problem as a real and immediate threat.

The last quarter of 2015 was a busy and interesting time to be a cybersecurity threat intelligence solutions provider. During the last part of the year, I witnessed some upticks in activity I have not seen much of over the last few years.

For instance, for the first time, I saw more than a few customers in unexpected industry sectors adding budget items to their security spending to include new approaches like cyber threat intelligence. I also saw customers looking for real ways to bring an understanding and ownership of cyber threat and risk management closer to the business side of their operations.

I even met a few customers wanting to learn how to start analyzing their risks and their matching cyber threats just as they would, say, their HR, logistics, or sales. Let’s just say it was a pleasant surprise.

Overwhelmingly, though, the least surprising aspect of last year was the continuation of what has perennially remained the same: for most of corporate America, cybercrime is not a threat. At least, it isn’t being treated like one. Let me clarify.

Tone deaf senior management

For most of the senior leadership and executive management of corporate America, cybercrime is not treated as a real and immediate business threat. I’m convinced from nearly two-and-a-half decades of working in and around cybersecurity, this is indeed a true statement about today’s world. What’s worse, this pervasive attitude is a big part of what’s keeping us from making quicker, sweeping strides in becoming safer from cyber mayhem.

Here are a few shockingly real examples from the last year:

  • A major Northeast credit union began appearing in our data collection and analysis streams as potentially having an exploited ATM card reader with card numbers and full customer data sets being actively traded on the Dark Web. Despite hard evidence of an active breach that could lead to litigation, company leadership directed concerned, albeit lower-level, security and risk professionals to ignore the issue and immediately discontinue any further monitoring. “That’s up to the customers to take care of,” they told them.               
  • A large energy and power company contacted me after being attacked by a hacktivist group. Worried about customer litigation and reputation damage, their security professionals were urgently exploring ways to keep track of related hacktivist-targeting. Despite understanding the value of recommended threat intel from security leaders, senior executives said no company monies should be expended on “hit or miss” hackers who will get bored and move on [because] “the threat will pass.”
  • Security professionals from a financial subsidiary of a major oil company wanted to explore how they could find active threats to their financial customers. Security team members were shocked by the sheer volume of actionable cyber threats to their company and customers -- everything from hacked accounts and data being sold to highly-vulnerable software in customer-facing systems. After recommending a threat intelligence approach, leaders shut it down. The reason: “Those are non-factor” vulnerabilities.

Now that sounds ridiculous.

In reality, though, it’s the status quo for most corporate leaders and strategists. I’ve personally experienced it with alarming regularity, month in and month out.

Despite undeniable evidence that every business is beset on all sides by cybercrime virtually every hour of every day, it seems that the cyber threat isn’t regarded as a real business risk in the same way, for instance, as weather might be for a shipping company, spoilage might be for a produce company, or malpractice might be for a healthcare company.

As illogical as this seems, most corporations only pay lip service to cybersecurity. They view it as a secondary or tertiary concern that’s more of a technical box to check than a business driver. Practicing cybersecurity is the kind of thing you have to openly support and admit to being worried about in public. But privately, many business leaders fail to adequately prioritize it until push comes to shove. Review the details of the dozens of big breaches over the last few years and you’ll see it’s no accident each business appeared much less prepared than they should’ve been. In truth, each result was more an active policy of unpreparedness than any sort of coincidence.

Conventional business wisdom - and traditional training - says management should really only address (i.e. spend and strategize) cyber threats (or any threat, really) when those threats are on your proverbial front doorstep, having burst into flames.  

A generational shift

Why is this phenomena happening? In my opinion, the answer to this question lies partly in the answer to a totally unrelated question: Why doesn’t my father have a smartphone? (Hint: he wouldn’t know what to do with it anyway if I bought him one.)

Corporate America is in the beginning phases of a business management generational shift, the impact of which is illustrated nowhere more clearly than in how companies are (or are not) keeping up with the quickening pace of technology and its unwanted by-products like cybercrime.

Many of these companies are led by the generation that came from an un-wired world, a generation of business leaders who navigated the bulk of their careers without the steeping influence of technology. This is the not-so-secret secret of cybercrime, and it is why companies don’t prioritize the risks represented by cybercrime and cyber insecurity. It’s because technology has advanced so rapidly and we’ve connected everything in our world so quickly that the knowledge gap across the last couple of generations is wider than it has ever been -- and it’s getting wider each year.

This gap has led to the single biggest cybersecurity challenge we face - a lack of understanding of “just what the hell is going on with all this technology and cyber stuff.” It’s something my dad (and my customers) tell me almost every week. 

More On This Topic

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jason Polancich is co-founder, app designer and digital marketing lead for Musubu.io. Polancich is also a linguist, software engineer, data scientist, and intelligence analyst. He originally founded HackSurfer/SurfWatch Labs (Pre-VC), a cyber analytics firm founded in 2013 ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17274
PUBLISHED: 2020-02-26
NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller (BMC) firmware versions 13.x prior to 13.1P1 were shipped with a default account enabled that could allow unauthorized arbitrary command execution via local access.
CVE-2019-17275
PUBLISHED: 2020-02-26
OnCommand Cloud Manager versions prior to 3.8.0 are susceptible to arbitrary code execution by remote attackers.
CVE-2020-3169
PUBLISHED: 2020-02-26
A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with a privilege level of root on an affected device. The vulnerability is due to insufficient validation of arguments passed to a spe...
CVE-2020-3170
PUBLISHED: 2020-02-26
A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an NX-API system process to unexpectedly restart. The vulnerability is due to incorrect validation of the HTTP header of a request that is sent to the NX-API. An attacker could expl...
CVE-2020-3171
PUBLISHED: 2020-02-26
A vulnerability in the local management (local-mgmt) CLI of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device. The vulnerability is due to insufficient input vali...