As a cybersecurity professional, I relate to those old movie scenes where a character is starting to lose it, someone delivers a firm face slap, and the first character pulls it together, saying, "Thanks, I needed that."
Corporate and government leaders around the world got a stinging wake-up slap from cyber adversaries in 2020, a year that set records for data breaches, compromised records, and ransomware attacks. The pandemic-accelerated digital transformation (including the swift switch to remote work and cloud-based databases) created the broadest security vulnerabilities in history, and attackers were ready.
The year culminated with the Sunburst cybersecurity hack, in which intruders sponsored by a hostile regime penetrated US government and corporate networks for reasons and with consequences yet unknown.
How will the world's cybersecurity experts respond to the annus horribilis of 2020? Like the slapped movie character, cybersecurity experts must pull it together and stop being distracted by trendy cybersecurity solutions that address only the best-publicized vulnerabilities. Celebrity vulnerabilities get all the attention and create distractions while the company's technical foundation crumbles.
Celebrity Cybercrimes Draw Glittering Solutions
The worse cybercrime gets, and the more publicity certain vulnerabilities attract, the more money companies budget to combat well-publicized threats. Predictions for cybersecurity spending in 2021 vary wildly — I found estimates ranging from $60 billion to $180 billion among credible analysts — but it is universally acknowledged that cybersecurity is among the fastest-growing parts of the IT industry, with a CAGR modestly estimated at 10% or more.
All this financial opportunity attracts the brightest, most innovative minds. One glittering solution after another enters the arena, aimed at famous vulnerabilities, complete with celebrity-worthy PR stylists and evangelists. Stakeholders are putting growing pressure on chief information security officers (CISOs) and chief information officers (CIOs) to invest in these bright and shiny objects instead of less sexy security fundamentals.
I've spent more than two decades doing post-mortems for companies penetrated by cyberattacks. The vast majority of hacks, intrusions, and cybersecurity failures were caused either by bumbling insiders clicking on phishing emails or by plain-vanilla mistakes that could have been avoided by basic cybersecurity best practices and hygiene.
The most important cybersecurity investment for CISOs, CIOs, and chief financial officers (CFOs) isn't some glamorous new cybersecurity solution for a high-profile problem; it's the time and resources to do fundamental blocking and tackling. Organizations must go back to basics to assure their cybersecurity foundations are rock solid, even against no-name threats. Incidentally, cybersecurity solidity works great against celebrity threats, too.
Celebrity cybersecurity challenges get the lion's share of attention because their names appear in the cybersecurity and even mainstream media, and everyone rushes to defend against them because that's where the money is. Meanwhile, yawning holes in cybersecurity sit for years without getting fixed because 1) they aren't (in)famous, and 2) they're not a fast and easy fix, if we're honest.
One example: Conficker, a vulnerability in Windows 2000 and Windows XP from 2008 that's old, boring, and still doing a lot of damage. No shiny new solutions are hitting the runway promising to protect networks from Conficker (stifle that yawn!). It continues to spread among, for example, hundreds of thousands of older medical machines still running outdated Windows versions and whose hospital and clinic owners never applied the Microsoft patches, likely because of resource and time constraints. Hospitals are among the most popular ransomware targets. Coincidence? Probably not.
But the Front Door Lock Is Still Broken
Imagine your front door lock is broken. You don't fix it because you know it will take time and money, and frankly, the work is boring. So, you put spiked bars on the windows and advanced laser security on all rear entrances. Your front door is even impenetrable reinforced steel. Very impressive, but your front door lock is still broken. Anyone can easily bypass your flashier security measures to get inside.
That's the situation for most businesses in the real world today. Fundamental cybersecurity problems are not addressed for many reasons. There may be legacy elements to a system for which no patch exists. Fixing it may be slow, costly, and require specialized expertise. A business may be unable to afford the downtime required to replace an entire operational system.
So, vendors develop the cybersecurity equivalents of window bars and laser beams when the front door lock is still broken. When I talk to CISOs and CIOs about cybersecurity, I implore them to forget about the in-vogue threats and the shiny solutions and instead do the "boring" detailed work: Run regular deep scans and find, fix, or protect those fundamental network vulnerabilities to the greatest extent possible.
Taking the time to seek and harden fundamental vulnerabilities can move the security needle more than addressing threats that get celebrity press. Admittedly it's low-glamor work, but essential for the best results. After the face-slap of 2020, it's time to get back to reality.