Dark Reading is part of the Informa Tech Division of Informa PLC

02:00 PM
Marc Wilczek

By the Numbers: Parsing the Cybersecurity Challenge

Why your CEO should rethink company security priorities in the drive for digital business growth.

Digitization is progressing rapidly. From 2013 to 2020, EMC expects the digital universe to grow tenfold — from 4.4 trillion to 44 trillion gigabytes. In fact, the universe more than doubles in size every two years. Along with that growth, however, the world becomes exposed to cyber attacks on an unprecedented scale. The tumult around the 2016 US election is just the tip of the iceberg, with a far bigger and growing issue beneath the surface.

Everyone is a potential target
Few are aware that literally every company and individual is a potential target. One in 10 people is now a victim of fraud or online offenses, a study in the UK concluded, as highlighted in The Telegraph. While these numbers appear shockingly high, it’s important to keep in mind that the overwhelming majority of these crimes are believed to remain unreported by the victims for a number of reasons, such as fear, a lack of awareness, or embarrassment.

According to Radware’s 2016-17 Global Application & Network Security report, 98% of organizations experienced cyber attacks in 2016. The perception that criminals only go after large enterprises and the public sector is completely wrong. As much as 31% of these attacks are directed at small and mid-sized companies with fewer than 250 employees. This trend is going to continue in 2017.

Cybercrime is an industry that is evolving exponentially
As reported by Bloomberg, cyber insurance premiums to protect against financial damages resulting from hacking could become a blockbuster product, rising from about $3.4 billion today to between $8.5 billion and $10 billion by 2020.

Cisco expects that cybercrime damages could cost up to $6 trillion annually by 2021, up from $3 trillion in 2015. However, these costs are sometimes hard to quantify and vary widely, depending on a number of factors, such as size of the organization, type and extent of the attack, publicity, industry, geography and so on. Most security experts (54%) estimate the impact of each attack at less than $100,000, but as much as 12% estimate the cost of an attack to be $1 million or above, according to Radware’s research.

Shortage of talent, missing attention in the boardroom
When asked about their primary obstacle to countering cyber attacks, more than one-quarter (27%) of respondents cited a lack of manpower, according to the Radware report. With 1 million vacancies in 2016, there is a severe workforce gap in cybersecurity, and it is getting worse as the digital universe expands. Cybersecurity Ventures estimates the talent shortage will reach 1.5 million vacancies by 2019, which makes the skills rare and drives up wages.

In a 2015 study by PWC, 21% of CEOs asked globally were "extremely concerned" about cyber threats, and nearly 42% were "somewhat concerned." Frankly, these numbers appear surprisingly low, compared to the potential damages and given the workforce gap enterprises have to cope with.

So what's ahead?
Overall, the cybersecurity community seems more pessimistic about what to expect throughout 2017. Cyber attacks will become more sophisticated and catch many by surprise. According to the Radware report, the range is likely to include: a rise of Telephony Denial of Service (TDoS) and Permanent Denial of Service (PDoS) against datacenter and IoT operations; compromised surveillance systems available for rent, enabling intruders to watch through third-party cameras; more targeted and segmented ransom attacks; and hijacked personal avatars and personal information for sale or auction (including medical or criminal records, lawsuit information, etc.) as the Darknet goes mainstream.

CEOs should critically review their corporate priorities, as the threat of cybercrime seems to be widely underestimated. Preparing their organizations for the future requires concrete action. This includes technology investments (solid threat prevention and detection capabilities, robust incident response plans, etc.) and, more importantly, adequate resources. Since security experts are scarce, requalification programs and formal training of the existing IT workforce play a critical role in helping to close the gap.

While this might sound fairly intimidating, it would be negligent to trivialize the threat. With the expansion of the digital world, shiploads of data being processed, and the emergence of smart cities, societies will become increasingly dependent upon the availability and resilience of IT systems that affect our everyday lives. More than ever, it’s crucial to properly safeguard IT infrastructure as well as data whenever it's being transmitted (in motion), processed (in use), or stored (at rest).

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...

User Rank: Apprentice
6/16/2017 | 2:04:39 PM
Re: Privileged Account Security - Biggest Dirty Secret in Cybersecurity
There are tools to mitigate this, and an ever-growing number of companies is using them.
My job is to make sure they use ours to the best of their abilities
User Rank: Apprentice
6/15/2017 | 9:51:31 PM
Re: Privileged Account Security - Biggest Dirty Secret in Cybersecurity
You raise good points. I hope the authors will explore this as a topic more in depth. 
User Rank: Strategist
6/14/2017 | 10:44:58 PM
Privileged Account Security - Biggest Dirty Secret in Cybersecurity
Privileged Account Security – The Giant Dirty Secret in most organizations' cybersecurity.  Why isn't it being addressed?  Lack of Courage.

The overwhelming majority of companies and government organizations are avoiding the most critical cyber-security practice of all. Dealing with privileged account security. It's the biggest dirty secret in cybersecurity. Which is extremely unfortunate because virtually every hack on record was accomplished by someone gaining access to a privileged account then moving through the system. This usually occurs due to a successful phishing expedition. (Of which 22% are successful. Keep in mind only one is needed).

Of the small fraction of companies that even deal with this area, only 1% of them actually use the products they purchase properly. Said differently – even if a CISO is buying the right things, they are not using most of what they paid for. And in most cases they either have no plan to actually use critical features like Password Management, Session Management and Access Monitoring, or are moving so slowly it will take decades to finish. Often this is meant to purposefully deceive the C-Suite and above. This puts everyone at risk.

Here is how bad things are. CMU CERT is the premier authority on cyber-security best practices. Especially for DoD. I found out that CMU CERT has no solution for themselves in this area. They actually defer to CMU IT for their own security and they have no solution in this area. Shouldn't the organization responsible for telling others what best practice is use best practices for its own security?

Why is this happening? These products inadvertently expose several huge best practice gaps. Examples include having 4X more accounts than people, non-encrypted password files or spreadsheets, emails with passwords and software programs with passwords hard coded in them and many not knowing where they all are. And having local admin permissions available on laptops and end points and not knowing where they all are either.

Why don't these folks address this? Because it means pushing the culture to change bad habits and admitting to their executives and boards that they even existed in the first place. Governing bodies and regulators mean well, but they don't help much. This is because the relevant regulations, SOC, HiTrust etc., are too trusting and don't specify enough detail. This gives organizations far too much room to wiggle. This all results in most companies and organizations not utilizing best practices or readily available off-the-shelf products that can significantly reduce the threat.

This is not a technical issue. It's one of Courage. Courage to admit the root causes exist, to deal with the culture and lead them to fix them. To not sacrifice customers to protect egos, or let the bean counters justify that it's cheaper to harm customers than the bottom line.