
Marc Wilczek

By the Numbers: Parsing the Cybersecurity Challenge

Why your CEO should rethink company security priorities in the drive for digital business growth.

Digitization is progressing rapidly. From 2013 to 2020, EMC expects the digital universe to grow tenfold — from 4.4 trillion to 44 trillion gigabytes. In fact, the universe more than doubles in size every two years. Along with that growth, however, the world becomes exposed to cyber attacks on an unprecedented scale. The tumult around the 2016 US election is just the tip of the iceberg, with a far bigger and growing issue beneath the surface.

Everyone is a potential target
Few are aware that literally every company and individual is a potential target. One in 10 people is now a victim of fraud or online offenses, a UK study concluded, as highlighted in The Telegraph. While these numbers appear shockingly high, it's important to keep in mind that the overwhelming majority of these crimes are believed to go unreported by the victims for a number of reasons, such as fear, a lack of awareness, or embarrassment.

According to Radware’s 2016-17 Global Application & Network Security report, 98% of organizations experienced cyber attacks in 2016. The perception that criminals only go after large enterprises and the public sector is completely wrong. As much as 31% of these attacks are directed at small and mid-sized companies with fewer than 250 employees. This trend is going to continue in 2017.

Cybercrime is an industry that is evolving exponentially
As reported on Bloomberg, cyber insurance premiums to protect against financial damages resulting from hacking could become a blockbuster product and rise to between $8.5 billion and $10 billion by 2020 from about $3.4 billion currently.

Cisco expects that cybercrime damages could cost up to $6 trillion annually by 2021, up from $3 trillion in 2015. However, these costs are sometimes hard to quantify and vary widely, depending on a number of factors, such as size of the organization, type and extent of the attack, publicity, industry, geography and so on. Most security experts (54%) estimate the impact of each attack at less than $100,000, but as much as 12% estimate the cost of an attack to be $1 million or above, according to Radware’s research.


Shortage of talent, missing attention in the boardroom
When asked about their primary obstacle to countering cyber attacks, more than one-quarter (27%) of respondents cited a lack of manpower, as the Radware report concludes. With 1 million vacancies in 2016, there is a severe workforce gap in cybersecurity, and it is getting worse as the digital universe expands. Cybersecurity Ventures estimates the talent shortage will reach 1.5 million vacancies by 2019, which makes the skills rare and drives up wages.

In a 2015 study by PwC, 21% of CEOs surveyed globally were "extremely concerned" about cyber threats, and nearly 42% were "somewhat concerned." Frankly, these numbers appear surprisingly low compared to the potential damages, and given the workforce gap enterprises have to cope with.

So what's ahead?
Overall, the cybersecurity community seems more pessimistic about what to expect throughout 2017. Cyber attacks will become more sophisticated and catch many by surprise. According to the Radware report, the range is likely to include: a rise in Telephony Denial of Service (TDoS) and Permanent Denial of Service (PDoS) against datacenter and IoT operations; compromised surveillance systems available for rent, enabling intruders to watch through third-party cameras; more targeted and segmented ransom attacks; and hijacked personal avatars and personal information (including medical or criminal records, lawsuit information, etc.) for sale or auction as the Darknet goes mainstream.

CEOs should critically review their corporate priorities, as the threat of cybercrime seems to be widely underestimated. To prepare their organizations for the future, concrete action is required. This includes technology investments (solid threat prevention and detection capabilities, robust incident response plans, etc.) and, more importantly, adequate resources. Since security experts are scarce, requalification programs and formal training of the existing IT workforce play a critical role in helping to close the gap.

While this might sound fairly intimidating, it would be negligent to trivialize the threat. With the expansion of the digital world, shiploads of data being processed, and the emergence of smart cities, societies will become increasingly dependent upon the availability and resilience of IT systems that affect our everyday lives. More than ever, it's crucial to properly safeguard IT infrastructure as well as data whenever it is being transmitted (in motion), processed (in use), or stored (at rest).

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...

User Rank: Strategist
6/14/2017 | 10:44:58 PM
Privileged Account Security - Biggest Dirty Secret in Cybersecurity
Privileged Account Security – the giant dirty secret in most organizations' cybersecurity. Why isn't it being addressed? Lack of courage.

The overwhelming majority of companies and government organizations are avoiding the most critical cyber-security practice of all: dealing with privileged account security. It's the biggest dirty secret in cybersecurity, which is extremely unfortunate because virtually every hack on record was accomplished by someone gaining access to a privileged account and then moving through the system. This usually occurs due to a successful phishing expedition (of which 22% are successful; keep in mind only one is needed).

Of the small fraction of companies that even deal with this area, only 1% of them actually use the products they purchase properly. Said differently, even if a CISO is buying the right things, they are not using most of what they paid for. And in most cases they either have no plan to actually use critical features like Password Management, Session Management and Access Monitoring, or are moving so slowly it will take decades to finish. Often this is meant to purposefully deceive the C-suite and above. This puts everyone at risk.

Here is how bad things are. CMU CERT is the premier authority on cyber-security best practices, especially for DoD. I found out that CMU CERT has no solution for themselves in this area. They actually defer to CMU IT for their own security, and they have no solution in this area either. Shouldn't the organization responsible for telling others what best practice is use best practices for its own security?

Why is this happening? These products inadvertently expose several huge best-practice gaps. Examples include having 4X more accounts than people; non-encrypted password files or spreadsheets; emails with passwords and software programs with passwords hard-coded in them, with many not knowing where they all are; and having local admin permissions available on laptops and endpoints without knowing where they all are either.

Why don't these folks address this? Because it means pushing the culture to change bad habits and admitting to their executives and boards that the habits even existed in the first place. Governing bodies and regulators mean well, but they don't help much. This is because the relevant regulations (SOC, HITRUST, etc.) are too trusting and don't specify enough detail. This gives organizations far too much room to wiggle. All of this results in most companies and organizations not utilizing best practices or readily available off-the-shelf products that can significantly reduce the threat.

This is not a technical issue. It's one of courage: courage to admit the root causes exist, to deal with the culture and lead them to fix them, and to not sacrifice customers to protect egos or let the bean counters justify that it's cheaper to harm customers than the bottom line.
User Rank: Apprentice
6/15/2017 | 9:51:31 PM
Re: Privileged Account Security - Biggest Dirty Secret in Cybersecurity
You raise good points. I hope the authors will explore this as a topic more in depth. 
User Rank: Apprentice
6/16/2017 | 2:04:39 PM
Re: Privileged Account Security - Biggest Dirty Secret in Cybersecurity
There are tools to mitigate this, and an ever-growing number of companies is using them.
My job is to make sure they use ours to the best of their abilities.