Rapid technological change and the growing professionalism of cybercriminals drives businesses to get more sophisticated about their digital security. To discuss these trends, Passcode and Highwire PR gathered seven security industry experts on the sidelines of the RSA conference in San Francisco.
Here are seven key takeaways:
1. Meet the new chief digital officer
There aren’t many chief digital officers (CDOs) out there yet, but that’s set to change, said Sumedh Thakar, chief product officer at Qualys, a cloud based security platform built for digital transformation. These c-suite executives excel at busting silos that stand in the way of digitization and keeping all of an organization’s data secure.
Traditionally, chief security officers (CSOs) oversee some digital security as part of a larger portfolio. Now, digital transformation and security is an interconnected, core need.
“These people are reporting to the board because the transformation directive is coming from the board. It is fundamental to the business now,” said Mr. Thakar.
2. The $75 billion question answered
The world gives the cybersecurity industry $75 billion annually to defend against attacks even as costly breaches continue at an alarming pace. Why is that?
“We are approaching new problems with the same old solution,” said William Harmer, a senior director at Zscaler, a cloud security company. “We are coming at it from the perimeter, the corporate stack, … in a world that’s become mobile, where the network is irrelevant and the perimeter is porous.”
Many companies fall into the trap of buying multiple off-the-shelf systems to match a system to every threat on their checklist.
“Checkbox security is an absolute disaster. And that’s where your $75 billion is going,” said Mr. Harmer. Much smarter: Figure out what information is most important, what the most dangerous threats are to that data and then focus your efforts at reducing those threats.
3. Are breaches more frequent today? Maybe not.
Some good news: The steady flood of headlines about new breaches doesn’t necessarily mean that more security failures are happening now than in the past. We might just be hearing about more of them.
The argument, made by Jesse McKenna, director of product management at vArmour, a provider of data center security, goes like this: First, companies have better detection systems so more breaches are now noticed by the companies themselves. Second, new regulations and disclosure requirements on companies mean firms are publicly reporting incidents that once would have been swept under the rug.
And even when companies fail to detect the breaches, investigators and journalists now have an easier time alerting the public by looking for stolen data on the darknet, where the stolen data goes on sale, said Harmer of Zscaler.
4. You’re more connected than you realize.
Quick, how many Internet-connected devices do you have in your house?
The answer in the case of Justin Fier, director for cyber intelligence and analysis at Darktrace, which delivers unsupervised machine learning security technology, is over 30 connected devices. It’s a small example of just how big the attack surface has become, even in our personal lives, with the proliferation of Internet-enabled devices.
“If you look at that, you can think of your house as a small-to-medium business now” in terms of the digital security challenge, Mr. Fier said.
5. Criminals need graphic designers, too.
Ransomware is now big business. In 2015, $24 million in ransoms were paid out, according to reports made to the FBI. That ballooned to $200 million in the first quarter of 2016 alone.
“When you are dealing with those kinds of numbers you know the bad guys are scaling. Any time you scale, you have to professionalize” the operation, said Jeremiah Grossman, chief of security strategy at SentinelOne, an endpoint security company.
Part of professionalizing is tapping specialists to streamline the business of turning crime into cash. When cyber-criminals were mostly trafficking in stolen credit card numbers and personally identifiable information, they could sell the data to a network of insiders. With ransomware, the criminals must present themselves to the victims and work at developing a clear message that gets people to pay for the return of their data.
“They are hiring graphic designers to create a nice presentation to describe what the victim needs to do. It’s very professional,” said Chris Wysopal, CTO and co-founder of Veracode, which secures web, mobile and third party apps for the enterprise. “There’s actually probably some market research going on.”
6. There’s honor among thieves.
There’s a comforting aspect to ransomware becoming more professionalized: Reputation is becoming very important to these criminals. Specifically, their reputation with their victims.
“Why? Because if people don’t trust they will get their files back, they won’t pay the ransom,” said Ziv Mador, vice president of security research at Trustwave, which helps businesses fight cybercrime, protect data and reduce security risk.
That means in most cases these groups will decrypt the files once you pay, and they will often provide proof of their ability to do so up front.
7. Do you have a ransom policy?
Eventually, the threat of ransomware will get to a point where it will be standard policy for a business to have a ransomware strategy. And your business will be shunned if it does not.
“People are going to [say], ‘I’m not going to do business with you or invest in your company or be a partner unless you tell me, do you have that disaster recovery system, does it work?’” said Mr. Wysopal of Veracode.
That is still some years away, he added, but once it takes hold, the prevalence of ransomware should begin to fade.