Top Cybersecurity Concerns Are WRONG
Matthew Rosenquist
CISO at Mercury Risk. - Formerly Intel Corp, Cybersecurity Strategist, Board Advisor, Keynote Speaker, 190k followers
A recent survey by Varonis of 500 security professionals from the U.S., UK, and France highlights the top three cybersecurity concern for 2018: Data Loss, Data Theft, and Ransomware. Sadly, we are overlooking the bigger problems!
Missed the Target by a Mile
I think we are scrutinizing at the small and known threats, when we should be looking forward at the significant risks coming our way. In some ways, it is like the child in the crosswalk who is looking down at their untied shoes, while oblivious to the truck speeding towards the intersection. The top survey results are not surprising, just disappointing.
The Real Threats
Here is what the world should really be concerned about, when it comes to cybersecurity:
- Data Integrity Compromises. These types of attacks can cause catastrophic impacts and losses, orders of magnitude greater than data breaches and common theft. By just modifying a few transactions or data records, thieves have been able to steal tens to hundreds of millions of dollars, researchers have taken control over the operation of cars and planes, and national infrastructure systems have been physically damaged.
- Escape of Nation-State Attack Techniques and Code. Highly sophisticated and funded capabilities are normally reserved by nation states for precision attacks. But once the vulnerabilities, exploits, and tactics are used in the wild or leaked, others will have the opportunity to harvest, dissect, and duplicate functions for their purposes. Threats such as cyber criminals, anarchists, and other nation states will gladly wield these super weapons for their end-goals and to the severe detriment of others.
- Exploits in IoT Devices Which Pose a Risk to Life-Safety. Society is sliding over the verge where we place our lives and safety in the hands of intelligent machines. It is most relevant in the automotive, critical infrastructure, healthcare industries. Although astonishingly wonderful if used for good, it comes with risks. Autonomous vehicles, electrical grids, and medical devices all play an important role in keeping people alive and healthy. When attacks undermine functions and turn malicious, people will be put in harm’s way.
Not a Flawed Survey
Sadly, I believe the survey was accurate. This means those professionals who provided answers are only seeing the near-term problems: the very ones they fear most. These issues are annoying, but do not compare to what is just around the corner. The risks are as mismatched as much as the capabilities to prevent, detect, and respond to them. Consider that there are already mature tools and defenses for data loss, theft, and ransomware. They just must be instituted, configured, and maintained to work against most attacks. For the real threats, we are much less capable in our defenses. Granted, the participants may not have many options to choose from, but the answers given may speak volumes about those who voted for these categories. Namely, that they are likely not as prepared for these basic risks as they would like, therefore they fear what they know will come. With their focus on these, they fail to see the long-term strategic picture. That is bad for everyone, except the attackers. Without looking forward, like the child in the crosswalk, they are likely to be surprised when the truck hits.
We Must Do Better
We must think strategically if we want to be prepared and make a meaningful difference.
“Plan for what is difficult while it is easy, do what is great while it is small” - Sun Tzu
If we don’t perceive and understand the big problems ahead, we stand little chance in addressing them early.
Where do you stand? Is your attention only on the immediate and well-understood risks?
Interested in more? Follow me on your favorite social sites for insights and what is going on in cybersecurity: LinkedIn, Twitter (@Matt_Rosenquist), YouTube, Information Security Strategy blog, Medium, and Steemit
Cyber Security Enthusiast | Information Security Manager | Risk Management | Compliance | Technology Audit
6 年In todays business environment ignorance for small flaw can lead the business vulnerable and can have big impact for the operations and financial losses.
This is so true, I guess they ignore some things because it isn't rampant. It shouldn't be forgotten that this is cybersecurity, the small threats matters too
CISO at Mercury Risk. - Formerly Intel Corp, Cybersecurity Strategist, Board Advisor, Keynote Speaker, 190k followers
6 年David Marothy Too little regulation, like your outlined can be bad. Too much, like regulations for healthcare devices that prohibit security updates can be seen as too much. The secret to good security is to find the optimal balance between risk mitigation, cost, and usability.
Senior SOC Expert at Black Cell
6 年Regarding the iot and zero day problems: the main one lies with regulation and the with the financial liability of the manufacturers. If there will be a regulation to make companies financially liable regarding 0 days, then the world will turn from public beta testing of expensive products to have actually usable products and devices. Regarding data*: no hundred percent security and if you store data, then you are a target, so act accordingly. Also, I fear a bit more from a data breach at facebook or some third party advertising agency, with hundreds of petabytes of user behaviour big data, then from another NSA breach. Also, I believe, we have to talk about regulating the companies, who are storing years worth of UBA on every internet users in the world.