The destruction cyber-attacks leave and the pressures victims face
It is a strong possibility that another cyber-attack happened today. As of October 1st, 2022, the Center for Strategic & International Studies has documented 96 significant cyber incidents on Government agencies, defense and high-tech companies, or economic crimes with losses of more than a million dollars during 2022. Yet, while the instances of cybercrime is up 600% since the beginning of the Pandemic, there is still much we can do to reverse that trend line. It can seem insurmountable. It can seem inevitable.
The victims are not nameless, faceless organizations but ordinary citizens like you and me holding the bill.
How do cyber-attacks disrupt people’s lives?
At the risk of generalization, Cybercrime is never victimless. It is common to justify actions of perceived justice or without monetary gain as harmless or even just. The reality is when companies are attacked, cyber insurance for others increase. When nations are attacked, budgets are reallocated, and other services suffer. When personal data is taken, reputation is irreparably broken, and the cost of customer retention and net-new users swells.
Whether cybercriminals realize the cost, or outright do not care, the scale of victimhood has changed. In 2022, we saw the infamous Conti Ransomware attack on the Costa Rican Government. We know that the Costa Rican Ministry of Science, Technology and Telecommunications of Costa Rica (MICITT) is currently dealing with the fallout of a cyber attack on their essential government services on April 15, 2022. The fine people of that country were left with no recourse when the ministry was forced to shut down the entire network to stop the bleeding, leaving the entire population without access to health, education, and monetary services for weeks. We can only hope that their refusal to pay the ransom will be a positive step in dissuading future attempts against other nations.
In the end, some victims are victimized over and over as a result. Credential stuffing is a remarkably simple form of brute force cyberattacks in which criminals use stolen usernames and passwords to access user accounts in other systems. It is one of the most common causes of data breaches for a simple reason: stolen usernames and passwords are cheap, accessible, and they work. As more credentials are exposed through breaches, credential stuffing attacks are increasing.
What kinds of pressures do CISOs carry these days?
With these attacks becoming commonplace, a growing, albeit lesser, consequence is the personal and professional stress induced by the uncertainty.
When asked which technical facet of the job drives the most stress, CISOs pointed the finger at “staying ahead of threats” (33%), securing the network (28%), and securing endpoints (26%). (Balbix)
Twenty-five percent (25%) think the job has had an impact on their mental or physical health (or both), as well as their personal and family relationships. (Balbix)
100% of CISOs surveyed find their role stressful, with 91% saying they suffer moderate or high stress. (Balbix)
Eighty-eight percent (88%) of CISOs are doing more than the average 40-hour work week, with 60% saying they rarely disconnect. (Balbix)
As a result, companies and other organizations sacrifice efficiency for the necessary, potentially restrictive additions to core architecture. Cybercrime is a reality of life, but it wastes so many cycles that could be spent on productivity. In a way, the biggest victim of cyber-attacks is our future.
How should victims secure their systems without relying on new tech?
Since a magic, ‘fix-all-security-issues’ security tool is unlikely to exist, the battle is never-ending. The good news is that by changing the way we think, our philosophies are maturing and are making a significant difference.
Unfortunately, relying on users to make good decisions is never a good bet. On the other hand, a single training session might save millions overall. Implement password managers and good practices. Teach people to inspect links and to verify requests for information. Instruct people not to trust implicitly.
Zero Trust Security Policies
An architecture based on the philosophy that nothing – no device, user, or application attempting to access our architecture – will ever be considered secure. On average, zero trust security policies saved $1.76 million per breach (PurpleSec).
Expanding on this a little bit, the idea that you should never trust anything you do not control can also be a valuable strategy and contrasts with recent trends regarding multi-packet, open-source dependencies and ‘bolt-on’ security. In some cases, this might mean that we should not trust our operating systems or our expensive security tools.
DevSecOps stands for development, security, and operations. It blends process, culture, and tooling to integrate security as the responsibility of all members in the IT (Information Technology) lifecycle. To narrow it down to the biggest differences:
It puts security first by introducing it immediately in the software development lifecycle (SDLC) by the developers.
- DevSecOps is about built-in security, not “bolt-on security” that functions as a perimeter around apps and data.
- Everyone involved has an obligation to security in the DevOps continuous integration and continuous delivery (CI/CD) workflow.
DevSecOps attempts to deliver secure applications as quickly as possible.
If it makes sense to slide the responsibility for security from the IT team to the Application Developer, then it also makes sense to slide the responsibility of data security from the transport layer to the application. Truly, if the data is the most valuable part of the application, then it should be our desire to protect it as soon as possible, in the application, and secure it until it is consumed or stored.
By combining the philosophy of zero trust with application toolsets that are validated, quantum resistant and able to provide consistent security for all applications and appliances throughout your entire network, it is possible to remove trust in the things we do not control, build the security in from the beginning, and protect our applications against future threats.
The future will be better because of the changes we are making right now. It is unlikely that cybercrime can be prevented but we can change the way we think. We should find inspiration in the victims of cybercrime because it is to them, we owe our effort. If we cannot be perfect, we can at least be a little bit better. If our efforts today seem futile, we could be saving ourselves time and effort tomorrow. And somewhere down the road, a policy with your name on it might have saved someone from being a victim.
To read this article in Cybersecurity Trends, click here.