Cyberattacks are becoming easier to carry out and will threaten the digital economy unless businesses innovate
Cybercriminal activity is one of the biggest challenges that humanity will face in the next two decades. That’s a bold statement, but not without warrant. Cybercrime represents one of the fastest-growing categories of crime in the world. Underestimating the scope of this threat has left security departments underfunded and understaffed.
Today, cybercriminals are unleashing fifth-generation attacks, but 97% of the world can only protect itself from second and third-generation attacks. This growing divide between the sophistication of cyberattacks and security defenses cannot continue without impacts to the digital economy, which grows more unstable with each successful attack.
As companies become increasingly dependent upon internet-enabled business models, they make themselves more vulnerable to a wider array of cyberattacks and business disrupting events. For example, a broken website may cause potential customers to explore other options, while any IT system downtime has a negative impact on productivity. In some cases, such as healthcare and power, an outage can have life threatening repercussions.
In the first half of 2019, more than 3,800 breaches were publicly disclosed, exposing 4.1 billion compromised records. That represented a 54% increase in reported breaches over the same time period in 2018. Accenture estimates companies risk losing an estimated US$5.2 trillion in value creation opportunities from the digital economy over the next five years due to cybersecurity attacks. That’s nearly the equivalent size of French, Italian and Spanish economies combined.
The Evolution of Cyberattacks
Since the introduction of the internet, businesses have been playing a continuous game of catch-up with threat actors. Pressures to rapidly deploy new internet-enabled business models and a reactive cybersecurity culture has provided nearly endless opportunities for cybercriminals.
Personal computers were popularized in the 80s, which led to first-generation attacks in the form of computer viruses. In turn, businesses deployed anti-virus software. Cyberthreats became more sophisticated in the 1990s as hackers targeted networks with second-generation attacks—making firewalls the next reactive security defense. The 2000s ushered in the widespread use of applications as well as the exploitation of their vulnerabilities through third-generation attacks, which were mostly addressed using intrusion prevention systems (IPS).
Starting in 2010, we began to see fourth-generation attacks with zero-day threats that use highly evasive polymorphic content to bypass traditional defenses. Behavioral analysis tools have helped businesses tackle these threats. Now we’re witnessing the proliferation of large-scale and multi-vectored fifth-generation attacks, like WannaCry and NotPetya, due to the leak of government developed programs. The daily headlines of successful data breaches and IT outages serve as a harsh reminder of the mounting cybersecurity failures across industries.
As we enter 2020, you can expect to see even more sophisticated attacks designed to exploit the connected and device-driven world the digital economy thrives upon. With data scattered everywhere, sixth-generation attacks will be even harder to defend against and have farther reaching impacts.
Denial is No Longer an Option
Today, every business leader should understand that underinvesting in cybersecurity is like rolling into battle in an armored tank, while your opponent is launching ballistic missiles from halfway across the globe. Cyber risk is business risk. It’s a cost of doing business in the digital age and the methods you use to defend yourself must be more effective than the weapons of your attackers.
With an ever-growing network of cybercriminals working to develop the most advanced attack methods to penetrate systems, every business, financial institution, utility provider and government should assume they are under attack by cybercriminals set on causing devastation for their own gain.
When cybercrime services became commercialized in the mid-2000s, it marked a tipping point that went largely unmatched by enterprises. With a flourishing market, offering a broad range of accessible tools and services—like exploit kits, custom malware, and botnet rentals—any motivated 12-year-old can now run a ransomware campaign.
This isn’t just some passing folly of juvenile delinquents or state sponsored threat actors—it’s a thriving industry. High earners make up to $2 million per year. Mid-level criminals make up to $900,000. And entry-level hackers make $42,000.
It’s Time to Act
If you believe digital trust and connectivity are resources worth saving, here’s a list of actions you can take to help reclaim cybersecurity order in 2020 and beyond.
Digital Economy Stewardship
Preserving trust in the digital economy is a win-win for all organizations and people that gain positive benefits from its existence. With the proliferation of the internet of things (IoT), artificial intelligence (AI) and cryptocurrency, the time has come to make cybersecurity a global priority. When thieves and outlaws tried to lay claim on the Wild West, settlers banded together to protect their assets and maintain civil order. It’s time to join forces with other business and security leaders who agree the digital economy has value. Together, we have the power to create the proper framework of ethical standards, governance, and innovations necessary to turn the tides against cybercriminals.
Security By Design
Security can no longer be addressed as an afterthought. Security must be approached as a foundational requirement of any business model, supply chain, product or service. This vision needs to be communicated and enforced from the top down. If your board hasn’t already taken notice of the evolving cybersecurity landscape, they should. According to research, nearly half (48%) of corporate boards and 63% of business leaders are actively involved in cybersecurity strategy discussions. You must be ready, willing and able to assemble and execute a sound security strategy that includes the right talent and technologies to defend against today’s sophisticated threat environment.
Adaptive, Layered Defenses
As with any criminal activity, it’s not possible to protect against 100% of the threats 100% of the time. But there are always ways to minimize the threat. Traditional security methods like anti-virus, firewalls and intrusion detection systems (IDS) are no longer effective on their own because mobility, cloud, and IoT trends have dissolved the network perimeter and environments are no longer static. Adaptive security models can help solve this problem by automatically analyzing behaviors and events to create a feedback loop of threat visibility, detection, and prevention that consistently becomes more effective. Paired with layers of endpoint security, data security and monitoring, adaptive security can help you prevent an attack from occurring and respond to a breach within milliseconds.
Accountability
Security is only as strong as the weakest link. And right now, humans are often the favorite target of cybercriminals for this very reason. It only takes one wrong click for a hacker to penetrate corporate defenses. For cybersecurity to be a success, you must weave good security habits into the fabric of your organization, and hold employees accountable and responsible for corporate security. Formal security training programs can help teach employees how to protect themselves and your company against cyberattacks, but changing the attitudes and habits of your workforce can be more challenging. For this, you will need to properly leverage change management models to successfully build an all-inclusive security culture.
Offensive Strategy
Cybercriminals keep gaining ground because they are willing to innovate. Businesses need to do the same. As an industry, we need to address the inherent security issues of the internet, invest in innovations that get in front of evolving attack vectors and solve the cybersecurity workforce skills gap. There are potentially game-changing products in development. Autonomous services, adaptive identity management, blockchain-based data protection, and automated data rights revocation are just a few areas of innovation that we believe will be key to success in the coming years. You should be working with cybersecurity vendors to define an offensive cybersecurity game plan and ensure the delivery enterprise-ready solutions ahead of the threat curve.
2020 is the right time to start a cybersecurity revolution. If we aren’t ready to make cybersecurity a fair fight now, we risk surrendering the digital economy into a state of lawlessness that will become increasingly difficult to reclaim. The future prosperity of businesses and the benefit of internet-enabled innovations depend upon a solid cybersecurity foundation.
Marcus Chung is CEO at BoldCloud, the cybersecurity advisor that businesses and consumers trust to help them stop cyberthreats and close security gaps. With a cybersecurity career that spans over 20+ years, Marcus held key roles at Sygate and was instrumental in the company’s acquisition by Symantec. As a founding member of Malwarebytes, he helped grow the company to over 200 employees. Marcus has built a career based on the belief that providing cybersecurity should mean more than achieving success in selling products, but rather providing the best strategy and solutions companies can afford and efficiently strengthen their cybersecurity stance.