The State of the Threat
Data breaches exposed 4.1 billion records in the first half of 2019, with total fines doled out to non-GDPR-compliant companies reaching €428,545,407 by the end of last year. Amongst the victims, we saw universities, government departments, global organisations, huge corporations and smaller businesses crumble at the hands of opportunistic hackers.
As nation states lock horns on the cyber battlefield and hackers ransack businesses for personal gain, cyberspace is starting to feel hostile. In light of clear and present danger online, organisations are largely responding in panic. Worldwide spending on cybersecurity is forecast to reach $133.7 billion in 2022, according to Gartner. But, as RSA Chief Executive Art Coviello expressed in 2017, a lot of spending today is misplaced, with strategies being driven by fear and the perception of threats. Security and compliance vendors often capitalise on this fear, and sell the products they have, rather than the solutions customers need.
At Orange Cyberdefense, we are committed to developing and delivering products and services that enable our customers to address genuine threats, with the least possible impact on financial and human resources. This starts with a more realistic look at what these genuine threats are, as well as how to identify and track them as the threat landscape inevitably shifts.
When it comes to the threat landscape (or the State of the Threat) as we know it today, there are three distinct forces at play. These forces are unpredictable but always present; they are somewhat uncontrollable, but we can react accordingly if we acknowledge the impact they can have both on our business and our cybersecurity strategy.
The first of the three forces is geopolitics, which can equate to military, political, economic, social or legal factors on a national or international level. Geopolitical forces are the result of the vast energy and resources that governments inject into an environment when they have the political will to do so. Collectively, geopolitical forces have more impact on the State of the Threat than any other factor.
The recent splintering (or balkanisation) of the internet is a prime example of geopolitical forces at work. This is perhaps epitomised by recent developments between Huawei and many nations across the globe, as corporations begin to scale back implementations and usage of the Chinese company’s technology, for fear of surveillance and insecurity.
As we cannot control or prevent geopolitical forces, our only choice here is to observe them and orient ourselves accordingly.
The second force is structural factors – the enablers and constraints woven into our local environments. They can have a significant impact on the shape the threat takes, and our ability to respond to it.
These structural factors include, but are not limited to:
- Innovation by criminals – new ways of monetising existing attack methods, such as crypto-mining and ransomware, which change the nature of the threat at a rapid rate.
- Cyber insurance – whilst in its infancy, cyber insurance promises to remove much of the uncertainty and angst from breaches and hacks and, as a result, is shaping our strategies, policies and technology choices. Insurance providers are having a further impact on the threat landscape when they make the decision to pay ransom on behalf of their insured clients, rather than accept the much higher cost of responding to and recovering from a compromise. In doing so, they in fact fuel the cybercrime economy and even create price inflation that draws more black hat players to the space.
- Regulation – in conjunction with insurance, government regulations are playing a dominant role in shaping our landscape. Collectively, these regulations are certain to impact corporate spending, strategy and behaviour in a significant way. GDPR promises to shape the future of information security in Europe. The emerging Californian Data Protection legislation will likely have a similar impact in the United States.
Structural factors can significantly shape the current State of the Threat. From a defensive point of view, structural factors are beyond our power to control, but we can often influence them.
The evolution of technology
The third and final force is the evolution of technology – as the technology at our disposal changes, so does the threat and our response to it.
However, new technologies (think cloud technology, artificial intelligence and more) rarely replace old ones – they simply add to them. Therefore, over time, a business becomes burdened with a deep pool of security ‘debt’ that never goes away. New and evolving technologies will probably not reduce the risk, but only add new potential threats.
The good news is, technology is something we can exert control over. We can choose which technologies to adopt within the business, and how and when we deploy others to address cyber threats, thereby reducing the size of our attack surface and limiting risk by finding vulnerabilities. Since these efforts are completely under our control, it makes perfect sense for us to use recognised best practices to do so.
Building a threat map
By addressing the factors that influence today’s threat landscape, we can then start to build a holistic threat map of the ‘genuine’ threats that emerge and can impact businesses – whether that’s supply chain attacks, OT attacks and abuse, ransomware or otherwise. As a business, we also collect and analyse data (as a function of our role as an operator) to track, validate and tune our assumptions of this threat map on a continuous basis.
As we’re only able to control one of the three key factors – the evolution of technology – it stands to reason that this should be our immediate short-term focus, setting guidelines and best practice on how we can smartly deploy technology, people and processes to counter threats. That said, we also need to accept and anticipate that this alone will not be enough to achieve the level of resilience we require, considering the other factors at play.
Tipping the scales
In contemplating the State of the Threat today, it’s clear that businesses of all sizes and sectors are going to find themselves in a constant, dynamic state of conflict with cybercriminals, who are aided by large, systemic forces over which we have little to no control. These factors collectively outweigh all the resources that we as defenders have at our disposal.
We therefore need to prepare to engage our adversaries in an active manner, behind the traditional perimeters of our environments. This includes the deployment of mature and effective detection and response capabilities to minimise attackers’ element of surprise, significantly increase their costs, drive their efforts back and limit the real damage they can cause to the business bottom line.
Cybersecurity is complex and we cannot hope to predict what tomorrow will bring. As threats continue to evolve, it’s important for businesses to recognise that attack is inevitable. But an understanding of the real risks posed, and strategic engagement with the cyber enemy, are essential, affordable and achievable with the right insight, expert knowledge and tools.