It’s a simple question, but with all that’s done to counteract them, why are hackers still such a problem for the IT security community?
Huge amounts of money, technology and human energy are expended each year to keep the IT systems of companies of all sizes secure from cyber attack. Yet it’s still rare for a month to go by without a major incursion attracting press attention.
So what’s going on? Many cybersecurity commentators have sought to answer this question - clearly evident in the abundance of articles about hackers we come across online. More often than not, however, the focus is on external factors and not the organizations being hacked. And this is precisely the problem.
Organizations tend to look outward at the enemy, the Monster that lurks underground. They speculate about factors that work in the hacker’s favor, rather than looking inward to examine their own defenses.
Coalfire’s Penetration Risk Report (2018) found that humans are the single weakest link in security for organizations of all sizes. And a key reason for this is the lack of cybersecurity awareness and/or inadequate cybersecurity training for staff.
In this article, we’ll take some of the most common factors put forward to explain the success of hackers and examine them within the context of staff cybersecurity awareness.
Speed is a crucial factor in the success of hackers. However, this is not necessarily down to the lightning-quick minds of hackers themselves. Contrary to the Hollywood stereotype, you don’t have to be a genius to be a hacker.
Hackers need only rely on the slow speed of organizations to deal with security breaches. For this reason, it’s more appropriate to explain the hacker’s success on this count by examining the internal failures of the organization to detect and respond to cyber threats.
Speaking at the VigiTrust Advisory Board AGM in Dublin in 2017, Michael F Angelo, Chief Security Architect with NetIQ Corporation/Microfocus, informed us that when cyber-attacks happen, it can typically take from 146 to 185 days before the average company realizes it’s been hacked. Even then, they usually don't know it’s happened until someone outside the business tells them.
The problem, for many companies, is that they simply don’t have a cybersecurity strategy. Indeed, at Skillnet Ireland’s 2018 Cybersecurity Skills Initiative Conference, one speaker reported that 40% of companies do not have a cybersecurity strategy. Hardly surprising then that his statistics for cyber attacks loosely correspond: 33% of organisations experienced a cyber breach in the past 2 years. And the threat is higher when money is in play, with cyber attacks experienced by 44% of organisations that sell online.
Cybersecurity expert Shlomi Boutnaru describes today’s cybersecurity paradigm as a “reactive cycle”. He notes that when a threat is exposed, it’s analyzed and a counter-solution is designed with response times varying from weeks to years. For many organizations this makes for a case of too little too late, because the damage may already have been done by the time the solution is found.
But, why not shift the focus from reactive to more proactive measures in order to reinforce defenses and increase the speed of detection?
The reason hacks aren’t detected comes down to a lack of cybersecurity awareness amongst staff and the absence of reporting strange or escalating activity on the system.
Staff should be the first line of defense against cyber threats, not the weakest link. In order for this to happen, they need to recognize cyber threats when they see them and know what to do next to raise the alarm. Adherence to standard policies and procedures regarding access control, authentication, monitoring, and reporting will limit the risk of cyber attacks or make them less likely to succeed.
An economic case is often put forward to explain the advantage of hackers. Organizations who manage to ward off an attack are not out of the woods. Cybersecurity is a war, not a battle, and the hacker has a secret weapon that they draw on to continue their offence.
The trouble is that attackers can easily reuse pieces of code from previous malware (such as exploits, decryptors or modules) and modify them to create a brand new threat which can bypass the newly updated security measures.
Boutnaru calls this reusing of code and methods a “secret weapon”, and makes an economic case for this upper hand by stating that:
“New malware is cheaper and easier to develop, while the tools needed to locate and disable it are only becoming more expensive. All the while, defenders need to cover a growing array of potential targets, each with their own set of weaknesses. For every dollar spent by cyber attackers, hundreds of dollars are being spent by the IT security industry. This economic imbalance is the springboard from which cyber-crime, cyber-terrorism, and cyber-warfare are launched. Thus, code and method reuse have become an intrinsic part of the DNA structuring of malware development today.” (source)
Undoubtedly, there’s a case to argue for the advantage of the hacker here. But can this be flipped back onto the organization?
Coalfire’s report found that although big companies have more sophisticated systems and greater financial investment in cybersecurity, it doesn't make them safer than their smaller counterparts. High-risk weaknesses were found at 49% of companies with an annual revenue of more than $1 billion. In comparison, the figure for companies with $100 million to $1 billion of revenue was 34%. The reason, the report suggested, is that the larger companies can put too much attention on high-profile cybersecurity threats and overlook basic cybersecurity.
Rather than looking at the financial investment required to tackle problems once they’ve escalated, organizations should support ‘stitch in time’ investments that address cybersecurity detection and protocol issues early on.
Until basic cybersecurity measures are put in place and staff members are trained in cybersecurity awareness from the bottom up, an organization is not secure.
If more investment is put into cybersecurity awareness, then breach attempts can be dealt with more efficiently. Ultimately, the organization will become less attractive to hackers because it is more difficult to penetrate than other sitting targets.
With the number of cyber attacks increasing year on year, cybersecurity teams are in danger of being stretched too thin. Organizations who fail to step up human resources to shoulder this demand are laying themselves open to weaknesses. But what if you can’t increase cybersecurity teams because of a dearth of cybersecurity talent?
A study conducted by Cybersecurity Ventures has predicted that unfilled jobs in the cybersecurity industry will hit 1.5 million by 2019. This feeds into arguments about hackers’ advantage in and around the themes of ‘you just can't get the staff these days’ and ‘there simply aren’t enough goodies to fight the baddies’.
These excuses just won’t cut it in the face of a high-profile security breach. So what can organizations do?
Retrain existing staff to work on the cybersecurity team. There are many positions in an organization with skills that can be transferred to cybersecurity roles, and this pool of talent may be up-skilled to fill necessary cybersecurity positions.
Moreover, as has been the argument throughout this article, organizations need to think about cybersecurity from the bottom up. A cybersecurity team of experts is certainly required to lead the organization’s risk management efforts, but equally important is having a cybersecurity-aware workforce.
Think of it like this. You can protect a castle with a small team of gatekeepers and elite knights positioned at various look-out points. Or, you can make every single person in the castle capable of spotting the danger and either refusing it entry or raising the alarm. Chances are the threat will be caught earlier on if everyone is on guard.
Hackers will always pose a security threat to organizations. But their success is directly related to the failure of the organization itself, and not to external factors such as the sheer wiliness of the hacker. Organizations need a strong cybersecurity and compliance culture, with staff, suppliers, and partners who are accustomed to assessments, audits and inspections. If so, they are more likely to detect attempted breaches and have a greater ability to survive and overcome actual breaches.
Make everyone in the organization a member of the cybersecurity team by training all employees to be vigilant and to follow the company’s cybersecurity policy and processes. Prevention is better than cure.