Hacking the Cybersecurity Business Case

August 17, 2021

Hacking the Cybersecurity Business Care

Hacking is the pursuit of knowledge. To make companies more secure, we need to establish new cybersecurity habits throughout the organization. This is essential because most small and medium-sized enterprises don’t survive cybersecurity attacks, whether that’s because of failure to encrypt software, update files, allowing shared credentials, ensuring that employees do not click on suspicious links, and so on. In other words, employees are one of the biggest areas of vulnerability inside organizations. Chaining vulnerabilities and more web shells, everywhere: Despite a sweeping executive order on cybersecurity, threat actors are expected to continue to take advantage of product and supply chain weaknesses, for opportunistic intrusion vectors and enhanced persistence operations like the following –

  • Backdoors allow a threat actor to bypass normal authentication channels and interactively issue commands to a system (i.e., remote access).
  • Credential Stealers are typically designed to obtain credentials with functionality beyond basic keylogging. This could include usernames, passwords, keys, tokens, etc.
  • Droppers & Launchers can facilitate the delivery, unpacking and installation of malware, as well as launch (i.e., execute or load) files.
  • Ransomware is designed to encrypt data or drives to extort payment from victims.
  • Other includes items such as commodity malware, spyware, loggers, miners, and downloaders that don’t include backdoor, dropper or credential stealer as a primary function.

With a 125% increase in incident volume year-over-year, the impact was observed for almost every industry and geography. The triple digit increase noted was primarily driven by a global uptick in web shell activity by way of nation-state and cybercrime actors alike, targeted ransomware and extortion operations and supply chain intrusions.

Watchlist for the future

  • Return to normal could turn the spotlight on “dormant” industries: As the global pandemic begins to wane, world economies will expect to return to pre-pandemic levels. But this is no time for complacency; we expect industries such as Healthcare—already reeling from lockdowns and staff shortages—to experience upward trends in threat activity.
  • Ransomware and extortion operations are expected to retain pole position: No surprise here, but despite heightened awareness, government action and industry collaboration, ransomware is likely to remain one of the top threats to businesses globally. If anything, it has entered a new phase as threat actors adopt stronger pressure tactics and capitalize on opportunistic intrusion vectors.
  • The Cybersecurity Executive Order Order is a welcome, positive move—a long-needed call to action that will help many organizations to do the basics brilliantly. More on those basics in a moment. But first, there are many unanswered questions. This is a good thing because it means there is time for companies to study the executive order and engage with partners and government authorities to work out the devilish details. Participating in the rulemaking processes will put companies in a position to not only meet the requirements but thrive in the new environment—where companies’ security practices will become part of their competitive edge.
  • There’s a lot we don’t know yet about how, and how much, businesses will have to disclose when they get hacked. Clearly, though, the days of near-complete secrecy will come to an end as the House and Senate put forth proposals to require federal contractors and critical infrastructure providers to reveal details about their security failings. The open questions are major: Which companies must report? How quickly? And what qualifies as a reportable incident?

When we talk about helping companies become brilliant at the basics, we’re describing things like security hygiene; rigorous industry-specific controls; effective access management controls; continuous patching; ensuring visibility into and protection of ‘crown jewel’ data; comprehensive backup and recovery strategies; and crisis management/incident response planning. When we do these things better, everybody will be better off.

The ‘trickle down’ benefits

As the various elements of the order are implemented over time, we believe there will be multiple, significant benefits for companies who follow the order’s lead, including:

  • More secure software design.
  • More secure supply chains.
  • More emphasis on easier-to-secure (and business-driving) digital technologies such as cloud, zero trust, MFA everywhere, incident tracking and reporting and other technologies such as SaaS and PaaS.
  • The opportunity to wield improved cybersecurity as a true differentiator in the marketplace, thus generating not only more work with the federal government, but more work with leading businesses who are likely to adopt these same requirements for their vendors.
  • More transparent, trustworthy relationships between government and business and between businesses.

Ready to put some skin the game?

To be a CISO is to lead an army. You need a team that proactively works to identify all the ways that the enemy could attack and then build stronger infrastructures—from patching software vulnerabilities to creating security policies and cultures. Companies, and CISOs, need to quickly assess their ability to meet these standards and, beyond that, consider how to apply them. And this is important: companies need to work together and with their industry and cybersecurity partners, to participate in what the final standards should look like. The direction has been set by the government, now it is up to us to define how to implement these standards.

Finally, this is a key moment to bring cybersecurity to the board room. The secure software requirements create an opportunity for both CISOs and CIOs to engage boards and CEOs about reshaping their strategies and investments to meet and lead with more secure products, not minimum viable products. This is what we expect to become a new, more secure normal.

This is a key moment

In short, it’s an opportunity for all organizations to raise the security bar—improving resilience for U.S. companies and as a result, the resilience of America to cyber-attacks. Let’s get after it.