Ransomware, extortionware, and theft: Are your security strategies really working?

By Jerald Dawkins

By Jerald Dawkins, Ph.D., CTO, CISO Global

Reflecting on attacks in 2022, SonicWall’s Global Cyber Threat Report reaffirmed what many other reports have stated – that ransomware was on the downward trend in 2022. A handful of high-profile arrests of cyber cartel members from notorious groups like Darkside, REvil, and CIOp, seemed to temporarily raise hopes in some that the “good guys” were finally winning. Conventional wisdom, however, tells us that the criminal appetite for money isn’t going anywhere, and until the industry finds a higher level of effectiveness, cyber criminals are going to have their payday, one way or another.

Even a broad read of industry research points us back to the fact that cyber-crime pays, and that as long as there is a way in, and sensitive information to find, will criminals continue to pivot until they get at it. In short, what we’re doing as an industry isn’t effective.

That’s probably an uncomfortable truth, but take a look at the numbers and see what you think:

CrowdStrike produces an annual Global Threat Report based on analysis of the threat data flowing into its platform, examining attack styles, types, and methodology, to determine new trends. The 2023 report details some particular trends. Notably, attackers have demonstrated a commitment to doing whatever it takes to extract funds from their victims, with most attack groups’ continued ties going back to geopolitical regions and state entities, including Russia, China, Iran, and North Korea. Among other trends noted was a reiteration of the widely accepted correlation between companies’ new technology rollouts and an increase in attacks.

The [CrowdStrike Global Threat] report shows that security must parallel the slope of technology innovation. As technology matures, security has to mature and match the innovation of the technology running our organizations. The same thing can be said for the adversary. With every innovation we achieve, we can expect the adversary to actively seek ways to exploit it. From the cloud to Kubernetes, from AI to applications and more, as technology gets more complex and provides tremendous operational gains, security must evolve to protect the productivity we gain.

All you need is more technology?

For years, the cybersecurity industry has been plagued by advertisements promising that a new technology will solve all cybersecurity woes. People spend on these technologies in droves. In 2023, $219 billion will be spent on cybersecurity solutions – more than ever before.

What it’s really like out there:

Yet, Tech Republic recently reported that according to a new Cybersecurity Readiness Index, only 15% of the 6700 CISOs and other cybersecurity leaders across 28 industries around the globe said “their organizations have implemented security programs mature enough to defend against current cybersecurity risks.” 82% of respondents expect to be attacked successfully this year.

Look at cyber insurance trends.

As business leaders and boards become more cyber literate, however, and continue to see their cybersecurity investments increase, while attacks fail to decrease, the question of ROI has to come up eventually. Just look at trends in cyber insurance. That’s one industry that will always learn from the numbers. In May, the Wall Street Journal reported that cyber insurance premiums rose 28% in Q4 of 2022, and saw an 11% year-over-year increase in 2023, presumably due to widespread losses and ransomware or extortion payouts. Furthermore, CSO Online published data indicating that many are unable to obtain coverage in 2023 due to insufficient evidence that they have a mature cybersecurity program and are sufficiently addressing risk. What insurance companies are saying by this is, “What you’re doing isn’t working, and we refuse to continue throwing money at poor practices and immature security programs.”

There are geopolitical forces at work.

One thing is certain; cybersecurity is absolutely tied to the global balance of power. Russia’s war in Ukraine, for example, which some researchers have postulated as the likely reason for a temporary drop in ransomware (because they were otherwise occupied), and others have proposed as a primary beneficiary of more broadly defined state-sponsored cyber-attacks in 2022, is just one instance of how the global political climate both impacts – and is impacted by – cybercrime.

Cybersecurity is a Culture.

It’s undeniable that practitioners need to be leveraging AI, automation, and technologies like SOAR in their strategies to speed up processes, gain new insights, and become faster at what they do. However, when you approach technology with an understanding that what makes new technology effective is almost never the tool itself, but its configuration, implementation, and integration into your overall strategy, it becomes clear that what matters most is who’s behind it. Who architected the implementation? Who configured it? Who manages it? Who provides updates and patches? That’s where there’s really a struggle, because of the crisis-level global shortage of cybersecurity experts. These factors are part of your company’s cultural fabric.

In a recent presentation to a group of enterprise IT security leaders, CISO Global’s President and CISO, Ashley Devoto, asked everyone in the room who knew they still weren’t executing cybersecurity fundamentals the way they’d like to be, to raise their hands. Nearly everyone in the room had a hand in the air. A very honest conversation ensued, with many staying after to discuss the struggles they were facing just to complete seemingly basic projects, like rolling out MFA to all parts of the company. It’s not that the leaders haven’t taken tremendous steps – they have. The problem is that completing cybersecurity tasks company-wide takes time, because it requires collaboration, people/financial resources (which are often in short supply), etc.

So, What’s the Fix?

  1. Get help with your culture. Work with someone who can step in and measure where you are, look at your whole program, and help you speed up progress. This means examining implementations, configurations, network design, roles, policy, procedure, and more. ROI on your cyber investments depends on the organization’s cyber maturity, and you can’t get there overnight – but you can get there.
  2. Consider vendor consolidation. According to a report from Gartner, 75% of organizations are looking to reduce vendor sprawl through consolidation. Vendor sprawl is one significant factor in poor integration and strategy, because vendors tend to work in silos, their services have limited visibility in the context of your overall program, and they offer little help to your big-picture strategy. They are concerned with making sure you use their tools, their services, so their data and portals are designed around that goal. You might consider trying to use fewer vendors, working with providers who can cover more of your needs at once, and improving visibility through a platform like Argo Security Management.
  3. Upskill and train your people. From a security awareness training perspective, it’s absolutely essential to ensure everyone at every level of your organization is consistently trained and growing in their cybersecurity understanding, awareness, and acumen. However, you also have IT staff who could be learning new skills. Consider providing more certification programs and professional development. Be sure you invest in your people, too, so you don’t lose the people you train to high turnover rates. If you’re not sure where to start with upskilling, you might consider working with an outside consultant to help determine where you need the most support to shore up your internal teams.

In conclusion, the increasing sophistication of cyber threats and the continuous evolution of technology necessitate a multi-faceted approach to cybersecurity. Organizations must recognize that the acquisition of the latest technology is not a panacea for cybersecurity challenges. It is the integration, configuration, and management of these technologies that determine their effectiveness. To genuinely progress, organizations must foster a culture of cybersecurity awareness, invest in their employees’ skill development, and integrate their cyber strategies seamlessly with their overall business objectives. Indeed, cybersecurity is no longer just an IT issue but a fundamental business concern that requires long-term commitment.


No posts to display