October is National Cyber Security Awareness Month (NCSAM)… whoopie! As a cybersecurity professional, I realize that most of you don’t really care. The truth is that most of us are burnt out because of the incessant threat of being hacked. According to a July 2021 survey by Kaspersky, 64% of respondents are “stressed” by ongoing reports about ransomware. In fact, cybersecurity has become one of modern humanity’s biggest fears. This is supported by the Kaspersky survey where 37% of respondents said that having their bank account hacked would be more stressful than losing their job. The lingering threat of being hacked, like most unknown things, scares us… and we are tired of being scared.
Unfortunately, these cyber threats are all too real. Most people simply cannot grasp the immense scope of the industry cybercrime has become; it is not big business—cybercrime is a huge business. According to Europol, in 2018 the “total global impact of cybercrime [had risen to] US $3 Trillion, making it more profitable than the global trade in marijuana, cocaine, and heroin combined.” That’s a lot of money… but according to this PR Newswire article, that could be as high as $10.5 trillion by 2025. For perspective, that is 183 times Apple’s 2020 earnings… 183 times. Huge business indeed.
The amount of money to be made explains the ‘why’ part of the equation. Unfortunately, the ‘how’ part is just as simple… we make it easy for them.
In a previous role, I ran an incident response service, and we would come in to help companies who had been hacked and were in real danger. In the vast majority of security incidents that I have been a part of, the entry vector for the threat actors was a simple thing to fix: unpatched servers, simple passwords that never expire, falling for a phishing email, and leaving remote desktop ports open to the internet. The same mistakes exploited the same way over, and over, and over – quite literally ad nauseam.
The problem is that I still see it all the time, but it’s not just companies being thoughtless. P.T. Barnum (who died fifty years before the invention of the ENIAC computer) is known to have said “there’s a sucker born every minute,” and modern threat actors have turned Barnum’s quote into a business model. Every single one of us that fails to make cybersecurity our job eventually ends up as another ‘ching!’ in the bad guy’s bank account… and every one of those encourages the threat actors to keep it up. It probably sounds hopeless, but our biggest problem is actually the solution when viewed from the proper perspective.
Threat actors play the averages. Think about it: the bad guys can make money because they come up with one piece of malware or discover one new vulnerability and then distribute it to the world. For example, let’s say there are 500 million users of Microsoft Windows. If you can trick just 2% of those people and get ten dollars from each of them, that’s $100 million <insert Dr. Evil pinkie-to-mouth here>. Pretty good odds, and a very high Return on Investment (ROI) even if it cost you $500,000 to develop the attack (a 2,000% ROI). You get a few of those and you are “movin’ on up” like a high-tech version of The Jeffersons.
But what happens if the first user who gets taken for ten dollars tells everybody, an update gets released, and everybody patches their machine? Now that $500K investment from the threat actor only brings in ten dollars; it was not worth either the time or the money for the bad guys. THAT is how we attack cybercrime—we break their business model by practicing good cybersecurity. It really is that simple.
So how can YOU be cyber smart? There are five basic things we should all be doing to protect ourselves and the organizations we work for:
At the end of the day, we can turn the tables on the threat actors out there. However, it is going to require all of us to understand that cybersecurity is not something your CISO or the Information Security department does for us; it is our job. One of my favorite quotes is from Aristotle, who said, “We are what we repeatedly do. Excellence, therefore, is a habit.” Practice good cybersecurity at work and you will be more likely to protect yourself at home. When we all individually own cybersecurity, the bad guys will not have a chance.
Do your part for October’s NCSAM: be cyber smart!