Cybersecurity: It is all about People

Cybersecurity: It is all about People

Cyber security is in the spotlight, we all know that. The latest massive ransomware attack WannaCry that affected over 150,000 computers in more than 150 countries, the mega breaches of Yahoo, which affected 500 million accounts and the subsequent revealed breach just a few months after that affected 1 billion accounts, the crazy DDoS attacks bringing down sites including Twitter, the Guardian, Netflix, Reddit, CNN and many others in Europe as result of the cyber-attack to DNS provider Dyn. These are just some examples of attacks that became public, most of them never reach the news. According to a study of FireEye, an estimated 97% of businesses have been breached.

Over the past five years, the number of publicly traded Cybersecurity point solution vendors has more than doubled. A report of July 2016 from CB Insights stats that $10.9 billion was invested in over 1,200 private cyber security startups from 2012 to July 2016, making the landscape more fragmented and confusing for organizations.

Despite the increase of spending on fragmented solutions, enterprises today spend >$70B annually on security technology and services according to IDC, cyber-crime incidents continue to accelerate in frequency, sophistication, and damage, and by consequence cost. Even so with all these investments, the good guys continue following behind. Recent figures from several security vendors put the cost of cybercrime crime in 2016 as high as $500 billion and more. An even more frightening number from Juniper Research reveals that breach costs are expected to quadruple to $2.1 tri globally by 2019.

Why is that? It is all about the people, or lack of them.

The cyber security industry nowadays faces several challenges, most of them are people-centric constraints. In my opinion, there are two main reasons that contribute to the expanding gap between black hats, the bad guys and white hats, the good guys.

First and unmatched: Limited Human Capital and Security Expertise. There are not simply enough security specialists available. Talent in cyber security is quite scarce and the demand is projected to keep increasing. Cybersecurity workforce demand is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million, stated Michael Brown, CEO of Symantec, world’s largest security software vendor. The reason for this seems obvious, a growing number of attacks, attack surface, digitization of company assets and all these new the security technologies throwing off “alerts”, human capital is required to prioritize and act on the alerts. Also to develop best-breed technologies to protect and prevent organizations and users, security talent is essential.

The second reason is Lack of Cybersecurity Awareness and Training. Again it is all about the people. Humans are the weakest link, it is a fact. IBM’s 2015 Cyber Security Intelligence Index reports that 95% of cyber security breaches are due to human error. Cybercriminals rely on Social Engineering techniques to psychologically manipulate individuals by exploiting cognitive biases leading people into performing actions that let them gain access and to steal confidential information. Detection solutions, no matter how sophisticated, will be deficient due to this human vulnerability.

Spear phishing and insider threats, two attacks vectors that reveal how humans are a liability. The Anti-Phishing Working Group (APWG) observed that 2016 ended as the worst year for phishing in history. The total number of phishing attacks in 2016 was 1,220,523. This number represents the highest ever recorded, and fully a 65 percent increase over 2015.

In the case of insider threats, there are several cases of malicious employees well equipped and informed. Edward Snowden’s theft and disclosure of classified information in 2013, and Jun Xie’s exfiltration of 2.4 million files from GE Healthcare’s secure network in 2014 are just two notorious examples.

Phishing and insider threats impact on private sectors companies not only poses a risk to the companies’ proprietary information and data but also in some cases to the all Society and Economy.

The solution? I think it is a partial one but will be certainly a combination of automation, education and a strategic approach to cybersecurity.

With Automation, it is possible to reduce the level of human intervention. Enterprises will be compelled to invest in technology to keep up with more complex attacks and overcome the shortage of cyber security specialists. This could result in experts focusing on effective detection and risk mitigation.

With Investment in cyber security training and education, there will be more awareness from employees, C-Levels and consumers for cyber security concerns, diminishing the probability of breaches. Moreover, with tailored education and training, it is plausible that the number of qualified cyber security professionals will escalate.

To get automation, training and a strategic approach to cybersecurity, i.e. risk-based approach for all company processes and effective disaster and recovery plan in order to protect its assets, including its reputation, intellectual property (IP), staff and customers, companies like S21sec from Sonae IM’s portfolio are crucial.