The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider.
What lessons can we learn from our recent history, and what projections can we make about the future of data security?
Cybersecurity trends of the last decade
Let us look back at the macro trends of the last decade:
Frequency and distribution
The 2010s saw rapid growth in cybersecurity activity from both good (investment) and bad (attack) actors. Cyberattacks are not new, but today they are ubiquitous.
Sophistication and creativity
Attacks have evolved in design, intent and purpose. Past attacks were major nuisances, but today, attacks can also be targeted, destructive and meant to evoke emotion and panic. Smash-and-grab certainly existed, but the bad folks are demonstrating innovations.
Attacks come in all shapes and sizes nowadays: malware, spyware, ransomware, man-in-the-middle (MitM), hybrid (e.g., social engineering), distributed denial-of-service (DDoS), phishing (including targeted attacks such as pretexting and spearphishing), cryptojacking and supply chain/third-party attacks. Remember, tools used for efficiency also have weaknesses.
Treasure troves and earning a profit
Many of the attacks target massive databases of personal records. Similarly, many attacks (specifically of the ransomware flavor) are financially motivated. Criminals see cyberattacks as a good business investment. Cyber war and hacktivism are alive and well, but cybersecurity provides business for good and bad people.
Legislation, regulation and compliance
Everybody in the pool! Governments, industry-specific regulators and third parties (such as insurers) all want their piece of the pie.
What’s old is new
Despite mounting evidence, the same issues pop up: misconfigurations, poor patching, social engineering, lack of training, incomplete or non-existent protocols and the like. Cybersecurity basics are still overlooked or left unaddressed, providing a target-rich environment.
The last three to five years jolted stakeholders into action and even increased awareness. Recent incidents demonstrated the need to reduce vulnerabilities, integrate security features right into development tools and improve response time because the impact is no longer localized.
Why are we not gaining ground?
Recent years have seen a good deal of operational change. At the user level, we went from desktops to laptops to mobile devices, blurring the line on who owns security requirements. At the infrastructure level, we shifted from on-premises to the cloud, and 5G and Edge Computing are knocking on the door.
Additionally, the number of devices deployed has exploded. Ten years ago, you probably had a desktop or laptop and maybe a mobile phone (not necessarily a smartphone, either). Today, you may have at least half a dozen internet-connected devices and a stack of IoT devices, many with vulnerabilities out of the box.
We talk of the perimeter as if it still exists, even though it is effectively gone, or at least on hold. We, therefore, embrace zero trust solutions, but implementing them isn’t easy. Yes, we have made great strides in data analytics, artificial intelligence and incident response, but have security investments kept pace with business efficiency investments? If so, wouldn’t the gap be closing?
Effectively, we increased risk, destabilized resilience and destroyed trust in the name of business efficiency. That bill is now coming due.
Security remains a tough sell
Geopolitical and socio-economic events are driving organizations to invest more in security, but sound approaches such as security-by-design remain an uphill battle. The key is making a case for improved security from a business perspective.
Regulations and laws are motivators. SEC rules, GDPR requirements, state-level legislation and critical infrastructure mandates force investment, but the issue with these approaches is the trap they create. Impacted parties may seek the “bare minimum” requirement or turn it all into an audit game, making security and incident response activities an exercise in achieving the lowest common denominator.
The business case for information security, therefore, remains elusive unless you have a CISO or IT team that understands the business well and can clearly articulate why the last ten years may have been the “easy” years, and the next ten are the ones that will bring pain.
How do you make that case?
The catalyst to change could come through privacy initiatives and content protections at the individual level.
Using the privacy lens to protect data
It’s not all doom and gloom as long as some behavioral approaches change. First, we must accept we are data creation monsters. Some estimates claim humanity will create 180 zettabytes of data by 2025. For perspective:
- 1 GB = 1,000,000,000 bytes
- 1 ZB = 1,000,000,000,000,000,000,000 bytes
Who owns all that data? Who processes all that data? How can you reasonably manage it? Technology is just one piece of the people, process and technology trifecta. And people are starting to get touchy about their privacy, so using biometrics to perform tasks like authentication may run into barriers.
So what’s the path out?
First, understand the data lifecycle. How is it created, how is it managed and what are the best ways to destroy it? Sure, some people may wish to hold on to it as long as possible, but maintaining confidentiality, integrity and availability has proven to be a challenge. Therefore, get data you don’t need off the books.
Next, view data through a privacy lens. Here is the shift in thinking: treat the data as somebody else’s rather than your own. Appreciating that you are responsible (and, more importantly, liable) for the data on your books is a great way to shift your risk tolerance. All of a sudden, you might find yourself thinking, “Do I really want to hold on to this?” It’s not a bad mindset.
The future demands cyber resilience
The next few years will see more protective technologies developed and deployed. Some, like quantum encryption, could be game changers. But no matter how good future technologies become, any central repository of data is a risk and liability. Proactive incident response and resilience planning should be on the rise as well. Organizations are now realizing they may have to “go it alone”.
Moving into 2023, start to get that risk off your ledger and build resilience into your operations. Federate your systems and spread the risk instead of creating one juicy target. Lastly, begin to see yourself as a custodian of somebody else’s data — because one of these days, they may just be knocking on your door for damages, and the result could get costly.