Facebook, Under Armour, Ticketfly, Panera. What do these companies have in common? They’ve all suffered significant data breaches in 2018. The frequency and magnitude of cyber attacks seem to be growing, and even the threat of massive fines allowed for under privacy legislation such as GDPR doesn’t seem to be having much of an impact. And when you consider that there’s a growing shortage of cybersecurity professionals, it’s tempting to draw a connection between the two, to say that there aren’t enough cybersecurity professionals to adequately protect and harden and monitor computer systems today, whether they are on premises or in the cloud, and that this is the root cause of the data breaches.
I would argue that this is a myopic view. On a fundamental level, the argument does hold. But the reality is much more complex. The breach problem is being driven by an evolving, expanding attack surface, with evolving and expanding mechanisms for accessing this attack surface. If I hack a phone, or an app, it’s highly likely that I’ll be able to get into a database. Even five years ago, this wasn’t possible.
It’s important to recognize that the number of data breaches is increasing rapidly, and that the primary driver behind this growth is the amount of data available online. There’s more data, and so there are more breaches. When there is more data than ever before, in more places than ever before, there’s a much bigger attack surface. There are also more possible routes into organizations than ever before, including mobile devices and IoT devices, and more people who use these varied ways to access data than ever before. It’s inevitable that the size of the attack surface has attracted more attention.
Another misconception is that it’s infrastructure and data that are being hacked. Instead, we need to think of it as people being hacked. Instead of going after the infrastructure that houses the data, or the data stores themselves, cybercriminals are increasingly going after people and the way they access data.
We see this with the continuing rampant proliferation of spearphishing. Instead of one-to-many attacks, cybercriminals are now focussing on one-to-one attacks. When successful, these attacks grant access to credentials, devices, and personas that ultimately allow an organization to be breached. It’s no coincidence that spearphishing attacks focus on executives, people who are extremely busy and who receive regular urgent requests for assistance.
Another attack vector is breaches aimed at third-party suppliers to gain access to organizations. One well-known breach of Target occurred when criminals were able to access the vulnerable network of an HVAC provider. Due to a lack of proper network segmentation controls, access to the HVAC provider was used to gain access to Target’s POS systems, and from there, the criminals gained access to sensitive customer data.
While the size of the problem may not be directly related to the skills shortage, it is exacerbating that shortage. Today, especially in Canada, there are more cybersecurity programs at more academic institutions than ever before. The number of programs has expanded dramatically in the last ten years, and it’s now possible to get an advanced degree in cybersecurity. But it’s still not enough. Yes, the talent pool is growing. Unfortunately, the problem is growing faster.
Cybersecurity work is interesting and dynamic. Because of the skills shortage, it certainly pays well. So why is there still a dire shortage of cybersecurity professionals? In a nutshell, for many individuals, the reasons to become a cyber criminal are more compelling than those for becoming a cybersecurity professional.
There are three main reasons to enter the talent pool. First, there are high paying jobs. Second, there are many jobs available. Third, the focus of economic activity is shifting from manufacturing to technology. Now, let’s consider the breach problem. It’s driven by rampant capitalization: financial capital, political capital, intellectual capital, and personal capital. For many people, these are much more powerful motivations than going to school with the goal of becoming a cybersecurity professional. The principal driver behind cyber crime is that it offers an opportunity that can be capitalized immediately, at low cost, and with a high degree of success. For an 18-year-old in India, university may not even be an option. Going onto the dark web and downloading a free ransomware toolkit is much more attractive, and it offers the chance to get paid within 24 hours.
Another important issue to consider is the prevalence of stolen or hacked operating systems. In many disenfranchised countries, a significant percentage of operating systems are not genuine installs. As such, they will not receive operating system updates. As a result, the size of the attack surface in these countries is growing even faster than it is elsewhere. Defenses against cyber attacks may be shored up regularly in North America and Europe, but the global botnet is constantly growing. This is also contributing to the growing data breach problem.
When you consider the size of the attack surface, its complexity, and the fact that it’s growing at an unprecedented rate, and you consider the various motivations for engaging in cyber crime, it’s easy to see that the shortage of cyber warriors is actually a very small factor. Here in Canada, we perceive that people with cyber skills have a choice. They can choose the dark path, or the light path. But that choice is a luxury, born of a stable, thriving economy. Many people in the developing world don’t have that choice. For them, the dark path is the only way forward. I would argue the problem of data breaches isn’t a cybersecurity or technology problem—it’s a socio-economic and geopolitical problem. The way things are trending, this problem is going to get worse before it gets any better.