Following the Money: Why Cybersecurity Companies Aren't Interested in Getting Stronger

by GUARDDOG AI, Inc., April 6th, 2023

Too Long; Didn't Read

Cybercrime caused $6 trillion in damages in 2022, with over 33 billion accounts breached. Why do hackers persist? Because it is easy and financially rewarding, especially when they can change tactics fast enough to get in through IoT devices at the edge of the network that are not protected by device management or a VPN.

Why Doesn't Cybersecurity Get Stronger? Here's a Clue: Follow the Money


To understand the headlines, and what they mean for our future, let's follow the money. A look at the economics of hacking, and at what it takes to get into the hacking business, explains why bad actors are compelled to hack. In 2022, cybercrime caused $6 trillion in damages, with over 33 billion accounts breached.


Hacking is easy. And cheap!


So, what does it take to become a hacker? Little more than a keyboard and a processor (about $200) and a bit of programming skill. Next, craft deceptive emails or connection requests and blast them across the internet in search of people who will unwittingly hand over identifying or financial information, click the link, or accept the request. Then it's game on: run the exploits, extract the money, or make the ransom demand.


Why do hackers persist? Because it is easy and financially rewarding, especially when they can change tactics fast enough to get in through IoT devices at the edge of the network that are not protected by device management or a VPN. If we "follow the money" by looking at the financial incentives, we get a clear view of where the bad guys are likely to go next.


Unfortunately, however, the same line of logic applies to cybersecurity providers as well.

The same pattern shows up in incidents such as the SolarWinds attack, the Target breach through an IoT device, and the JPMorgan Chase breach through a work-from-home employee. The Pipeline case, at least, illustrates it clearly.

Where’s the incentive?


As a (big) case in point, consider the ransomware attack in the Colonial Pipeline breach. A large cybersecurity vendor had been paid under a multi-year, multimillion-dollar contract to protect the Pipeline from security breaches. When that protection failed, Colonial suffered six days of downtime, at a cost that is hard to measure, and paid a 75 Bitcoin ransom, worth between $4.4 and $5 million at the time, to a Russia-linked cybercriminal group called DarkSide, which opened the way for remediation to begin and for fuel to flow again.


The situation was severe enough to raise U.S. gas prices for a time, and Colonial's required disclosure of the breach served to embolden other cybercriminals. As a small silver lining, a U.S. Justice Department task force recovered roughly half of the ransom (about $2.3 million), probably because a careless criminal shared the private key for the Bitcoin wallet in emails the FBI was able to seize.


But here is another interesting travesty: the very vendor paid to protect an operation such as the Pipeline from attack is also the vendor paid to remediate the situation when that protection fails, at a price substantially higher still.


Let’s do the math.


Set aside the costs of cybersecurity insurance and cybersecurity protection, which are passed on to investors and consumers as higher prices and lower returns, and the cost of the Justice Department task force, which is funded by taxes: the aftermath of a disaster this size hits us all. Worse still, a cybersecurity company that was paid some $4 million to protect against such a failure may now be paid $10 million to remediate the damage, while the organization (or at least its insurer) has also paid the unrecovered half of the ransom, which is now lost.


It doesn't take a math or economics degree to see that, in a case like this, the remediation side of the cybersecurity business may earn more than the criminals themselves, billing for the giant cleanup of a failure its own solution did not prevent.


While it is extremely doubtful that the vendor would deliberately, or even carelessly, fail, it seems clear enough that the incentives are running in the wrong direction.


As an industry we need to follow the money: build solutions that leave criminals less financial motivation to steal, and give security companies more financial motivation to deliver protection that succeeds, rather than an even higher payday from remediating the failure of their own systems. Solutions need to become more proactive and pre-emptive, through better use of AI and better protection of the "edge," where devices live and where network management solutions cannot see.


Even if your small business or personal accounts present a much smaller target than an enterprise, the verdict is clear: think like a criminal, follow the money, and build the level of security resilience that is poised to succeed.

