Why You Need to Take Cybersecurity Seriously in the New Year

Author: Scott C. Algeier
Date Published: 2 December 2020

Today’s cyberthreats are more complex and severe than ever. The risk to organizations of all sizes has never been greater. As we begin 2021, it is important to reflect on the state of cyberthreats so that organizations can better secure themselves.

Today’s threat landscape is shaped, in part, by a number of important factors.

The Economics of Cybersecurity

The economics of cybersecurity favor the attackers. The amount of time and money it takes attackers to hack a network is vastly less than what it takes to defend a network. It is estimated that the private sector alone spent more than US$103 billion on cybersecurity in 2019.1 In contrast, according to Top10VPN, it costs a cybercriminal just under US$1,200 to compromise a person’s entire online identity.2

Additionally, most attackers do not face consequences for their actions. Despite the best attempts of law enforcement, identifying, charging, and prosecuting attackers is difficult.

Malicious Cyberactors Are Becoming More Skilled

In the same way that a carpenter shares tips with coworkers at the jobsite, cybercriminals and other threat actors share their skill sets and tools, and work in teams. There is an entire underground economy in which attackers sell their services or tools to willing buyers.

One of the greatest challenges this presents is that capabilities that were once possessed only by state actors are now available to non-state actors. According to a 2019 report released by the US Department of Homeland Security’s Public Private Analytic Exchange Program, the tools made available to nation-states and non-state actors are enabling espionage and surveillance capabilities that have never been seen before.3 Attackers are using these nation-state tools to attack private enterprises.

COVID-19 Caused a Mass Transition to Remote Work

Cybersecurity professionals are grappling with new security challenges imposed by the COVID-19 pandemic. To ensure business continuity, organizations were forced to implement and deploy new technologies with limited planning and end user training. This poses obvious risk.

In addition, the rapid, unplanned migration to work-from-home environments vastly expanded attack surfaces. The pandemic pushed employees from enterprise networks to less secure home networks. Employees’ home devices—including personal devices, school computers and home routers—are now potential gateways into enterprise networks.

Every Business Is at Risk

Many organizations have become complacent, believing that they do not possess any information that would be of interest to an attacker. This is merely a false sense of security. While some attacks are targeted at specific organizations, many are random, wherein the attacker recycles tactics that are known to work with the goal of finding new victims. Being a victim of such attacks can be a death knell for an organization. It is reported that 60% of small businesses that suffer a cyberattack go out of business within 6 months.4 Even those that manage to recover face significant financial challenges. In 2019, Security Intelligence reported the average cost of a data breach to be US$3.92 million.5

For those who are still looking for a New Year’s Resolution, here is a suggestion: Approach cyberrisk as if it is an existential threat to your organization.

Endnotes

1 Dignan, L.; “Global Security Spending to Top $103 Billion in 2019, Says IDC,” ZDNet, 20 March 2019
2 Migliano, S.; “Dark Web Market Price Index (US Edition),” Top10VPN, 28 February 2018
3 US Department of Homeland Security’s Public Private Analytic Exchange Program, “Geopolitical Impact on Cyber Threats From Nation-State Actors,” USA, 2019
4 Johnson, R., III; “60 Percent of Small Businesses Close Within 6 Months of Being Hacked,” Cybersecurity Ventures, 2 January 2019
5 Ponemon, L.; “What’s New in the 2019 Cost of a Data Breach Report,” Security Intelligence, 23 July 2019

Scott Algeier

Is the executive director of the Information Technology–Information Sharing and Analysis Center (IT-ISAC). Algeier facilitates cyberthreat information sharing among leading technology companies and partners. He also oversees the daily management of the organization, including implementing enhanced information sharing and analysis processes and capabilities.