SAN FRANCISCO — Digital risks confronting organizations remain the same year after year, and the threats and potential damage awaiting unsuspecting victims are abundantly clear. Yet many organizations still struggle to address the fundamentals required to take cybersecurity seriously.
For the things that do go wrong, there’s a good chance the initial point of intrusion or attack will sound like a broken record to longtime RSA Conference attendees. Phishing, unpatched vulnerabilities and generally lackadaisical processes come up time and again.
To shake the industry into action, a cataclysmic event may be required.
“Maybe we need another Snowden moment,” Chester Wisniewski, field CTO of applied research at Sophos, told Cybersecurity Dive last week at the annual industry gathering.
When Edward Snowden, a former intelligence contractor and whistleblower, leaked highly classified information from the National Security Agency in 2013, it created a revelatory moment in technology.
“Suddenly we went, ‘oh, geez we kind of have to encrypt the internet.’ And look, it took us 10 years but the whole internet’s encrypted now,” Wisniewski said.
Many cybersecurity experts, Wisniewski included, had been urging the industry to encrypt all internet traffic for two decades. The repeated warnings finally reached a rallying point after Snowden’s revelations hit.
Persistent prodding from the threat intelligence community is making an impact. More organizations have been roused into taking security more seriously.
“Here we are in 2023, find a website that’s not encrypted. You can’t find one, but it took a Snowden moment to get everybody to go and do it,” Wisniewski said.
Repetition will spur action … eventually
Fear is a powerful motivator, but repetition — such as threat intelligence from researchers and analysts about supply chain attacks, exploited vulnerabilities and ransomware — might be what’s required to push more organizations into action.
“There’s a lot of gamblers out there,” said John Shier, field CTO of commercial at Sophos.
Repetition plays an important role for cybersecurity professionals, precisely because it can eventually hammer the preventable dangers home for the business leaders who most need to hear the message.
John Dwyer has watched best practices go unfollowed his entire 15-year career.
“Over extension of privileges, over extension of connectivity and over extension of access has been prevalent for a long time,” Dwyer, the head of research at IBM Security X-Force, told Cybersecurity Dive.
“Since I started in my career, people have been saying take away local administrative rights,” and it’s still a common problem today, Dwyer said.
Despite the recurrence of long-ignored threats, Dwyer said he’s seen a change during the last five years, marked by more organizations willing to invest in security and apply best practices.
“On the outside, it may seem like no one's actually taking any of this stuff to heart,” Dwyer said. “People have been talking about the same thing forever, and you’ve had the same kind of vendors saying the same thing. What changed is that the threat landscape changed so that every organization on the planet is now actually targeted, more or less.”
More organizations are assessing ways to reduce risk through security controls, better architecture and zero-trust models that limit privilege and access, but securing the investment needed to achieve those goals remains a hurdle for some companies, according to Dwyer.
Same old problems beats the alternative
Hearing about and sharing the same threats year after year might be tiring on some level for cybersecurity professionals, but for organizations under attack it’s probably better than the alternative.
Because these threats are well known, companies can patch vulnerabilities in hardware or software before a threat actor exploits them, closely monitor their supply chains and limit the impact of phishing attacks.
“Phishing is still king, and how long have we been talking about phishing?” Dwyer said.
“Just because someone gets phished doesn't necessarily mean that your organization is going to burn to the ground. There's a whole bunch of stuff that happens in between that,” Dwyer said. “I think we just need to move to assume you're going to get phished, assume that you're going to get exploited. You still have a lot of opportunities to prevent a crisis, even if that happens.”
Much like the long slog the industry endured before encryption became standard and universally adopted, strengthened defense practices and infrastructure might percolate through businesses from the top down, starting with the largest companies and reaching smaller ones later.
“Early on,” Wisniewski said, “it was just the richest, biggest companies that understood the problem.”