“Chief Hacking Officer: Yevi, where are you at with London bank hack?”
“Yevi, I think we are okay; we should have something by Friday.”
“Chief Hacking Officer: What? You committed that hack two weeks ago!”
“Yevi, yea, well, I hope it will be okay. Security kinda tough get inside.”
“Chief Hacking Officer: When you should have never committed this hack.”
Dr. Yaniv Harel, SVP of Cyber Defense at Sygnia, was speaking at a conference on the future of cyber and fintech in Israel:
“We recognize an increase in the focus and effectiveness of attacks. Hackers today work in shifts and act as a business organization for all intents and purposes to bring ROI on their effort,” said Dr. Yaniv Harel, SVP Cyber Defense at Signia, speaking at a conference on the future of cyber and fintech in Israel.
Have global firms ever looked at the monthly losses cybercriminals and hackers endure? Did Gartner or Forrester consider doing an ROI or ROA from the cyber criminal’s perspective?
Our industry may be asking the wrong question. We should not be focused so much on the organization’s Return on investment or Return on asset around security spending; we should consider for a moment that with every significant security awareness training, every adaptive control, and every security policy only makes the task “of being hacked” even more expensive for the cybercriminals.
Corporations worldwide, profit and non-profit all report to some form of a financial system. Each system reports monthly revenues, donations, expenses, and capital purchases. When a business brings in less income by lowering its costs, then tends to take a loss. In some months, when they bring in more revenue than expenses, they walk away with a profit. Some organizations will reinvest their profits in capital purchases to increase their revenue and profit margins. I wonder if hackers live by the same financial model? Do these groups invest in cybersecurity by acquiring tools and talent similar to global organizations? Yes. Many of these tools and skills can be found on the darknet.
According to the IBM Cost Per Breach Report for 2019, the average total data breach cost increased from $3.86M in 2018 to $4.24M in 2019. Organizations with a more mature security posture tended to have lower fees and better risk management than those without. No single investment in cybersecurity will prevent all cyber attacks or reduce the volume of a cyber incidents. The spending on cybersecurity tools, security staff, upgrade of the security operations center, and security awareness training is an aggregation of efforts to reduce the organization’s overall risk posture. The scaling of the cybersecurity landscape and organizations’ digital transformation projects drove the need for more significant cybersecurity investment priorities.
Ransomware attacks, phishing attacks, and business email compromises continue to impact organizations more frequently than a year ago. Budget for cybersecurity and off-budget cybersecurity spending affect organizations’ profits. With the continuous change in the cyber threat landscape, chief information officers will attempt to increase their cyber spending with several lines of defense within the environment to minimize the damage caused by breaches.
I had the displeasure of meeting a global hacker during a trip to Taiwan in 2016. During my stay at the Taipei Marriott, I noticed a young person sitting in the executive lounge on the rooftop. How he got there, I have no idea. While working, I kept hearing a clicking sound coming from this guy’s direction. Finally, I got up to get some more coffee and made a straight line to this table. He was taking pictures of my computer screen. He seemed very calm as I walked up to him. “Hey, if you want a better one, you may want to come and sit in my chair.” The kid didn’t blink an eye. I just smiled and headed back to my seat. Moments later, the kid sat down at my table overlooking Taipei.
“May I take a picture of your laptop?” asked the kid. Smiling, I said,” sure, let me close everything first.” Looking defeated, the kid looked down at his feet in disarray.
“Look, you wanted to see something on my laptop; what is it exactly? Are you looking for?” I asked. After several moments, the kid finally answered. “I was sent here to steal information from foreign computers.” I nodded with no great surprise. “I need money, and I have nothing. Someone told me they will pay me if I can bring pictures off a foreign business person’s computer.”
I opened my laptop and let the kid take a few pictures. I even told him my password was “admin123.” He, of course, wrote it down.
The kid looked at me, “I don’t have a life; this is all I have.” He proceeded to tell how this hacker outfit worked.
“I have a territory given to me by my boss. I have west and south Taipei technology park. I go into businesses looking like delivery drivers and food delivery runners. Those guards let me by because they think I am only there to bring food and flowers. Each week, I must commit to stealing a much information and credit cards. My boss holds a weekly meeting with everyone on the team. He has reported to someone in Shanghai the total money from everyone’s hacking for the week.”
By now, my head began to spin backward, thinking I was back in a regional sales forecast call at Cisco System.
Many of the businesses are hard to break into. My boss gives us a few dollars for weekly food and rent. If we don’t make money from hacking and stealing, our boss and his boss lose money!” I gave the kid a rugged look, “we have bosses, quotas, and rent to pay.”
After this young man walked away, I began to think about how can security professionals turn the tide on hackers.
Thinking about the moment in front of a client CFO, “what is the ROI here if I buy your security product?” I realized that our industry is looking at security spending incorrectly.
Yes, denial of service attacks, high-profile incidents like account takeover, and other cybersecurity issues will happen. Organizations must deal with the lack of global talent shortage for their cybersecurity teams. Security breaches cause foreseeable financial damage to the organization. In many cases, more significant than the amount spent on combined network security, cloud security, and artificial intelligence. The chief information security officer has multiple responsibilities to the organization, including security protection of all corporate assets and resources. The CISO also sets the direction security standards, which cybersecurity functions the organization will deploy, and align to all business priorities. Having a deal with all kinds of risks, including zero-day attacks, network security equipment failures, and ongoing cybersecurity threats coming from criminals all over the world, the CISO has to place these security investments in places that will have the most impact on the organization. Not every threat or possible cyber event can be protected. The CISO relied on security intelligence from 3rd-party resources and security organizations for some insight into the threats and severity level. The security office also analyzes the cost of cybercrime to the organization as a benchmark for investment and strategy.
Let any other business or global organization, I am sure, hackers have payroll, expenses, and revenue expectations. If, for a moment, they decide to hack into a bank looking to steal credit cards or wire transfers. If the bank recently invested in additional training and technology, along with a managed 24×7 service, will that make the task of being hacked more expensive for the cybercriminal? What happens to their ROI if the cyber attack is not successful? How much capital outlay did the hacker bosses have to payout for this hack event?
Every dollar spent on cybersecurity makes the task of your organization getting breached more complex and more expensive for the cybercriminals to execute their plan.
During their “due diligence,” as their cyber hacking teams perform their reconnaissance, they determine that getting in will be more challenging and time-consuming. Along with heightened awareness of getting caught, they will consider moving on to a lesser target. That alone could explain to the CFO and CEO why cybersecurity continues to be a high priority in the organization.
Until next time,