What is the relation between growing security spending, increasing hacking attacks and falling economy?
Have you ever thought about how the global economy and geopolitics influence cybersecurity and cybercrime? Some people may think these are two completely different domains; however, they are strongly and permanently related.
An interesting example came up during our recent security awareness project at a large, Central European financial institution. The institution was concerned about a significant increase in hacking attempts that involved social engineering and spear phishing campaigns.
The security awareness training for all of the employees was validated with a social engineering attack against the same employees, to check whether they had learned any lessons. Only a few people from the board were aware of this test. The attack scenario was quite simple: a local lottery announced that the employee had won a big sum of money. The results were fairly typical for the European financial industry, apart from one curious outcome in the analytical report: 87% of newly-hired employees, including experienced seniors and even a member of the IT security team, clicked on the link in a phishing email. Among “old-school” employees, who had been hired a long time ago and had worked in the financial institution for many years, the click-rate was only 11%.
Infosec spending not keeping pace:
Let’s have a look at the numbers to get a clearer picture of what is actually going on. Gartner says that worldwide information security spending will reach $71.1 billion this year, almost 8% growth in comparison to last year, as “organizations become more threat-aware”. Meanwhile, the cost of global cybercrime is about $445 billion per year, a 33% growth according to McAfee. Common sense suggests that something is definitely wrong here: spending cannot keep increasing while, at the same time, our losses from cybercrime increase as well. Let’s try to understand what is going on from the economic point of view.
I regularly meet information security managers and CSOs from midsize to large companies. Among many of these companies, there has been a certain reduction in information security spending in comparison to previous years, especially on acquiring new solutions and products. Some respectable financial companies I know are even returning to paper for top secret documents. One of the largest NGOs in Geneva has recently re-introduced typewriters for their confidential documents, as they simply don’t trust digital storage anymore. Companies are losing trust in the information security industry, feeling it is incapable of protecting them. Why does this happen?
While the financial markets are falling, investors are looking for new financial instruments to make quick money. Risky bonds are becoming even riskier with the falling economy, and not many investors are ready to bear such risks. Where do they go? Well, many of them go to the cybersecurity market, as it’s a very hot topic today. The problem is that there are very few really innovative cybersecurity companies that invent conceptually new approaches to solve their customers’ real problems in the most efficient way.
Many cybersecurity start-ups consider that reinventing a security scanner with a different GUI, report format or pricing model is enough to compete. The problem is that we just don’t need one more vulnerability scanner – we already have enough. We need a new concept, a new innovative approach to security testing. And very few companies have visionaries capable of creating such concepts. Nevertheless, they manage to raise funds from desperate investors trying their luck in the cybersecurity marketplace.
Last, but not least – spending more on average per year doesn’t mean that people are buying new solutions and becoming “threat aware”. The increase is also driven by the growing number of devices (e.g. mobiles) for which companies start buying the same security software they already use on desktops, so that everything stays in sync. Sometimes cybersecurity spending is simply following the volume of corporate IT spending.
Let’s switch to cybercrime. Cisco estimates that there are a million unfilled security jobs worldwide. Meanwhile, the Internet XSS archive received over 20,000 submissions of vulnerable websites in its first year, including companies that run Bug Bounty programs such as LinkedIn, eBay or Amazon. Something is not quite right here either.
Are we sure that the problem we face is a lack of skills, and not in fact that there are too many barriers stopping talented young people from developing countries from applying their skills in developed countries? Smart graduates from developing countries can expect a very modest salary in their home countries, while emigration to developed countries is a difficult, expensive and time-consuming process. Should we expect these skilled people to sit idly by, respecting the letter of international law that prevents them from enjoying a much better standard of living?
Of course not – in many cases they have the technical skills and tools to earn considerable sums as Black Hats while evading detection. I am not talking about beginners who rely on simple evasion methods like Tor and open proxies, but about professional hacking teams that devote a significant part of their budgets to remaining anonymous. Even the Grey Market brings in huge money in comparison to what can be gained from the most generous Bug Bounty.
If society is unable or unwilling to provide these people with well-paid jobs protecting our infrastructures, we should expect to see them on the other side of the barricades soon, breaking into our corporate networks and generating more news about APTs.
Should we persist in trying to combat cybercrime with a technology-only approach, without taking into account the effects of economics and geopolitics, we will continue losing the most important battle of the 21st century.
Before rushing to a conclusion, I would like to highlight that the financial institution in question had never performed security training on such a large scale before. The internal conclusion was quick and straightforward: corporate culture had persistently encouraged financial prudence among all employees, and the long-serving employees, who were used to this culture and had embraced it wholeheartedly, had become more careful in general than their newer colleagues.
Almost all newly hired employees, regardless of their position, skills, seniority and experience, were paid much less than their colleagues hired years ago with generous salaries, when our society was not yet aware of Grexit, Brexit or PIGS. Obviously, the newer, money-hungry employees were more likely to fall victim to this sort of phishing, as they dreamed of paying off the house mortgage or the car lease. The newer employees wanted to believe that this phishing email was genuinely a lottery win, and no security training can change the fundamental psychology and economic needs of people. Think about it; I’m sure you’ll find many similar cases in your daily infosec practice.