Chief Executive Officer at Active Cypher.
Cybercriminals and digital environments have completely changed, but most businesses haven’t evolved their cybersecurity approach along with the changing landscape. Instead, they’ve been busy perfecting the art of fighting the last war just in time for the new one.
So why is cybersecurity in a seemingly endless crisis? That’s easy. We aren’t adapting to the changing environment, and the bad guys are winning. As a result, cybercrime statistics are through the roof, and security professionals are burned out. In fact, cybersecurity professionals are leaving the industry because they’re frustrated by this disconnected approach, and cybercriminals are thrilled. The digital security architecture must instead evolve with the environment.
Cybercriminals transformed from pranksters to mobsters.
Hackers have changed radically since the inception of the internet. They were once a gritty subculture of self-styled “hipster pranksters” armed with a social cause and questionable ethics. Incidents often focused on “sticking it to the man” through increasingly audacious digital criminal acts that showcased their technical skills.
The internet has become a utility in business infrastructure in a dizzyingly short time. It only went mainstream in business in the late 1990s when it became our primary communication and transaction medium. By the early to mid-2000s, online commercial and personal information exchange were ubiquitous. What once required face-to-face transactions now became simple and anonymous.
It’s now easier than ever to steal identity information, open bank accounts, create counterfeit credit cards, transfer money, apply for loans and even file fraudulent tax returns—easy money with almost complete anonymity.
Synthetic identity fraud alone generates $6 trillion per year in revenue and is projected to reach up to $20 trillion by 2025, according to FiVerity’s 2021 Synthetic Identity Fraud Report.
Synthetic identity fraud is a scenario in which criminals combine real and fabricated information, such as names, addresses and birth dates, creating fake identities. Between 2008 and 2010, cybercrime evolved into well-funded, professionalized and highly technical organizations. Many criminals now enjoy the equivalent compensation of a corporate 9-5 job with benefits and bonuses.
Digital transformation also transformed the attack surface.
Networking architectures were initially created with a “castle mentality.” Data and digital tools were centralized in headquarters and accessed by branches. Internet bandwidth was expensive, but most access was routed through the central headquarters. Efficiencies evolved to allow intelligent traffic routing and distributed database applications. Still, the industry was able to provide network protection through strengthened perimeters, scanning files and device log analysis. Firewalls and virus scans have proven to be questionably successful, and the log analysis is time-consuming, requiring deep specialized knowledge.
Decentralized computing and outsourced infrastructure provide massive cost savings. Businesses had planned for “digital transformation” leveraging cloud computing using infrastructure as a service (IaaS), software as a service (SaaS) and networking as a service (NaaS) at a fraction of the cost of maintaining central data centers.
Many companies once spent 4 to 6 years carefully charting their migration to this new architecture. When Covid-19 hit in 2020, plans collapsed to 4 to 6 months as companies rushed to provide remote access to quarantined workers.
As companies’ allowance for remote work increased following the pandemic, the infrastructure came to resemble peer-to-peer networking. SaaS tools and cloud repositories are integrated into a virtual architecture, enabling workers to access services directly rather than channel all traffic through corporate HQ. Networks finally transcended the perimeter, but the new architectures struggle to protect against modern criminals.
Cybersecurity has shifted to identity and data protection.
Once networks matured beyond the perimeter, it became difficult to protect them with traditional packet filtering (firewalls) and device log monitoring. As a result, the idea of leveraging a trusted third party became popular, with companies outsourcing data protection and security monitoring. Unfortunately, as high-profile breaches in these third parties revealed the limitations of this strategy, liability was re-established when the FTC started fining data owners rather than their trusted third parties for violations.
The legacy focus on perimeter security and internal monitoring was counter to transformed networks. In the absence of an actual perimeter, companies need hardened internal controls for identity, privilege and data protection. Internal controls must validate that the users are who they claim they are, that they have access to the right assets and that data is secure regardless of where it’s stored or sent.
Many companies already have most of the tools required for their transformed environments in the form of Identity and Access Management (IAM), Privileged Access Management (PAM) systems and multifactor authentication. It’s now mostly a matter of ensuring security policies protect business assets and that people have access to the correct information to perform their jobs successfully. In addition, network segmentation and process controls isolate risk, and encryption protects high-risk, high-value data.
Since most data storage is now in public cloud tenants, many are opting to enable the data to protect itself. Data encryption was once too complex and difficult to use for many users. But as technology has advanced, file-level encryption can now be dynamically privilege-driven. This approach removes human error—without inconveniencing end-users. As a disclosure, my company Active Cypher is one provider of such solutions.
Make it safe—and easy.
Legacy security strengthens the network perimeter and monitors to see if something bad happens. Data encryption solutions allow companies to focus on data protection and continuous identity validation as a foundation. It won’t matter where a criminal strikes if they can be identified confidently, and data encryption better enables such detection.
With these changes, security monitoring shifts from a matter of observing everything across a massive network to one of user and entity behavior, allowing for fewer false positive alerts.
As cybercriminals have professionalized, digital crime is now a big business. Digital transformations have changed how we work, but legacy security architectures based on the old “castle walls” mentality are ineffective. Changing the focus from perimeter security and internal monitoring to strengthening the interior network elements, such as data and identity, can help companies get an advantage over the massively resourced cybercriminal industry by creating a proactive risk posture. In hardening your internal identity and data protection, your company can turn the tide.