Monthly Archives: April 2018

Security megatrends — more powerful attacks, more stressed infosec executives

Larry Ponemon

A major deterrent to achieving a strong security posture is the inability of IT professionals to know the big changes, or megatrends, in security threats that they need to be prepared for. Too many companies are so overwhelmed by the daily attacks coming fast and furious that they cannot think long-term or understand what investments they should be making in people, process and technologies to prevent a catastrophic data breach or cyber attack.

The 2018 Study on Global Megatrends in Cybersecurity was conducted by Ponemon Institute and sponsored by Raytheon to help CISOs throughout the globe prepare for the future threat landscape that will be characterized by an increase in cyber extortion or ransomware attacks and data breaches caused by unsecured IoT devices. Here is the link to download the full report: 

Here is a brief summary:

Around the world, cyberattacks on businesses are getting more powerful and harder to stop. Corporate boards aren’t being briefed on cybersecurity, and executives don’t see it as a strategic priority. Meanwhile, information security officers will become more important – and more stressed out.

Those are among the findings of the 2018 Study on Global Megatrends in Cybersecurity, a survey sponsored by Raytheon and conducted by the Ponemon Institute. The survey, conducted in late 2017, looks at commercial cybersecurity through the eyes of those who work on its front lines. More than 1,100 senior information technology practitioners from the United States, Europe, and the Middle East/North Africa region weighed in on the state of the industry today, and where it’s going over the next few years.

Among their insights:

The Internet of Things is an open door: 82% of respondents predict unsecured IoT devices will likely cause a data breach in their organization. 80% say such a breach could be catastrophic.

More ransomware on the way: 67% believe cyber extortion, such as ransomware, will increase in frequency and payout.

Cyber warfare growing likelier: 60% predicted attacks by nation-state actors against government and commercial companies will worsen and could lead to a cyber war. 51% of respondents say cyber warfare will be a high risk in the next three years, compared to 22% who feel that way today. Similarly, 71% say the risk of breaches involving high-value information will be very high, compared to 43% who believe that risk is high today.

Confidence is slipping: Less than half of IT security practitioners surveyed believe they can protect their organizations from cyber threats. That’s down from 59% three years ago.

For execs, cybersecurity is taking a back seat: Only 36% of respondents say their senior leadership sees cybersecurity as a strategic priority, meaning less investment in technology and personnel.

Corporate boards aren’t engaged: 68% of respondents say their boards of directors are not being briefed on what their organizations are doing to prevent or mitigate the consequences of a cyber attack.

IT professionals are feeling pessimistic about progress: 54% believe their organization’s cybersecurity posture will either stay the same or decline. 58% believe staffing problems will worsen, and 46% predict artificial intelligence will not reduce the need for experts in cybersecurity.

CISOs’ stress levels will rise: When asked to rate their level of stress today and three years from now on a scale from 1 = low stress to 10 = high stress, respondents’ stress rating is expected to rise to a new high of 8.08.

Direct effect on shareholder value: 66% believe data breaches or cybersecurity exploits will seriously diminish their organization’s shareholder value.

The true story behind history’s biggest hack: A podcast

Bob Sullivan

You probably had a Yahoo account. And you probably know that account was hacked. After all, the firm admitted about a year ago that 1 billion accounts had been compromised. Check that…it was actually 3 billion. Every Yahoo account created since, essentially, the dawn of the Internet.  What you probably don’t know is that’s the least bad thing that happened during the Yahoo “hack.”

You might not know that U.S. authorities are convinced that a group of Russian-backed hackers, including two FSB (KGB) agents, probably hacked Yahoo, and you. And I feel pretty certain you don’t know that this group of Russians did much more than the usual snatch-and-grab passwords thing. They lurked inside Yahoo’s systems for more than two years. They had full access to Yahoo’s account management tool. Critically, they could read user emails. For years. Maybe they read yours. At first, they targeted very specific individuals — Russian journalists, U.S. government officials; also employees at a French transportation company, a Swiss bitcoin wallet firm, a U.S. airline, and many more.

Then, they started scanning millions of user emails.  Last year, investigators revealed that the group was clever enough to “mint” cookies, giving them access to 32 million Yahoo email accounts, and users’ most intimate life details.

Yahoo was the biggest hack in history — both in depth, and in breadth.

Four months ago, I was contacted by the folks at Spoke Media who came to me with an already-assembled team of brilliant producers and asked if I wanted to help them try to make sense of all this. I jumped at the chance, and I’ve spent most of my time since learning everything I could about this hack. The result is a five-episode podcast which we just released.

It’s a very different kind of storytelling than I’m used to, and you’re used to. You get to come along for the ride. We admit what we don’t know. We show our work – as journalists, I think this is critical in our time. Experts get to talk, not for moments, but minutes. Even longer.

As you and I try to make sense out of what’s going on at Facebook, in the election, in the era of fake news, I hope we are making a serious contribution to this discussion.

I’m very proud of the project, which has implications far beyond the seemingly innocuous hack of your 10-year-old, dormant Yahoo email account.

You can sample episode 4 by clicking play below, or visit the iTunes page and subscribe to the podcast.