Cybersecurity companies play up hackers' abilities to help them sell security services - expert comments
10 February 2017
In a speech, Dr Ian Levy, technical director of the UK's National Cyber Security Centre, claims that cybersecurity companies play up hackers' abilities to help them sell security hardware and services.
Commenting on this, David Gibson, VP of strategy and market development at Varonis, said “Levy is absolutely right; cybercriminals are not masterminds at all. With 100,000 ransomware attacks per day, it’s clear you don’t need to be a mastermind to do damage. While nation-state attacks are scary, the reality is that companies are woefully unprepared to deal with unsophisticated attacks by any script-kiddie who knows how to browse a network share.
He’s not wrong to criticise the cybersecurity industry, because many take a reactive approach to the latest headline threats such as nation-state attackers. Don’t get caught up in the sophisticated hacker and reacting with an expense-in-depth approach—stockpiling the latest security technologies as mentioned in this recent Forrester study. The reality is that most attacks aren’t sophisticated and could be thwarted or mitigated by companies taking a thoughtful approach to data security—what content do I need to protect, who can access it, who is using it and is that normal behaviour. Trust has always been the bedrock of any relationship and that doesn’t change with cybersecurity.”
Stephen Gates, chief research intelligence analyst at NSFOCUS, added “Anyone with little, if any, cybersecurity knowledge could easily read the news and quickly realise that hackers are gaining ground at tremendous rates. In this past year alone, the world witnessed the largest breaches of personal information ever recorded, billions of dollars in cyber-induced financial losses, the largest DDoS attacks ever recorded, ransomware infections impacting nearly every entity on the Internet, extortion demands growing at exponential rates, massive botnets of IoT devices impacting the globe, country-wide ISP outages, and the list goes on and on. Security companies don’t need to exaggerate the problem. Wake up world, it’s all around us, and nearly everyone has been impacted by hackers in some fashion or another.”
Paul Calatayud, CTO at FireMon, said “Dr. Levy focuses on the wrong issue by debating the level of sophistication vendors portray when defining the threat landscape. We live in an era defined by ‘when’ organisations will get breached, not ‘if’ or ‘why.’ In other words, whether these attacks are from highly skilled attackers or not, the simple fact of data breach statistics demonstrates there is a high rate of success from this population. Thus, the concerns of breach and cyber defence strategies to defend it do, in fact, hold a very important level of attention in many organisations. This transcends technology, but technology cannot be avoided. As an example, antivirus in its traditional state is a technology that by the assertion from the AV vendors themselves blocks 40% of malware. Is the attacker sophisticated or not in order to bypass antivirus? As a prior CISO, I don't care, what I know is it’s possible, it’s happening, and I need to be aware so that I don't have a false sense of security in terms of my current technologies.”
Mark James, IT Security Specialist at ESET, concluded “We should not in any way underestimate cyber criminals. With so much of our infrastructure running on technology these days we have to treat this type of threat with respect. As more and more of our world becomes connected and capable of sharing, storing and archiving data we should treat security as our number 1 priority. Explaining the problems, threat landscape and measures needed to protect against an evolving “living” threat is not an easy task; too little and people don’t understand they are at risk, too much and people think you’re scaremongering. Finding the right approach to help someone stay safe against a threat that may or may not happen is not easy and underestimating cyber criminals is not the way to do it.”