Allow me to introduce myself. I am the chief financial officer for a high-end cybersecurity company. At the risk of understatement, I can tell you that business is booming. Every year the number of cyberattacks keeps going up, and 2021 was the highest yet. That upward trend is likely to continue well into the future. But why? Is it because, as a nation, we’ve become more relaxed about security? Are the technologies we use less secure than before? Or are cybercriminals getting smarter?
As far as the technologies are concerned, I think they are getting better. It’s just that they’re not improving as fast as the bad guys are at finding new ways of undermining them. That’s not entirely due to greater brainpower on the part of cybercriminals. In fact, some of the most insidious attacks use technology developed by, and stolen from, the NSA, and then made available on the dark web to buyers who don’t have the time or technical savvy to create hacks of their own. Want Ransomware-as-a-Service? No problem. Although we’re getting pretty good at nailing down the front doors to our systems, hackers are getting in through open windows, side entrances, Trojan horses, supply chains and customers.
That leaves the question of whether, as business leaders and private citizens, we’re just getting sloppy, or bored, or suffering from security fatigue. While elements of each of those are probably at work, I think there’s more to it, and two factors stand out. One is that people are still being tricked into surrendering network access. The other is that we’ve grown complacent about sharing personal information, indifferent about being under constant camera surveillance and oblivious to the contents of lengthy forms that use opaque legal language to describe how our data will be used. We accept that consenting to data collection simply comes with the territory of web-based businesses.
Some of it is a relic of 10 or 15 years ago, when people seemed to be a lot more comfortable about sharing the types of personal information—birth dates, high schools, places of birth and so on—which eventually became the answers to their security questions. And most of that information was poorly guarded. Now, with greater public awareness of potential abuses, at least some people would like to retract what they shared in the past. But it’s hard, and maybe impossible, to corral that information and take it back, because that sort of data is on-prem, in the cloud, on all sorts of backup devices and typically in multiple places at the same time.
Historically, Americans have been fairly open about sharing information. That’s an important piece of our heritage. Secrecy, suspicion and distrust are not the key ingredients of our national DNA. Indeed, you could argue that our openness has been fertile ground for innovation, collaboration and progress. So, relinquishing that legacy and trying, as they have in Europe, to impose a regimen of deleting any information about someone at their request would be extremely difficult, maybe even impossible, here. The sheer mass of data and the number of systems around are overwhelming.
At the same time, looking forward, I think we will continue to improve our defense capabilities around those systems. And I think we will change how we capture information and the types of information we capture. For example, technological advancements like blockchain, which is touted as being “hack proof,” offer the opportunity for transactions to be completed without anything bad happening to them. And there are other promising approaches to improving security as well. But while there will always be advances in technology, the bigger question is whether the systems built on them can be kept from being violated. It appears there’s always a backdoor entrance into digital systems, and sooner or later, someone will find it.
In the meantime, companies are spending more on security and becoming more sophisticated about where to spend it. After all, not all assets are created equal. There are some apps and websites that a company doesn’t need to focus on as much as others. An online public relations presence, for example, might be hacked and end up embarrassing the company. But it’s not as important to defend that as the company’s crown jewels: its revenue-generating applications.
So, while your public relations site might use an automated service that’s simply good enough, your essential business functions need a higher, and likely more expensive, type of defensive perimeter. At the same time, companies are rethinking in which phases of their application development they need to invest in security. Is it the front-end development process? The production phase? The administrative back-end? Somewhere else? It depends.
Several years ago, a colleague of mine, Joseph Feiman, said that it’s a fool’s errand to try protecting personal data. The better way to protect it, he said, is simply not to have it. You don’t have to worry about something if it’s not out there. If you haven’t captured data, you don’t have to protect it. I think he was right. Because if we have a smaller target, we’re in a better position to defend it. And if we have no target at all, there’s nothing we need to defend. But can you pull that off in every case? Can you do a transaction without capturing some level of information that’s going to be personal and proprietary?
It won’t be easy. But safeguarding applications, and the data that fuels them, is possible. The question is, will companies allocate resources to the proper tools before it’s too late, and the inevitable breach hits their doorstep, or that of a trusted partner or customer?