
Carbon Black’s UK Threat Report is grim news for those protecting data

Attacks are widespread and the criminals are outwitting a lot of customers, which worries Nick Booth

I tell you where the money is: cybercrime. They make a fortune.

One trillion dollars a year are being invested by cybercrime gangs in tools, training and channels, according to Carbon Black. By contrast, only a tenth of that amount is being spent on defending law-abiding companies against malware, hacking, denial of service and all the other methods of exploitation.

Almost every company in Britain has been breached: 92% of Carbon Black’s survey sample.

The criminals seem to have a very well organised supply chain, judging by the testimony of Tom Kellerman, Carbon Black’s chief cybersecurity officer. By contrast, their law-abiding victims are not a tight unit at all.

“There is not enough sharing of intelligence over what happens when an attack has been mounted,” says Kellerman. The problem is that lawyers and compliance people get involved, and the company is more worried about its public reputation than about helping its peers. Which is pretty disgraceful really. How much damage is done to our economy by this greed? Surely there is a gap in the market there for a trusted, discreet intelligence service through which security experts could help each other and nip criminal activity in the bud.

By contrast, the criminals have a vibrant, creative ‘geekosystem’ full of collaborating criminals who want to think outside the jail. This, says the Carbon Black report, is why the criminals are becoming more sophisticated, using moves like lateral movement, counter incident response and island hopping.

Hacking can be a great way of getting into cyber security, according to Joan Pepin, CISO of security firm Auth0. Twenty years ago, Pepin’s mischievous nature drew her to mix with the Boston-area hackers who were put off by the corporate culture of the IT industry around the turn of the century. This highlights another problem with the security industry that nobody talks about. Many of the ‘security experts’ are such boring, self-important, unhelpful control freaks that anyone with any spark or creativity would have nothing to do with them.

“There is too much mystique around security and the attitude of certain practitioners is off-putting,” says Pepin. “There is an elitist culture and this creates a high barrier to entry that puts people off.”

Pepin’s mission is to attract more women into the security industry. The industry desperately needs more diverse brains from a wider talent pool, because there are 300,000 jobs in OpenSec at the moment, but only 80,000 of them are actually taken. Explaining the importance of security to the people who matter is a massive challenge at the moment. That’s another perennial problem, says Pepin. Security people have to step up as leaders. But do chief information security officers have the charisma to carry the board with them?

There seem to be far more opportunities in crime. The Internet of Things industry will be another bonanza. It is going to be so much easier to be disruptive in a fast-moving industry where everyone is too rushed to pay much attention to detail.

There was definitely too much detail for me in the excerpt from the Ponemon Institute’s Global PKI Trends Survey. There might have been some good stuff, but it was obscured by all the fancy graphics, distractograms and confusa-dazzlers.

The IoT is already providing a brilliant opportunity for criminals, since most of the hardware (sensors, cameras, servers) is built by multiple sources. At every stage of the production of these devices, there is a chance for a rogue OEM to slip in some dodgy code. Every microchip in every device could be embedded with some furtive software that makes it hackable by villains.

“If you put an IoT device on your network that’s compromised from inception, your network is doomed from day one,” says Clive Watts, product manager for Secure Thingz. What’s worrying is that Watts worked for a chip manufacturer once, so he knows the risks well.

The best way to prevent these tragedies would be to employ public key infrastructure experts who are IoT architects, according to John Grimm, senior director of security strategy for Thales e-security.

“Gartner says there are only about 100 people like that in the world,” says Grimm.

There’s never been a better time to be a cyber criminal. It’s a gateway to a fast track career and you can always go straight later. Looks like their channel programmes are very creative too.
