In the past two years, the world has been shocked economically, politically, and technologically. Technological advancement has shifted into overdrive from its already dizzying pace.
Against this backdrop, a series of cybersecurity myths have gained traction, often prompting well-meaning security teams to focus on the wrong things. Here are seven of them to keep a watchful eye on.
Myth #1: Only a small number of social media accounts are fake
A lot of enterprises know they have bots, but the reality is social media companies often don’t know and don’t want to know how many bots they have. We did a proof of concept with a social networking site some years ago that showed 98 per cent of their logins were automated bots. This company was very proud of its rapid growth and excited for the future, but they only had a tenth of the subscribers they thought they had.
The significance of this knowledge has been playing out publicly with the acquisition of Twitter. The value of the company is largely based on its number of users. Elon Musk’s challenge to the company to demonstrate that spam bots and fake accounts are less than 5 per cent is a fair expectation for any investor, advertiser, potential business partner, and even its users. I predict that Twitter’s bot number is closer to 50 per cent or more. Companies must validate human users and effectively manage and mitigate their bot traffic.
Simply stated, the success of malicious bots indicates a security failure. Bot prevention is critical to ensuring the integrity of the information flowing through these sites and having accurate data for companies to make important business decisions and for others doing business with them.
Myth #2: Bot prevention is an in-house DIY project
We have seen good companies with big budgets and brilliant technical staff battling bots for years. Yet when we analyse the bot traffic in these organisations, expecting to see sophisticated bots that have evolved to overcome their defences, that just isn’t what we find.
Companies have been fighting bots by blocking IPs, regions, and autonomous systems, and here is where we see the evolution of malicious bot traffic – attacks are now coming from hundreds of thousands, even millions of IP addresses. Those network layer defences only take you so far.
My mantra is that client-side signals are king. You must have behavioural biometrics. You must interrogate the browser and interrogate the device. All those signals taken in the aggregate are how you identify not just bots but malicious humans.
Companies also think they can hire their way out of this situation, but there is no way to hire enough IT people to fix this vast problem. The only way to fight automation is with automation.
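The contrast between network-layer blocking and client-side signals can be seen on a small login log. The following is an added example, not code from the author or any vendor: the log is constructed, and the `fingerprint` field is an assumed stand-in for the aggregated browser, device and behavioural signals described above.

```python
from collections import defaultdict

def sample_events():
    """Constructed login log: (source_ip, fingerprint, username, success)."""
    events = []
    # Distributed credential stuffing: 200 IPs, one attempt each, one automation stack.
    for i in range(200):
        events.append((f"198.51.100.{i}", "fp-headless-01", f"victim{i}", i % 50 == 0))
    # Office NAT: 30 employees behind one IP, each on their own device, all succeed.
    for i in range(30):
        events.append(("203.0.113.10", f"fp-office-{i}", f"employee{i}", True))
    # Home users: one IP, one device, a mistyped password followed by a success.
    for i in range(5):
        events.append((f"192.0.2.{i}", f"fp-home-{i}", f"user{i}", False))
        events.append((f"192.0.2.{i}", f"fp-home-{i}", f"user{i}", True))
    return events

def flag_by_ip(events, max_attempts=10):
    """Network-layer rule: flag any source IP that exceeds an attempt threshold."""
    attempts = defaultdict(int)
    for ip, _fp, _user, _ok in events:
        attempts[ip] += 1
    return {ip for ip, n in attempts.items() if n > max_attempts}

def flag_by_fingerprint(events, min_users=20, min_fail_ratio=0.8):
    """Client-signal rule: one fingerprint trying many accounts and mostly failing."""
    users, total, fails = defaultdict(set), defaultdict(int), defaultdict(int)
    for _ip, fp, user, ok in events:
        users[fp].add(user)
        total[fp] += 1
        fails[fp] += 0 if ok else 1
    return {fp for fp in total
            if len(users[fp]) >= min_users and fails[fp] / total[fp] >= min_fail_ratio}

if __name__ == "__main__":
    ev = sample_events()
    print("flagged by IP rule:         ", flag_by_ip(ev))
    print("flagged by fingerprint rule:", flag_by_fingerprint(ev))
```

On this data the per-IP rule flags only the office NAT address, a false positive, and misses all 200 attacking addresses, while the fingerprint rule isolates the single automation stack behind them.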
Myth #3: Focus should always be on a mysterious new threat on the horizon
Those of us in security, the tech press, and corporate PR share a common fear of those threat actors who are constantly innovating and staying ahead of us. But in many ways, attacks are still the same with only slight tweaks along the way.
Most of the bots we see today show the same level of sophistication that we saw five years ago. They just come from different places. Credential stuffing still works despite two-factor authentication and/or CAPTCHA. Attackers won’t innovate new attack vectors as long as the original vector remains successful. All they need to do is devise a way to dodge new defences.
Companies need to consider emerging threats and prepare for them, but the industry also needs to continue to mitigate last year’s threats.
Myth #4: Managing multiple clouds is a hard challenge that requires unobtainable talent
The multiple cloud world is a reality that many, if not most, companies live in today. Whether it’s because of an acquisition, integration with a partner, or just capturing best-of-breed features, multi-cloud is here to stay.
Yet when I ask companies if they’re in multiple clouds, one answer I hear repeatedly is some version of, “Yes, unfortunately.” Companies sometimes operate across multiple clouds begrudgingly and don’t embrace the opportunity to get the best of all worlds.
Today there’s no reason that managing and securing your IT estate across multiple clouds should be arduous. Cloud vendors have built interoperability into their strategies, and there are many other providers whose solutions are designed to remove the burden of integration, abstract their functionality across clouds, and deliver it through a simple, unified interface.
Myth #5: Securing the enterprise’s architecture and devices is enough
Security teams are focused on the enterprise’s infrastructure, their servers, their computers, their desktops – everything inside the organisation. They largely are not focused on the organisation’s employees’ home networks.
An attacker might want to target the CEO to access mergers and acquisitions insights or other strategic information, but monetising that isn’t as easy as targeting an accounts payable clerk or an IT administrator. When working from home is more common than ever, home networks are an emerging loophole for bad actors.
Myth #6: You can trust your employees
Insider threats have an enormous advantage simply because it’s human nature to assume the best of those around us. But the fact is you can’t hire 50 or 100 employees without the very real risk of introducing a bad apple or two to the barrel.
Disgruntled employees don’t just leave bad reviews on Glassdoor. They can throw sensitive files onto a thumb drive and walk right out the door. There’s even a growing concern that they might leave malicious software in the system.
I’ve long had a theory that insiders are probably behind a lot of ransomware attacks. An IT administrator can easily create a persona on the dark web, give that persona access to the system to install malware, and then issue a demand for ransom – and, in turn, advocate that the company just pay the ransom. It’s important to note that I’ve not yet seen evidence of this, but the incentive is certainly there.
Myth #7: Our biggest cyber threats come from nation-state actors targeting infrastructure
When the Colonial Pipeline was attacked a year ago, causing long lines at gas stations that inconvenienced consumers on the East Coast, it was major international news.
Yet, there is little to no conversation about the millions of Americans who are defrauded every year online, many of whom are elderly and living on their retirement savings. This is a tremendous threat to our social safety net that can have devastating effects on people and their families – much more so than having to wait in line and pay more for gas.
I spent years in law enforcement investigating cybercrime, more often than not with frustrating results, and this issue is a passion of mine. Attacks on our infrastructure are important and very real, but when you listen to the stories of these victims, it’s clear that widespread cyber fraud should be getting more attention than it is.