Cyber Crime: Why Is All the Talent in Hacking and Not in Security?
It’s been a tough few years for security experts in the tech field. Big name companies like Target, Neiman Marcus, and eBay have fallen prey to major security breaches that have been widely reported, making customers leery of doing business with them — and making amends is expensive. Target offered a year’s worth of free credit card monitoring to those affected by the breach. It was a pricy but necessary show of good faith for its mistake.
Every organization, from companies to government agencies, would like to ensure cyber-security for their data, but they face a steep uphill battle. The recent 2014 U.S. State of Cybercrime Survey revealed what has been hidden in plain sight all along: cyber criminals are more technologically advanced than the people responsible for keeping our data safe. While the cyber risks continue to grow, the cyber defenses are unable to keep up. That’s bad news for everyone but the bad guys. The worst part is that we can only expect more breaches of theses kinds to take place in the years to come.
The survey, which was co-sponsored in part by security heavy hitters like the CERT division of Carnegie Mellon University’s Software Engineering Institute and the United States Secret Service, was compiled using responses from 500 executives from U.S. businesses, law enforcement services, and government agencies. The results of the survey should be enough to scare anyone and everyone — particularly because there’s virtually nothing you can do to keep your data safe. As Target customers found out toward the end of last year, you don’t even have to use the Internet to be at risk.
The report states, “One thing is very clear: The cybersecurity programs of U.S. organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries. Today, common criminals, organized crime rings, and nation-states leverage sophisticated techniques to launch attacks that are highly targeted and very difficult to detect.”
But surely this isn’t that big of a deal, right? Wrong. The U.S. Director of National Intelligence has ranked cyber crime as the number one threat to national security — above terrorism, espionage, and weapons of mass destruction.
So why is this such an issue? Why can’t the good guys keep up with the bad guys to protect our valuable data? The main reason, according to the report, is that most organizations don’t spend their cyber security budgets very wisely. The smartest way to spend security resources, the report says, is to allocate them based on specific business risks — in other words, beef up security on your most valuable data, and focus on protecting the areas where your organization is most vulnerable.
It turns out that’s a problem in large part because it means there’s no one-size-fits-all strategy that all businesses and organizations can use. According to the report, “A retailer’s high-value data, for instance, would include customers’ financial information, while the lifeblood of pharmaceutical companies is often trade secrets for developing new medications.” Those two industries, then, can’t use the same tactics against potential cyber criminals. They each have to figure out what’s best for them, and many organizations don’t have the resources or knowledge to do so.
So to answer the question of why the tech talent is so heavily weighted on hacking and not on security, we have to look no further. Both sides have smart people working for them, but the hackers have a clear, easily defined goal: to steal as much data as possible. The security people, on the other hand, are often being paid to focus on the wrong things.
The whole report is very interesting and eye-opening, with loads of data on what industries are particularly at risk, and which ones are better suited to prevent cyber attacks. You can read the full report here.