The cybersecurity industry seems addicted to research but isn’t all that good at it. Mining the massive amount of data produced is daunting but crucial to everyone.
Surveys and studies are an important part of marketing for the cybersecurity industry. Cyber Protection magazine receives a lot of them. We read them all. In the two months before the RSA Conference, more than one a day came into our inbox. However, they are not a great source of independent data and insight.
Ignoring the cherry-picked data highlighting a particular company’s product or service, there are a few nuggets that, taken together, produce some interesting insights. Out of 60+ reports, we took a pass on any that were repetitive, were methodologically suspect, or were effectively plagiarized from another source. We chose to look at seven with a solid methodology, representation of industry-wide concerns, and originality. The reports came from Dynatrace, Black Kite, SlashNext, Metomic, Originality AI, Logicgate, and Sophos. We found three common themes: the impact of AI on security, government regulation compliance, and understanding of security concerns at the C-suite and board levels.
Understanding security issues
Almost every study has a common complaint. CISOs say application security is a blind spot at the CEO and board levels. They say increasing the visibility of their CEO and board into application security risk is urgently needed to enable more informed decisions to strengthen defenses.
However, Dynatrace’s study said CISOs fail to provide the C-suite and board members with clear insight into their organization’s application security risk posture. “This leaves executives blind to the potential effect of vulnerabilities and makes it difficult to make informed decisions to protect the organization from operational, financial, and reputational damage.”
Recent news shows the study may have a point. Marriott Hotels admitted that a 2018 breach was the result of inadequate encryption of customer data. In 2018 the company claimed its data was protected by 128-bit AES encryption when, in fact, customer identity data was protected only by an outdated hashing protocol. One can imagine the discussion between the CEO and the IT department:
CEO: Is our data encrypted?
IT manager: Yeah, sort of.
CEO: OK, good enough.
If the CEO doesn’t understand the difference between a hash and AES encryption, that’s a problem.
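To make that distinction concrete, here is an added Go example (not from the article or from any of the reports it cites): an unsalted hash is one-way and, for a fixed-format identifier, recognisable by anyone who can enumerate plausible values, whereas AES-GCM ciphertext is recoverable exactly when, and only when, the holder has the key. The function names and the passport-style identifiers used with it are my own constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

// HashID is an unsalted SHA-1 hex digest: one-way, with no key that could reverse it.
func HashID(id string) string { return fmt.Sprintf("%x", sha1.Sum([]byte(id))) }
// MatchHash: a bare hash of a fixed-format, low-entropy field is recognisable by
// anyone who can list the candidates, so it is not confidentiality either ("" = none).
func MatchHash(stored string, candidates []string) string {
	for _, c := range candidates {
		if HashID(c) == stored {
			return c
		}
	}
	return ""
}
func gcmFor(key []byte) (cipher.AEAD, error) { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// EncryptID seals the id with AES-256-GCM, random nonce prepended to the ciphertext.
func EncryptID(key []byte, id string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(id), nil), nil
}
// DecryptID recovers the id only with the same key; GCM also rejects tampered data.
func DecryptID(key, ct []byte) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(ct) < gcm.NonceSize() {
		return "", fmt.Errorf("bad key or ciphertext: %v", err)
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	return string(pt), err
}
```

The encryption key must itself be kept out of the database it protects (a KMS or HSM in practice); otherwise the ciphertext is no better than the hash.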
And there may be evidence that ignorance is widespread. Apricorn reported that the number of encrypted devices in surveyed companies had dropped from 80 percent to 20 percent between 2022 and 2023. Some of that could be attributed to work-from-home (WFH) growth in companies. It is also likely that companies over-reported what was encrypted simply because they did not understand what “encryption” meant. Once they learned the meaning, adjustments were made.
That lack of a foundational security technology could be a reason for the devastating growth in ransomware in the past two years.
A problem, not THE problem
Black Kite’s study saw a massive increase in ransomware attacks last year. More than 4900 businesses reported attacks in 2023 as opposed to more than 2700 in 2022. “This highlights the increased persistence of these groups as well as the incredible effectiveness of their tactics,” the report stated.
But the growth of ransomware is dwarfed by the monumental growth of phishing. SlashNext’s 2023 State of Phishing Report claimed a 1,265% increase in malicious phishing emails and a 967% increase in credential phishing between Q4 2022 and Q3 2023.
That statistic is validated by the United States Internet Crime Complaint Center. The number of phishing and spoofing complaints (298,000 in 2023) massively exceeds the number of ransomware reports (2,800). Most studies and experts claim that both phishing and ransomware crimes are underreported, which explains the discrepancy between the center’s ransomware numbers and Black Kite’s. The reality is that phishing is a much bigger problem for a much larger portion of the populace.
SlashNext CEO Patrick Harr attributed the growth to the introduction of an increasingly sophisticated use of generative AI tools. “About a year and a half ago, we started seeing tools like WormGPT and FraudGPT. You pay $60 a month and you can create and launch near-perfect business email compromise attacks. Just take this open source model and tailor it to a particular application.” He said that since the introduction of ChatGPT, phishing attacks increased 4500 percent.
Fire with fire
Metomic’s 2024 CISO survey said CISOs recognize the impact of generative AI and they’re ready to fight AI with AI. “Two-thirds of CISOs and IT security leaders say their top concern with generative AI is the threat of the technology being used to create a security breach. More than half of the survey respondents said they are concerned about employees uploading sensitive business data to large language models (LLMs) that are used to train various generative AI platforms—a move that could potentially expose confidential business information and intellectual property.” The survey showed 80 percent of IT security leaders will implement AI-powered tools to fight emerging AI-based security schemes and threats.
Mirroring the Black Kite findings, Metomic’s survey pointed to complacency as the biggest threat to data security strategies. “Implementing and maintaining a strong data security framework across the organization is top of mind for security leaders in 2024, with 80% of survey respondents agreeing security culture and awareness will be their most crucial challenge in 2024.”
There is room for improvement. Originality AI said only 15 percent of respondents to their survey embrace the benefits of AI for defense. Nearly one-quarter of respondents say their AI plans require longer than 12 months, and 15% say they have no plans at this time.
Regulation compliance
Regulatory compliance is driving adoption of defensive technologies, according to the Logicgate Annual Report on GRC compliance. At the high end, 17% of the organizations in this research spend more than $1.50 per $100. At the low end, 14% spend $0.10 or less per $100. Financial services organizations spend almost three times more than healthcare organizations, despite both industries being subject to stringent regulations. Healthcare spends the least on people and talent and is more reliant on third-party services.
The 2024 Sophos Threat Report focused on the cybersecurity challenges facing small businesses. Sophos has tracked offers on underground forums claiming to provide access to many small and medium businesses’ networks. “More than 90% of attacks reported by our customers involve data or credential theft in one way or another, whether the method is a ransomware attack, data extortion, unauthorized remote access, or simply data theft.”
Missing links
In all of the studies, some answers raised further questions, and none of them referred to the use of generative AI to influence elections.
An example of the first came out of the Metomic survey on the question of deleting unnecessary data. Eight percent of the respondents said they made no effort to cull data regularly. This flies in the face of basic security requirements and even several laws.
A fundamental principle of data privacy and security is that culling unnecessary data limits the harm caused by a security breach. By 2026, data brokers doing business with California customers must delete records within 45 days of a request. Some organizations, like healthcare organizations, must maintain data under the Health Insurance Portability and Accountability Act (HIPAA), and financial institutions are required under the U.S. Banking Privacy Act to keep records for seven years. Even then, eventually, the data becomes obsolete while still being dangerous in the wrong hands.
Metomic’s CEO Richard Vibert was likewise surprised. “There’s this very fundamental principle to data privacy and even data security, which is data minimization: only store what you need. I don’t know any company that isn’t deleting data because it is a challenging problem, but 8% I think is remarkably high. I’m curious as to who those organizations are.” Vibert said in next year’s survey they will attempt to identify which companies are not deleting data.
The black hole of election security
None of the companies that submitted documents to us addressed the emerging problem of election security, which we found odd. Almost every democracy, representing 5 billion people worldwide, has elected or is electing a new government in 2024, and the use of generative AI and traditional phishing scams is a growing concern.
As far back as 2018, election officials have been warning voters about scammers posing as fundraisers for candidates. The 2016 and 2020 US elections were targeted by multiple nation-state actors from Russia, China, North Korea, and Iran. In February, the National Cybersecurity Alliance issued a report warning voters of rising voter scams. These included phishing for donations, spoofed election websites, fake voter registration drives, and robocall scams.
Accessing voter information is relatively easy. Voter registration data that includes names, addresses, emails, and phone numbers is available to all campaigns, with notoriously poor security safeguards. Today, only the state of Nevada allows voters to request that their personal contact information be removed from the rolls.
So election security is an enormous issue that all the organizations have missed in their research. We hope that will be corrected in the coming year, even if it is after the fact.
As we said, all these documents are meant to sell a product or service first and inform second. In the process, many important issues are missed due to marketing myopia. The cybersecurity industry is unique in the technology world. It affects absolutely everyone in the world with any kind of digital footprint. Its members are called to a higher purpose than profit. We hope they come to realize that.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he has covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.