The cybersecurity industry has historically focused on perimeter defense, developing expertise in criminal activity on the Dark web, recruiting ex-military personnel trained in government security networks, and building up protection against malware. The traditional mindset has been that in order to keep the internet a safe place, the best way to spend your time is in hunting down the bad guy.
And for all intents and purposes this approach has served us well for the past few decades. But things have changed in the meantime. The way we do business is increasingly digital, increasingly global and increasingly connected. In order to succeed today, businesses need to share information widely and rapidly. But this constant flow of information introduces numerous opportunities for our precious data to escape and be used against us. It’s not just the hacker lurking on the Dark web that poses a risk to our information security, it is also our suppliers, contractors, or employees.
In advance of the onset of GDPR, PayPal opened up about the numerous third parties with whom it shares its users’ data. This includes up to 600 different firms. For us, the PayPal communiqué was more than a refreshingly honest contribution to the GDPR discussion; it underlined the extent to which the concept of “securing our data” (or even “securing our infrastructure”) is out of step with the way we do business today. No matter how secure our internal networks might be, it doesn’t take much creativity to imagine a supplier saving our sensitive documents on an unsecured company server, a consultant working from home unwittingly backing up files onto a personal NAS drive, or an employee accidentally posting credentials on a code-sharing website.
The threat of negligence is nothing new. Information security professionals have long been aware that their role is more complex than acting as a sort of digital security guard, preventing thieves from entering the premises. We need to start thinking beyond where a cyber attack ends, and more about where it begins. Cyber criminals plan their attacks by exploiting data exposures, and 94% of the leaks that we find for our customers can be traced back to third parties.
So why has the cybersecurity industry not adapted? Why are we spending so much time looking for broken windows when we’ve left the back door unlocked? At CybelAngel, we certainly monitor the traditional settings of cyber crime, like Dark web networks. But we are also searching code-sharing sites where employees are accidentally posting source code. We are also searching the unprotected cloud storage where contractors are storing sensitive files. We search these areas because we know that criminals are looking there. And it’s not only criminals by the way, but also investigative reporters, or corporate spies. If we can detect data exposures before they are exploited by someone else, then it will be a lot easier for our customers to avoid the associated damage.
The landscape of cybersecurity is changing, and we need to shift our approach to keep up. Of course, the traditional settings of cyber crime remain relevant, and it would be a mistake to ignore them. To go back to our previous analogy, there are still broken windows out there, and we need to continue alerting our customers to them. But there is also a large number of unlocked back doors created by third-party exchanges. Malevolent actors have realized this, and they are exploiting the weakness.
Information security professionals can no longer ignore the threat of third-party and employee data leaks. And the cybersecurity industry needs to rise to the challenge of providing these information security professionals with the tools they need to detect data leaks before they are used to weaponize attacks.