Negligence: cybersecurity’s elephant in the room

Apr 10, 2018

The cybersecurity industry has historically focused on perimeter defence, developing expertise in criminal activity on the Dark Web, recruiting ex-military personnel trained in government security networks, and building up protection against malware. The traditional mindset has been that in order to keep the internet a safe place, the best way to spend your time is in hunting down the bad guy.

The new frontier of cybersecurity

And for all intents and purposes this approach has served us well for the past few decades. But things have changed in the meantime. The way we do business is increasingly digital, increasingly global and increasingly connected. In order to succeed today, businesses need to share information widely and rapidly. But this constant flow of information introduces numerous opportunities for our precious data to escape and be used against us. It is not just the hacker lurking on the Dark Web who poses a risk to our information security; our suppliers, contractors and employees do too.

Chiming in on the hot topic of the looming GDPR legislation, PayPal recently opened up about the numerous third parties with whom it shares its user data. This includes up to 600 different firms. For us, the PayPal communiqué was more than a refreshingly honest contribution to the GDPR discussion; it underlines the extent to which the concept of “securing our data” (or even “securing our infrastructure”) is out of step with the way we do business today. No matter how secure our internal networks might be, it doesn’t take much creativity to imagine a supplier saving our sensitive documents on an insecure company server, a consultant working from home unwittingly backing up files onto a personal NAS drive, or an employee accidentally posting credentials on a code-sharing website.

Gearing up to tackle negligence

The idea of negligence is nothing new. Information Security professionals have long been aware that their role is more complex than acting as a sort of digital security guard, preventing thieves from entering the premises. We need to start thinking beyond where a cyberattack ends up, and more about where it begins. Cybercriminals plan their attacks by exploiting data exposures, and 94 percent of the leaks that we find for our customers can be traced back to third parties.

So why has the cybersecurity industry not adapted? Why are we spending so much time looking for broken windows when we’ve left the back door unlocked? At CybelAngel, we monitor the traditional settings of cybercrime, like Dark Web forums, but we also search code-sharing sites where employees accidentally post source code, and the unprotected cloud storage where contractors keep sensitive files. We search these areas because we know that criminals are looking there. And it is not only criminals who look there, but also investigative reporters and corporate spies. If we can detect data exposures before they are exploited by someone else, it will be a lot easier for our customers to avoid the associated risks.

Solutions to close the back door

The landscape of cybersecurity is changing, and we need to shift our approach to keep up. Of course, the traditional settings of cybercrime remain relevant, and it would be a mistake to ignore them. To go back to our previous analogy, there are still broken windows out there, and we need to continue alerting our customers to them. But there are also a large number of unlocked back doors created by third-party exchanges. Malevolent actors have realized this and they are exploiting the weakness.

Information Security professionals can no longer ignore the threat of negligence. And the cybersecurity industry needs to rise to the challenge of providing them with the tools they need to detect data exposures before they are used to weaponize attacks. We should never stop looking for broken windows, but we also need to start spending more time looking for the unlocked doors.