Cybersecurity pros are a paranoid bunch, at least according to a survey Lastline conducted at the RSA Conference in March. It makes sense when you think about it. After all, these are the folks who know what the threats are and how easy it is to gain access to a network.
But I hadn’t thought about just how paranoid these pros are until I read the results of the survey. Of 136 participants, about half said they’d rather walk barefoot in a public restroom than connect to public Wi-Fi, and 69 percent cover the webcam lens on their laptops (which would explain why webcam covers were popular swag on the show floor). This lack of trust in cybersecurity is enough to make Lastline’s CEO John DiLullo shut off all of his devices and disconnect from the internet—well, at least for a brief moment. He, like all of us, understands the good side of the internet and technology, not to mention that isolation is next to impossible if you want to survive in the 21st century.
Still, the amount of distrust in cybersecurity among professionals is alarming. These are the folks who are responsible for keeping the rest of us safe, after all. So I asked DiLullo: What do you guys know that is causing this paranoia?
“Today’s security experts recognize that the typical enterprise is in retreat and not winning the battle,” he said. “Losses due to cybercrime hit a record in 2018 and it is largely believed that another record will be broken in 2019. People often believe that they are next in line, if they have not already been breached. No one feels totally safe. No one has that much hubris.”
Expanding Attack Surface
Perhaps adding to this lack of trust is the ever-expanding attack surface brought about by companies moving more workloads into the cloud and the corresponding rising number of endpoints accessing the cloud. In the past, said DiLullo, there was a single entry point into the network, making it easier to monitor traffic in and out of the data center. Now, there are plenty of entry points for bad actors to penetrate.
Plus, he noted, there’s an increased number of data assets that are exposed in the cloud every day. “A single careless move can make critical cloud-based information assets very vulnerable. In the past, it was easier to build redundancies, barriers and ‘DMZs’ that security professionals could rely upon. The cloud has made extinct those architectures,” he said.
Cybersecurity pros not only have a larger attack surface to defend, but they also have to worry about the poor decisions that users make. People continue to be the weakest link in the security chain, at a time when identity and account compromise is becoming more sophisticated, with attackers exploiting new methods to “borrow” an identity and use it to create a lot of damage, all without leaving fingerprints behind.
Users simply don’t realize how easy it is for bad guys to gather that information. When my friends say they are targeted by a scam that used personal information, they question where hackers could get the data—and then I see all of the personal stuff they put out there. Thanks to lax security on many social media sites (the survey found that security professionals don’t trust big tech in general) and overall poor security hygiene, DiLullo said gaining compromising data about someone online has never been easier.
“The prevalence of public Wi-Fi, social passing of infected thumb-drives, vulnerable IoT devices and people more frequently bringing personal devices to work exacerbates the situation,” he added.
Cybersecurity Is the Real National Security Risk
One of the more interesting findings in the survey, in my opinion, was the 92 percent who feel that cybersecurity is a greater threat to the country than border security. Border security is a crisis, according to the news channels and many within government, but cybersecurity could do serious damage with one well-placed piece of malware. And yet, even an incident involving a Chinese woman carrying devices with malware into Mar-a-Lago was barely a blip on the news radar.
Since cybersecurity is going to take a backseat to border security as a national threat, DiLullo thinks our best hope falls to the private sector. “Cybersecurity is a defense capability best developed and delivered by private enterprises, overseen by governments and advanced by governmentally assisted research, policy and initiatives,” he said. “Private endeavors are a good proxy for nimbleness and alacrity.”
The fears many cybersecurity professionals have are real—for many, simmering under the surface for a long time. They may have the technology, the tools and the skills to address cyberthreats, but there is so much that is out of their control. No wonder they are paranoid.