One area that has remained a consistent concern for leadership is cyber-crime. Crime doesn’t take holidays. On December 30, 2019, smart camera provider Wyze reported two breaches, when databases were left exposed for over two weeks.
The IBM Security-sponsored Ponemon Institute study, 2019 Cost of a Data Breach Report, estimates that the average cost of lost business for organisations was US$1.42 million, representing 36% of the total average cost of $3.92 million.
A Selfkey blog post reported that on December 19, 2019 convenience store chain Wawa suffered a massive data breach involving payment information starting in March 2019. On the same day, security expert Bob Diachenko discovered that more than 267 million Facebook users had their records – names, phone numbers and Facebook IDs – exposed.
The Ponemon Institute also revealed that data breaches tend to have a long tail: the costs of a breach can be felt for years after the incident. It added that breaches caused abnormal customer turnover of 3.9% in 2019. Organisations with customer turnover of 4% or greater averaged a total cost of US$5.7 million – 45% greater than the average total cost of a data breach.
According to the RiskBased Data Breach QuickView Report 2019 Q3, at the end of September, there were 5,183 breaches, exposing 7.9 billion records. Compared to the 2018 Q3 report, the total number of breaches was up 33.3% and the total number of records exposed more than doubled, up 112%.
FutureCIO spoke to Gil Shwed, founder and CEO of Check Point Software Technologies, to get his perspective on the trajectory of the cyber threat landscape, how enterprises are reacting to the threat, what industry players are doing, and what the future bodes in the fight against cybercrime.
Escalating cyber warfare
Since 2010 budgets allocated for cyber security initiatives have been rising, increasing by 141% from 2010 to 2018, with enterprises pouring US$64.2 million on security services in 2019, US$15.3 million on infrastructure protection, and US$13.2 million on network security equipment.
The trend is the same with most things security-related: cloud security spend has gone up 148% since 2017, general data security budgets have risen 28%, and information security software grew 25% between 2017 and 2019.
Still, enterprises remain vulnerable. Shwed conceded that it’s very hard to predict the future of any industry.
“At this moment I must tell you that we haven’t started really seeing the implication of cyberattacks. We know all the doomsday scripts about the bad things that can happen. We haven’t seen many of them materialise yet. There are criminal organisations that are developing very sophisticated tools to attack our infrastructure. So far, they’ve been used in a minimal way. We know that they can attack us. We need to make sure that we are prepared because the message is out there,” he lamented.
Secure future
Asked if there will ever be a future where consumers and businesses will be secure (in cyber space), Shwed was adamant: “not going to happen!”
“Predicting the future is always difficult but the foreseeable future will have plenty of work. I think the world needs to catch up. The world today is about at least 10 years behind in terms of the security technologies that companies used to the security technology which they need and what is available. So I think the message to the world is we need to make the jump, to leap forward and be updated with today’s technology,” said Shwed.
Message for software developers
Many of today’s cyberthreats are rooted in the software that consumers and enterprises use. Just consider the recent revelation of a zero-day vulnerability stemming from the use of Microsoft’s Internet Explorer browser. But Microsoft isn’t alone here. Software vendors that have grown considerably over the years on the back of popular support from consumers and enterprises are just as vulnerable: Adobe, Citrix, Oracle, Salesforce, and SAP. Even IBM’s WebSphere is not without its vulnerabilities.
Shwed suggested that software developers need to learn more about safer and better ways to develop software to avoid becoming victims of hacks. He conceded that as the world moves to create and adopt innovative ideas and solutions, software complexity grows.
He acknowledged that the biggest jumps in innovation were a result of innovations in software. He cautioned that all these advances may come at the price of security. Securing these software-led innovations is the responsibility of software developers as well as security vendors like Check Point.
Securing the cloud
According to the Forrester Analytics: Cloud Security Solutions Forecast, 2018 To 2023 (Global) report, as organizations adopt new infrastructure and software, cloud security spending will rise, reaching US$12.7 billion by 2023.
Is that a good thing?
Shwed conceded that the cloud presents a very challenging conundrum from a security standpoint. As a business opportunity, securing the cloud is good for security vendors because it will mean plenty of work for them.
“I think the move to the cloud by itself has its benefit and it’s good. I’m all for technology moving forward. But from a security standpoint, I don’t think people take it seriously enough. People don’t understand the level of risks that’s being taken when you open the environment in such a way,” he warned.
DevOps – a double-edged security challenge
Proponents of DevOps predict that 2020 will see greater use of automation through the use of artificial intelligence and data science. Check Point’s Shwed is all for DevOps. “Because it drives innovation, it moves things forward,” he reasoned.
He cited a loophole in the waterfall development model, where updates were too infrequent – which isn’t good for security. Agile implies faster updates and greater opportunity to keep software secure. He cautioned, however, that DevOps tools are still in their early stages.
“We need to develop the right processes that will make sure that security is very well embedded into the process. For us [Check Point] it’s a big opportunity and a big challenge to make sure that we have the right tools that every DevOps person can embed,” he concluded.










