This article was originally written by Naomi Eide and published on CIODIVE.
The bad guys have just as much smart resources as the good guys do, arguably more money, and absolutely no need to play by the rules.
Since the start of the consumer internet in 1995, people have moved huge parts of their personal lives online, conducting everything from banking to interactions with the government.
Seemingly by accident, over the course of 20 years the internet became the underpinning of a huge amount of commerce and human interaction. But that was never its design. The underlying internet technologies were never designed to be secure, according to John Parkinson, affiliate partner at Waterstone Management Group. “They were, in fact, designed with a security through obscurity strategy.”
“When you attach tens of millions of businesses and billions of people to the internet, suddenly you attach value,” Parkinson said. “These are things worth stealing.”
For a long time, companies thought they could increase perimeter network defenses and adequately secure their internal systems. Emphasis was placed on building larger walls by focusing on firewalls and intrusion detection. But not enough emphasis was placed on application security, according to Parkinson.
Now, with 20-25 years of accumulated code running through many businesses, keeping up with attackers and defending internal systems seems an almost insurmountable challenge. With the thousands of reported cyberattacks and data breaches in the last two years alone, it is clear that a model of cybersecurity focused on keeping the “bad guys” out is not working.
“If you’re on the defensive side, you have to keep the attackers out all the time,” said Dr. Andy Yen, CEO and founder of ProtonMail. But, “if you’re on the offensive side, you only have to get in once.”
The imbalance between the sophistication of attackers and overwhelmed defenders has led to failure by public and private organizations. With attackers steadily outpacing the skills and resources of the defenders, not to mention their proclivity for breaking the law, the number of breaches and cyberattacks has steadily increased each year. Just two to three years ago, about 20,000 cyberattacks were attempted per week, according to Microsoft data. Now, that number is up to between 600,000 and 700,000 attempted cyberattacks each week.
“The bad guys have just as much smart resources as the good guys do, arguably more money, and absolutely no need to play by the rules,” Parkinson said. “We’re still trying to build better castle walls, despite the fact that the attackers will always have better weapons than the walls can resist.”
The flaw in the code
One of the root causes of industry cybersecurity failings stems from the underlying architecture of systems.
The rise in cyberattacks, and in the defense tactics needed to counter them, has led some companies to increase security budgets, even though increased investment doesn’t always pay off. In a recent survey of 2,000 enterprise security practitioners, Accenture found more than half would invest more in cybersecurity, even though those investments have “not significantly deterred regular and ongoing breaches.”