The high-profile hacks of credit card systems over the past few years and the scourge of ransomware attacks that reached lofty levels in 2017 appear to have convinced businesses to become more proactive about cybersecurity, according to an expert in Cisco Systems' security services group.
In an interview with Security Now at this week's Cisco Live 2018 conference in Orlando, Fla., Sean Mason, director of threat management and incident response for Cisco's Security Advisory Services, said he has seen a shift over the past couple of years in customers becoming increasingly interested in learning how to protect themselves against hacks and other cybercrimes rather than simply reacting when an attack occurs.
"For years there was a lot of news and a lot of press around nation-state attacks, and to be fair, a lot more organizations were impacted than truly thought they were," Mason said, adding that their thinking was, "'I'm not doing X, Y, Z, so I don't have to worry about that problem.' That wasn't necessarily true, but that was the mentality. Then we started seeing a lot of credit card hacks."
Many well-known companies were victims of attacks in which cybercriminals stole personal data from millions of customers -- think Equifax, Target, Home Depot, Chipotle and, most recently, MyHeritage. Still, there were businesses that rationalized their situation by thinking that since they didn't process credit card data, they didn't need to worry. (See MyHeritage Data Breach of 92M Accounts Raises Many Questions.)
"Then what really went mainstream a couple of years ago was ransomware," he said. "I hate saying that, because it's a lot less sophisticated in some cases than dealing with a nation-state or even cybercriminals going after credit card data. It's a different way of doing things. It's extremely noisy … and the types of organizations that were hit, all of a sudden it was, 'Oh my gosh, that could be us,' and it really hit home that it was no longer just somebody else's problem. It was, 'This could be us tomorrow.' That might have really been the trigger."
Ransomware wasn't new: it involves stealing corporate or personal data and holding onto it until a ransom is paid, usually in a cryptocurrency like Bitcoin. However, the malware has become increasingly sophisticated, and it broke into the headlines last year with WannaCry, which infected hundreds of thousands of vulnerable Windows PCs and attacked such major companies as Nissan Renault, FedEx and Telefonica until a kill switch was found for it. WannaCry also spawned an array of new ransomware that built off its success. (See WannaCry: How the Notorious Worm Changed Ransomware.)
Security firms such as Check Point have noted that incidences of ransomware have waned a bit from 2017 as threat actors are focusing more on stealing PC CPU cycles to mine cryptocurrencies, but warned that doesn’t mean ransomware is no longer a threat, as the cities of Atlanta and Baltimore learned earlier this year.
WannaCry and other ransomware attacks caught the attention of many customers, Mason said. Cisco's Security Advisory Services group is seeing an increase in requests from companies for help in learning how to protect their corporate networks and data and how to respond when an attack occurs.
The top requests are for tabletop exercises, where participants are put into a low-stress environment and walk through scenarios of potential emergencies to learn and discuss such aspects as operational plans, responses, dealing with stakeholders and communications.
What most customers want to run tabletop exercises on is ransomware, he said. They're less interested in situations like someone stealing their IP. They want to know what to do if someone takes over their systems and takes control of their data. Many companies can use the training, Mason said. Not many have deep expertise in Bitcoin and some haven't backed up their data, but they understand that if ransomware hits, it's not just about having to pay to regain control of the data, but also the lost productivity. (See Bitcoin & Other Cryptocurrency Prices in Flux Following Hack.)
"Literally, customers with tens of thousands of machines down," he said. "You cannot do work, you cannot run your business, you cannot operate."
The shift toward customers becoming more proactive about security has become pronounced over the past couple of years, with Mason estimating that the split in the security services team's work is hitting 70% proactive and 30% reactive.
"It used to be more reactive," he said. "You look at a couple of years ago, it used to be fire, fire, fire, fire, but now it's really starting to shift the other way. That's a good thing. The reactive work is not going away, but we're having more and more asks and requests [for proactive help]. It's actually kind of nice to see that over the last couple of years it's been ticking up more. [Being proactive is] planning ahead for your worst day. That day will come eventually. It's going to happen."
Cisco's security services group also has the ability to leverage the work of the Cisco Talos threat team, which looks at issues around the globe.
"While we're focused on maybe one customer or two customers or whatever number it might be, they're off looking at thousands upon thousands of customers and pulling down data and trying to figure out, 'OK, how can we get ahead of this?'" Mason said. "We may be with a client and may see one thing going on, and we take what little information we may have and say, 'Hey, Talos, what are you seeing?' They see a lot more than we would just see. They might say, 'Guys, this is XYZ,' or, 'This is new' or 'This is old stuff,' or, 'Whoa, we need to get ahead of this.' My team tends to see things nobody else sees quite yet."
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.