Stephen Cobb is a senior security researcher with ESET North America. He serves on the IT Security Community Executive Council for global IT trade association CompTIA, as well as the National Cybersecurity STEM Education Advisory Board. Cobb publishes extensively and speaks on privacy and cybersecurity topics worldwide. He is also a FHOOSH Security Advisory Board member.
“CISOs are looking for automation and scale in cybersecurity technology. To the extent that security technology develops in a way that requires less of a human component, that technology will be more likely to succeed.”
Q: What drives your focus on cybersecurity?
A: The positive potential of digital technology drives my interest in protecting the technology from abuse. That positive potential was apparent to me from the first time I saw a spreadsheet, on a KayPro 2 computer that I bought in 1982. In one night I was able to build a spreadsheet that did something the state central data processing department had spent nearly a year trying to do on IBM mainframe (build an auditing program for petroleum taxes). Not long after that I got a job teaching computer skills to business people and then started writing books on how to use software like spreadsheets, databases, and so on.
When I got a call to help a business whose computer had been stolen, it alerted me to the critical nature and value of data. And the first time a client asked me to install a network, I realized that once you start connecting systems to share data, you introduce many more possibilities for malicious activity and the core challenge becomes controlling what you share, so that you only share with authorized people.
I started writing about these challenges to help people enjoy the benefits of technology while helping to defeat the downside of that technology. A lot of computer security in the early days dealt with protecting against natural disasters, system failures and errors. But even when I published my first security book in 1991 there were plenty of cases of fraud and theft around data.
Q: What trends do you see affecting data security most this year?
A: Criminal activity is the major data security concern today, as it’s a low-risk/high-return proposition for the criminally inclined. The cybercrime industry, as with all industries, gets increasingly efficient in carrying out operations. Within cybercrime, different types of attacks tend to come in waves. One crime that’s big now is ransomware. We saw it start as very crude attempts to hold people’s info hostage, but now criminals can simply buy or rent an effective and highly scalable ransomware program.
There’s security community chatter about whether we’re seeing targeted ransomware, or just random ransomware. For example, in a case like Hollywood Presbyterian Hospital in Los Angeles, which is reported to have paid criminals $17K to get keys to their data back, was it random or were they targeted? I think most of today’s attacks are still general, pushed out through email or by infecting websites that victimize targets of opportunity: someone clicks on a malicious link and becomes a victim. If the victim is using a company computer, then they potentially jeopardize company data. But there’s no doubt some ransomware perpetrators are now going after specific targets rather than a using shotgun approach.
Ransoms can vary based on what price a criminal thinks the victims will pay, and they are typically paid in Bitcoin, because it’s harder to trace and identify the person reaping the benefit. Once a ransom demand is made, the targeted organization does a value calculation: the amount of the ransom vs. how long can they go without access to all of their data. If they have a full backup and an efficient recovery system, they can restore everything without paying the ransom. If not, or if backups aren’t working, then organizations lean toward fee payment. In most cases, you do get the keys if you pay.
Q: What are the biggest security challenges facing companies you work with?
A: The top challenge is finding enough qualified people to carry out the work that needs to be done. It’s clear that organizations of every type could do a better job securing their systems. Until there is some diminution or cessation of cybercriminal activity, organizations are going to have to up their game to protect their systems. Doing that requires scarce resources: one is money; another is human resources. It is often hard for information security to get more of the budget, and even if it gets the money, it’s going to be hard to find the right people to implement the technology.
We are going to see advances in cybersecurity technology in the next few years, but the challenge for many will be how to implement those improvements given there is a shortage of skilled personnel. CISOs are looking for automation and scale in cybersecurity technology. To the extent that security technology develops in a way that requires less of a human component, that technology will be more likely to succeed. Even then, you’re still going to need some people who can implement the solutions. SMBs will tend to use full-service MSPs who will provide hardware, software and security expertise.