What can stop the cybercrime tsunami?
This post was originally posted on CyberNews.
In the last two years, fraudsters, cartels of all shapes and sizes, and state-sponsored hackers have tarnished the online world. There seems to be no end in sight for the cyber plight of privacy and digital wealth. However, we might still see the tide turning, even though not as soon as we’d like to.
The current cyber landscape has been anything but pretty. The 21st-century mafia, cybercrime cartels, have learned to steal a colossal amount of money with little to no repercussions. Just in the last six months, cyber-attacks have increased by 29% as threat actors continuously exploit the pandemic. Groups that exploit ransomware tactics have entered a golden age, with the use of the technique growing at a breakneck pace of 93% in less than a year.
Even though the period seems dire, there’s some light at the end of the tunnel. Bart McDonough, a cybersecurity veteran and founder of Agio, a hybrid managed IT and cybersecurity services provider, admits that the situation will get worse before it gets better. The silver lining is that the crime wave will recede.
“I think it’s going to get worse before it gets better. I think we’re still on the upper slope of this hockey stick curve that’s been occurring in the last few years, but I do see hope that we’ll start catching up. We, being the good guys, start catching up within this kind of five-year window,” McDonough told CyberNews.
He thinks that with the advent of AI-powered cybersecurity, a shrinking attack surface, and the demise of decades-old technology, the cyber neighborhood might once again be safe enough for a digital stroll after dark. We discussed whether artificial intelligence would replace humans in the cybersecurity sector, the cybercrime ecosystem, and what can make it all change.
With whole ecosystems forming around cybercrime development, some even call this age a gold rush for cybercrime. What’s your outlook towards the current cybercrime climate we live in?
I think what’s so interesting about the environment right now is that there are two different forces at play here. As I see it, you have this criminal ecosystem that’s flourishing. There have been hackers since computers were invented, but there weren’t many ways to monetize it.
And what we’ve seen over the last five years is an explosion in the ability to monetize crime, headlined by ransomware. But there have been other ways to monetize these hacking skills, and criminal networks formed.
But in the last ten years, we also thought a lot about surface area. You could only protect what you know, and the larger the surface area is, the harder it is to protect. And if you think about the surface area, since the iPhone came out in 2007, there has been a massive proliferation of surface area.
Not only do devices go from enterprise devices to more consumer devices, things like iPhones and iPads, but we’ve also seen a proliferation of applications.
We used to have one primary work password. Now you have several. That means the surface area is exploding. And this really accelerated with COVID. A client of ours told me that they suddenly had 170 remote offices overnight because all of their employees went to work from home.
So the proliferation of devices and apps is even greater with newly added locations. That explosion is why there is excellent technology coming out every day. It’s wonderful, but I don’t think it’s outpacing what’s happening in the criminal ecosystem or with the overall technology proliferation.
I think it’s going to get worse before it gets better. I believe we are still on the upper slope of this ‘hockey stick’ curve that’s been occurring in the last few years, but I do see hope that we’ll start catching up within this kind of five-year window. I think things will level off.
But there’s going to be a lot of money and data stolen between now and then. I’m not saying it’s going to stop in five years. It might level off and not grow quite as exponentially as it is right now.
Why is that? Why do you think the crime wave will eventually start stalling?
I think at some point, some of the proliferation slows down. What we’ve seen in a lot of industries is consolidation. And I think with all the mergers, we’ll start getting back to this idea of one work password, as opposed to 60, and that will help narrow that surface area.
I also think we’re going to see the decreased use of some old technology. Think about it. Email is a 40-year-old technology. It’s still based on protocols that were written in the ’70s. And that is where a lot of bad actors are perpetrating their crimes.
That’s going to start moving away as things like Teams and Slack and others just kind of take hold.
In your 2019 book Cyber Smart: Five Habits to Protect Your Family, Money, and Identity, you say that on the internet, we all live in a bad neighborhood. Did your outlook change over a couple of years?
If you walk to work every day and someone tried to pick your pocket once a week, you would find a new way to get to work. You would stop walking that way, or you would get a car. You would do something. The reality online is that someone tries to steal from us four or five times a day.
By that analogy, we live in a bad neighborhood. We live in a worse neighborhood than we did in 2019 when the book came out. I think we will get our neighborhood safe, and if we’re going to continue this analogy, it might get better in a few years. But it’s going to continue to get worse before it gets better.
Do you think the current cyber landscape is different for individuals and businesses? Is the neighborhood dangerous to us all?
My answer would have been different 18 months ago than it will be today. I think businesses have it worse off today because of the rise in ransomware. Two years ago, I wouldn’t have said that.
I would have said that it was pretty random. We called them drive-by attacks. You were just an IP address on the internet, whether you were a business or a person. The hackers really didn’t know. But I think they do now. Companies are paying, even if they pay $10 thousand.
The fact is most businesses don’t use a service like ours, where we manage their IT and cyber. And even when they do use an IT service, they often neglect their cyber. They still have lousy password policies. They have bad multifactor policies, and they have horrible patching policies. These things leave them very vulnerable to ransomware.
Recently you introduced AI technology in your business model. Could you tell me what made you lean towards AI and how does it help cybersecurity?
What we were looking for was a force multiplier. We have a group of these talented humans, but at the same time, there’s a shortage of really good IT talent.
So, how do I utilize these incredibly talented individuals on my team but have the most impact? We wanted to couple them with technology that allows them to scale and to have a greater impact. And so, we started looking at force multiplier technologies.
At its core, AI is good at prediction models. And in cyber, we want to know if there’s a problem, i.e., is this behavior risky, is this malicious behavior, and so on. AI can find that needle in the haystack and then allow humans to improve on top of that with their ingenuity and unique skills.
That allows them to take it over and do the rest of the investigation. We weren’t trying to find a place for AI in particular as much as we were trying to find a way to make our people more productive. We just so happened to find AI to be a great tool to make that happen.
However, there are quite a lot of fears regarding AI’s entry into the job market. Would you think AI-powered security solutions can outpace humans, especially within the cybersecurity field?
I don’t. I’m going to look at a time horizon of 10-20 years but stop there. Where I think AI is incredibly powerful is threat detection and threat hunting, even threat remediation. I think being able to determine if an attack and action are malicious, AI will do it in a few years.
AI can do an excellent job at finding anomalous activity and then determining whether it’s also malicious, although it’s going to be a little bit before it’s deterministic there. One area where AI is lacking and will be for a while is spotting suspicious activity.
Let’s say you give someone rights to a machine. It could be, or it could not be malicious. I think AI is going to have a hard time making that decision. But I think we will get there right in the next three to five years.
Now, why did I say no to the original question? If I say these three big areas of attacks: malicious, anomalous, and suspicious, we think AI can do well. I believe AI will have a hard time at risk management, making all of those decisions, and that’s where humans will step in and play that decider role, even if augmented heavily and supplemented heavily by AI.
When we get to the point of making risk-based decisions, humans are going to need to make those decisions, those judgments, aided by a lot of great insight provided by AI.
If you could give one crucial piece of security advice to individuals and businesses, what would that be?
If I had one piece of advice for an individual, I’d advise you to make sure you have two-factor authentication on all of your critical websites. I’d start with email, banking, any investment sites, social media. We don’t have a silver bullet, but if there is one, this is the closest thing to the silver bullet we have now.
For businesses, I’m going to assume that they have two-factor authentication. The thing that I think every business should do is run a tabletop exercise, run a mock event. Consider you got breached by ransomware. What will you do? Who will you call? What’s your legal response? What do you have to do from HR? You have to contact clients, but do you know how to reach clients? Practice.
The more you practice it, the better you get. My number one advice to business owners and operators is to practice a cyber incident. Practice your response.