WannaCry meant big bucks for cybersecurity companies. The cybersecurity event that dominated headlines for days last month led to significant share spikes for top cybersecurity companies like FireEye and Sophos. While the WannaCry ransomware attack, which hit hundreds of thousands of computers across 150 countries, was a wake-up call for companies everywhere without adequate cybersecurity measures, these incidents are becoming less of a surprise – less a shock, and more of a reminder that companies need to double-down on their security efforts.
“Honestly,” said Dan Larson, vice president of product marketing at CrowdStrike, “it’s getting easier over time to improve corporate awareness of cybersecurity needs. You see both the pace and the cadence of security-related headlines coming to the forefront.
“It seems like a never-ending onslaught,” he told PYMNTS.
You may recognize CrowdStrike as the cybersecurity company used by the Democratic National Committee to investigate a Russia-linked breach, or from the news last month that it raised an impressive $100 million from Accel.
Or, you may just recognize the name because cybersecurity companies are top-of-mind for many professionals lately.
According to Larson, that’s the result of a massive overhaul in enterprise security in recent years.
“For the past 15, 20 years, if you’re an organization, a business, a government entity, whatever, the rule of thumb was to get antivirus software and have a firewall,” he said. “That was the gold standard for a long time. The problem is that that has remained the standard, and even simple attackers, not even sophisticated nation states or highly skilled adversaries, just about anybody can now easily bypass those two things.”
The highly cited Target breach of 2014, quickly followed by the Home Depot breach, set off a renewed focus on enterprise security for many companies, he said. Unfortunately, many businesses, though aware of the risks, have yet to upgrade from that basic antivirus software/firewall combination.
“There are some companies less mature in their security journey that have no idea,” he said of the lack of awareness some enterprises have when it comes to their exposure to a cyber attack. “Even recent events like WannaCry – when something like that happens, it’s a dead giveaway that companies are still using the old approach, that until it showed up in the headlines, companies haven’t been compelled to reconsider their security posture.”
Unsurprisingly, there’s a problem to only paying attention to cybersecurity strategy when a major event like WannaCry occurs. Larson warned that for companies that scramble to implement safeguards following some type of attack, they’re probably going to be left vulnerable, because a single software or technology couldn’t possible protect an enterprise 100 percent.
“If anybody promises to be 100 percent effective at stopping attacks, they’re lying,” he stated. “Even the most sophisticated product in place, something like ours, will never be perfect.”
That’s because cyber attackers aren’t just using automated, malware-first approaches to their crimes anymore.
Take the Business Email Compromise, for example. A company can have a robust cybersecurity tool in place, complete with data analytics capabilities, and yet when an employee mistakenly gives sensitive corporate data or credentials to a seemingly legitimate professional at the request of a seemingly legitimate email, that cybersecurity approach goes out the window.
According to Larson, there is an increase in malware-free attacks like these that demand cybersecurity strategies to not only involve a prevention strategy, but to include technologies like behavioral analytics – or what CrowdStrike calls Indicators of Attack – to be able to identify when an employee and correspondents may be compromising the enterprise.
“Our data shows 60 percent of the time, a successful attack happens when there is no malware,” he said. “Attackers were using a sophisticated technique that would require behavioral detection, whether you’er a giant corporation or a small business. Those more sophisticated attacks are now a reality.”
He emphasized that statistic as yet another key to understanding why so many corporations’ cybersecurity strategies today fall short.
“If all you’re worried about is viruses, then you’re completely missing the boat,” Larson says
In addition to behavioral analytics, a cybersecurity strategy should also acknowledge that, because no one solution is 100 percent effective at preventing an attack, there needs to be technology and practices in place to identify and mediate a breach. In part, that comes from a cybersecurity provider, Larson said, with CrowdStrike adding event detection and response capabilities into its solution – an act, he said, of “humility.”
But it also comes from within the corporation itself and acknowledging the need for better training and education among employees.
“A really solid security plan involves people, process and technology,” he explained. “People play a role. We definitely encourage training and educating people about good email hygiene, not clinking on links or files, things like that.”
After all, assuming a cybersecurity solutions provider would allow a CEO to completely hand off their organization’s security concerns is a fatal mistake, Larson says.
“If you are a business owner and you think there’s a silver bullet out there, that if you just buy this new technology and all your problems will go away, that’s not the case,” he said. “Any cybersecurity vendor who claims otherwise should probably not be trusted.”