Tenable : Data Security is a Global Economic Imperative

It's time for government and industry to define and follow a cybersecurity-first approach to protecting the precious data driving global commerce.

Data makes the world go round. It's the grease keeping the machinery of modern global commerce moving quickly and efficiently. Without it, global supply chains would grind to a halt, stock markets would cease trading, and the simplest of consumer transactions would become untenable.

According to a 2017 McKinsey study, the volume of data flows, measured in terabits per second, has multiplied by a factor of 45 since 2005, to reach an estimated 400 terabits per second by the end of 2016. The McKinsey researchers find 'the global flows of goods, services, finance, people, and data have raised world GDP by at least 10% in the past decade, adding US$8 trillion of GDP by 2015.'

An IDC White Paper, sponsored by Seagate, Data Age 2025: The Digitization of the World from Edge to Core (November 2018), defines three primary locations where digitization is happening and where digital content is created: the core (traditional and cloud datacenters), the edge (enterprise-hardened infrastructure like cell towers and branch oces), and the endpoints (PCs, smart phones, and IoT devices). The research firm calls the summation of all this data -- whether it is created, captured, or replicated -- 'the Global Datasphere,' and predicts it will grow from 33 Zettabytes (ZB) in 2018 to 175 ZB by 2025.

You'd be hard-pressed to find any business or government leaders who would argue against the value of data in driving today's global economy. When crucial data is rendered inaccessible -- as was the case in the 2017 ransomware attacks involving NotPetya and WannaCry -- the financial and human consequences are undeniable. This Wired article puts the total damages due to NotPetya at more than $10 billion, while WannaCry is estimated to have cost between $4 billion and $8 billion.

Yet, we continue to see organizations in the public and private sectors alike taking a cursory, and often misguided, approach to addressing the cybersecurity risks inherent in our digital supply chain. We see this manifesting in three key ways:

1. Magical thinking. Organizations continue to invest in a vast array of tools in pursuit of a technical silver bullet, yet they continue getting hacked because they're overlooking the basics of cyber hygiene. According to the 2018 Attacker's Advantage report from Tenable Research, cybercriminals have a median seven-day window of opportunity during which they can exploit a vulnerability to attack their victims, potentially siphoning sensitive data, launching ransomware attacks and causing extensive financial damage before organizations even take the first step to determine their cyber exposure and whether they are at risk. In the case of some major headline hacks of recent years, attackers were lurking undetected in data systems for as long as two years. This tells us organizations are failing to do the most basic blocking and tackling.
2. Asymmetrical responses. In most cases, a cyber attack -- whether by a nation-state or an individual hacker looking for financial gain -- is akin to a mouse chewing on a cable to bring down the electric grid. Sure, you can use heavy artillery to kill that mouse, but at what cost to your infrastructure? The most mature organizations use a highly strategic approach to assessing vulnerabilities. They conduct frequent vulnerability assessments with comprehensive asset coverage, as well as targeted, customized assessments for different asset groups and business units. In other words: they're hunting the hacker mouse with sharpshooters not bombers. Yet, the 2018 Cyber Defender report from Tenable Research finds only 5% of organizations follow the most mature, 'diligent' style of vulnerability assessment.
3. Poor prioritization. Cybersecurity teams face an avalanche of alerts every day, yet current methods of assessment make it difficult to understand and, therefore, prioritize the CVEs which present the greatest business risk. The 2018 Vulnerability Intelligence report from Tenable Research reveals 15,038 new CVEs were published in 2017 in total, versus 9,837 in 2016, an increase of 53%. The count of 2018 CVEs is still underway and likely to continue for a few months. We estimate 2018 to be on track for just under 18,000 new CVEs, an increase of approximately 15% over the prior year. Almost two thirds (61%) of the CVEs enterprises are finding in their environments have a CVSSv2 severity of High (7.0-10.0). Yet, public exploits are available for only 7% of all CVEs. The reality is that, for most CVEs, a working exploit is never developed. Of those, an even smaller subset is actively weaponized and employed by threat actors. Finding and fixing the 7% is critical to improving an organization's cyber exposure -- and still difficult to accomplish.

The 2018 Global Business Risks report from the World Economic Forum ranks cyber attacks as the No. 3 global risk in terms of likelihood, behind extreme weather events and natural disasters. However, cyber is still under-resourced in comparison to the potential scale of the threat. Indeed, the 2018 Cyber Risk Report, conducted by Ponemon Research on behalf of Tenable, reveals that 58% of more than 2,400 survey respondents lack adequate staffing to scan vulnerabilities in a timely manner. More than half (51%) say their cybersecurity teams are further hindered by a reliance on manual processes.

A recent Harvard Business Review article notes: 'As the digital economy continues to develop, cybersecurity will play a critical role in international trade. Instead of considering security only a regulation issue, governments need to consider ways to avoid unnecessary confrontations, and organizations should become proactively involved to address concerns and influence policy to improve outcomes for everyone.' Along these lines, Tenable joined with other industry partners to advocate for more effective cybersecurity language in the recently announced US-Mexico-Canada trade agreement, which updates the NAFTA agreement. This language recognizes the critical importance of cybersecurity in enabling modern international trade and inhibits signatories from using cybersecurity policy to unfairly restrict trade.

We believe an even stronger approach is needed, one which starts at the board level and incorporates the business discipline of Cyber Exposure across all organizational activities. It's time for government and industry to define a cybersecurity-first approach to protecting the precious data driving global commerce. We believe this approach requires organizational leaders to commit to a strategy that ranks cybersecurity as a top economic risk, alongside natural and manmade disasters. As stated in the World Economic Forum's December 2018 report, Our Shared Digital Future : 'Even beyond the economic implications (e.g. on intellectual property or financial stability), better security is necessary in order to protect the integrity of a wide range of societal values, such as basic rights, privacy and democratic processes.' We couldn't agree more.

I'll be discussing these and other cybersecurity concerns with global leaders from the public and private sectors on January 22 during the Cyber Future Dialogue 2019 conference in Davos, Switzerland. I looking forward to sharing insights and highlights from the event with you hereand on social media.