December 9, 2015

Ask the Expert: 'We Are Losing the Game' Against Cyber Threats

The cyber security industry faced steep challenges in 2015, and the battle against hackers and other threats to corporate data looks bleak, according to Natalya Kaspersky, co-founder of Kaspersky Lab. Kaspersky shared her thoughts on the topic with Byron Acohido, editor-in-chief of ThirdCertainty. Kaspersky served as CEO of the lab before becoming CEO of InfoWatch and acquiring a stake in G Data Software.

Q: Have company decision-makers begun to take IT security more seriously in the past year or two?
I don’t see significant improvements. The board of directors and the top management, especially, always have something else to do, and security is not the No. 1 priority. They always think the business is more important. Quite often they start to think about security only when an accident happens. Then they ask, ‘Why haven’t we been protected?’ And usually the answer is, ‘You didn’t (provide) the budget,’ so that’s why.
Q: Meanwhile, the bad guys keep innovating and advancing.
We still witness plenty of virus attacks, and G Data rejects many of those daily. But also we see more targeted attacks, where an enterprise is being attacked from different angles. Quite often the attackers use insiders to get internal information about the organization. They use any method that allows them to go through, and that’s very dangerous and something that is very difficult to protect.
One of my companies recently found a massive targeted attack, which developed very quickly through the whole network in a large Russian bank. We called them immediately. They didn’t have a clue. They had an anti-virus system installed; they had everything installed. But that attack was specially developed against this particular bank and used the vulnerabilities that the bank had in its IT systems.
Q: Protecting the network perimeter is hard if you aren’t clear where the perimeter begins and ends.
Right. The Bring Your Own Device trend is abbreviated BYOD. I like to read that to mean Bring Your Own Disaster. At the moment there are 4,500 different devices with different operational systems. People come with their own devices, and they’re unprotected. This is a big hole in the enterprise protection.
The cloud is another big problem. When you put your information into the cloud, you actually don’t know what happens to this information. You may feel more secure if you encrypt it, of course. But even then, there could be a man-in-the-middle attack, or some other attack, so the information goes outside of the cloud.
Q: But we rely on cloud services. Companies like Google have made it very easy.
And they do business on that, they sell you the goods through Gmail. Basically they monitor what you’re writing and get advertising. That represents another problem with the security of personal information and identity security. Somebody knows everything about me, or too much about me. Of course, many people would like to maintain their privacy, but they don’t even know that their privacy is somehow violated.
Q: And the cloud also provides more avenues for data leakages.
Q: You’ve been in the security game a long time. Where are things heading?
Honestly speaking, we are losing the game. The black side is working faster, and they are always one step ahead. That’s the problem with any protection methods and software and tools. It didn’t get better, unfortunately. I would love it if it got better, but I don’t see any trend.
Q: Getting back to company decision-makers, do you see any signs that they could become more proactive?
I think there is a need to teach them. We need to somehow change this prioritization in the minds of people; maybe then the world could be become better.
Q: Aren’t security vendors, your companies included, trying to help close the gap?
Some time ago, I had an idea when I sold my Kaspersky shares, I thought I would create the company that would protect against different threats. We searched the trends and found the threats we thought would be the most popular. And we were trying to find the protections against those.
And now I understand that that’s a game that is impossible to win. Because there are more and more new technologies, and with any new technology, there are new threats. And you need to have another solution to protect against this new, particular threat. Unfortunately, the efficiency of the security software—I can’t say about the total protection, which includes services and organizational methods—but the security software is less and less effective.
Q: What can be done?
I don’t know what to do. Maybe in the future I can invent some other new other way. But I think the security industry stands in front of a big challenge right now. We’re not able to effectively deflect the majority of possible threats. And we need to somehow change ourselves, maybe invent new solutions, and maybe do some absolutely unexpected steps in this fight, because we are not winning.

Byron Acohido is editor-in-chief of ThirdCertainty, where this article originally posted.