The [Beatings] Ransoms Will Continue Until [Morale] Culture Improves

Chris Clements, VP of Solutions Architecture at CISO Global

• Most of our technology systems are best described as “accidents waiting to happen.” They are an easy target to pick on, but, for example, on its infamous Patch Tuesdays, Microsoft regularly fixes security bugs — so many bugs that they sometimes hit triple digits — every month. Some manufacturers do have better track records than others, but suffice it to say that routinely finding multiple security issues is more the norm than the exception.
• Even the systems that are “better” often have insecure default settings meant to ensure broad compatibility, but are trivially exploitable by attackers, putting organizations at risk of compromise.
• Scale. Every computer system, from laptops to servers, is a potential target in the ever-evolving threat landscape. Within each system reside hundreds of applications, from built-in utilities for basic system operations to third-party browsers with their own massive attack surface. Conceivably, every one of these applications can have flaws that are easily exploitable, making it simple for attackers to access data or gain control of the system. With tens, hundreds, or thousands of systems in your organization, this translates to a vast, interconnected attack surface.  Keeping all these applications securely configured, patched, and constantly monitored for suspicious activity is a monumental task. Even with these efforts, new vulnerabilities (zero-day exploits) can emerge, and insider threats can still pose a risk. 

On Rising Tides

I’d be remiss not to point out that we are seeing a positive trend, with many manufacturers, industries, and individual organizations prioritizing cybersecurity, evidenced by increased investment, better tools, and more secure defaults. I applaud these efforts to improve cybersecurity resiliency, but unfortunately despite this progress, breaches continue to be prevalent and will continue to increase seemingly unabated regardless of this growing focus on cybersecurity.

There are three main reasons why data breaches will likely persist. First, fundamental security weaknesses remain largely unaddressed. Patching, configuration, and monitoring are crucial but can’t catch everything, especially new vulnerabilities (zero-day exploits) or insider threats. Second, a critical knowledge gap exists across all levels of organizations, from leadership to technicians. A deeper understanding of attacker methods is critical for defense, yet many organizations continue to rely solely on security products. This reactive approach leaves them vulnerable if a single control fails. Imagine a sports team neglecting to learn offensive strategies — by always being on the defense, the team would undoubtedly fail. Unfortunately, that’s how some organizations approach cybersecurity.

Finally, we may not like to admit it, but cyber criminals are constantly adapting. Ransomware has become a multibillion-dollar industry, and while some attacks are simple, attackers won’t simply give up because we adjust and tighten security. They’ll invest in improving their hacking skills and develop or purchase zero-day exploits to keep the money train rolling. After all, cyber criminals know that with a few clicks on the keyboard, they can turn a half-million-dollar investment into tens of millions through extortion — it’s easy money and that’s savvy business. 

The Long-Term Solution: Culture

The good news is there’s an effective approach to staying resilient against ever-evolving cyber threats: a culture of cybersecurity. By adopting a culture of cybersecurity, beginning with executive leadership and extending throughout the business, organizations can ensure that everyone is working toward the common goal of keeping themselves and their customers safe.

What does it mean to have a “culture of cybersecurity”?  It’s about a shared commitment throughout the organization. It starts with leadership prioritizing cybersecurity and allocating resources for training and technology. This empowers employees at all levels to understand how cyber threats work and become active participants in protecting company assets. From reporting suspicious activity to using strong passwords, everyone plays a crucial role in safeguarding the organization’s data.

Flashy vendor booths dominate big conferences like RSA, giving a false sense of security (pun intended), yet ransomware is still an epidemic. While security tools play a role, a truly secure organization fosters a culture of cybersecurity. Building a holistic culture of cybersecurity goes beyond the flashy tools. It requires investing in less glamorous areas like system and application hardening, network segmentation and attack surface reduction. Educating users on the most frequent and effective threats can help reduce susceptibility to phishing and fraud tactics. Regular validation of the controls already in place with frequent vulnerability scanning, and penetration testing also helps address weaknesses or gaps, which expose the organization to risk. Finally, 24/7/365 monitoring with detection and response capabilities helps catch attacks that slip past other defenses.

Fostering a culture of cybersecurity requires consistent effort and investment, but the rewards are substantial. By prioritizing security across every facet of the organization, you can significantly reduce the risk of costly attacks that damage not just your finances, but also your reputation.