Something is wrong in the broader Enterprise cyber security landscape. As a whole, organizations are devoting growing sums of cash to thwart cyber criminals. In 2018, international cyber security spending could reach $96 billion, according to Gartner — an 8 percent increase over 2017.
The number of data breaches is also skyrocketing. In 2017, there were more than 1,579 publicly-disclosed breaches in the United States, according to the nonprofit Identity Theft Resource Center. That’s a 44.7 percent increase over the 1,091 breaches against Enterprise targets in 2016. The cost that such cyber-attacks inflict also is rising. According to 2018 research from the Ponemon Institute, the average total cost of a data breach across the globe is $3.86 million, which is 6.4 percent higher than the year before.
The causes of the simultaneous increase in Enterprise cyber security spending and data breaches are multifaceted, but one core reason is this: many businesses’ cyber security teams are struggling to keep pace with the modern risk climate. In a nutshell, cyber criminals as a whole are outpacing companies’ ability to thwart them. Many business leaders are ratcheting up digital business initiatives while demanding that cyber security professionals keep up.

In addition, as Internet of Things (IoT) adoption matures, a growing number of cyber security professionals must now worry about managing the identities of thousands of new network endpoints. Many of these IoT devices are designed to have a long lifespan. It’s not uncommon for industrial equipment and medical devices to be in use for a decade or longer. When those devices are shipped with IoT functionality, that means that even if they are reasonably secure today, they might not be in 2028. What’s more, many IoT devices have limited computing horsepower, making it difficult to update their cryptography without sufficient upfront planning.

It’s no wonder that the 2018 Cost of a Data Breach study from the Ponemon Institute found that organizations with extensive use of IoT devices tended to suffer more-damaging breaches (costing $5 more per compromised record) than those that are not reliant on IoT devices. For a small-scale breach involving a limited number of files, the difference may be minimal. But for a breach with thousands or millions of lost files, the difference can quickly become costly.

On the flipside, companies making extensive use of security automation suffer markedly less damage than those that don’t. According to the Ponemon study, the average cost for an organization in the former camp is $2.88 million. For those without, the average damage was $4.43 million.
Complicating matters further is the fact that the strength of established cryptography tends to recede over time. There are several reasons for this. Security researchers may uncover cryptographic flaws in systems thought to be robust. And even when researchers discover a weakness in a standard encryption algorithm, the transition to an updated algorithm can lag. Look at what happened with Secure Hash Algorithm 1 (SHA-1), which was broken in 2005. Nearly a decade later, the algorithm was still frequently used. In the first half of 2014, nine out of ten SSL certificates on the internet were still signed with SHA-1. The algorithm’s ultimate expiration date was January 1, 2017.
Admittedly, for an adversary to break SHA-1 in 2005 required that they be well-heeled. But the financial costs and time needed to do so fell steadily over the years. In 2010, the German security researcher Thomas Roth cracked 14 SHA-1 password hashes in less than an hour by brute force, using GPU computing horsepower rented from AWS. The cost? $2.10.
In years to come, other encryption algorithms will see similar fates. The eventual rise of quantum computing will only exacerbate the problem. In 2016, researchers at MIT and the University of Innsbruck came close to cracking RSA encryption. Gartner predicts that, by 2022, quantum computers will be able to break RSA in near real-time. As commonly used cryptography algorithms are rendered obsolete, security professionals will need to be swift in removing the certificates, keys and trust-store entries that depend on them, while quickly installing quantum-resistant alternatives. (For more on the subject, check out the free eBook titled Crypto-Agile PKI for the Future.)
Estimates vary for when quantum computing will be ready for prime-time. But whether that happens in five years, as IBM expects, or whether it is two decades from now, the time to plan for crypto-agility — along with security automation — is now.
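The SHA-1 story above is what crypto-agility is meant to prevent: digests and signatures stored without any record of which algorithm produced them cannot be retired quickly. The following added example (not code from the article or any vendor it mentions) shows one agile pattern in plain Python: every stored digest carries its algorithm name, so an inventory can find deprecated algorithms at once and records are re-tagged on next verification. The approved/deprecated policy sets and the sample store are constructed assumptions for the demo.

```python
"""Crypto-agile digest tags: store the algorithm name alongside each digest so a
deprecated algorithm can be retired without guessing what old records used."""
import hashlib
import hmac

# Assumed policy for the demo; a real deployment would load it from configuration.
APPROVED = {"sha256", "sha3_256"}     # may be used to create new tags
DEPRECATED = {"sha1", "md5"}          # still verifiable, but must be migrated
CURRENT = "sha256"                    # algorithm used for all new tags


def make_tag(data: bytes, algo: str = CURRENT) -> str:
    """Return '<algo>$<hexdigest>'; refuses to mint tags with a deprecated algorithm."""
    if algo not in APPROVED:
        raise ValueError(f"refusing to create new tags with {algo}")
    return f"{algo}${hashlib.new(algo, data).hexdigest()}"


def verify_tag(data: bytes, tag: str) -> tuple:
    """Check data against a tag. Returns (matches, needs_migration)."""
    algo, _, digest = tag.partition("$")
    if algo not in APPROVED | DEPRECATED:
        raise ValueError(f"unknown algorithm in tag: {algo}")
    expected = hashlib.new(algo, data).hexdigest()
    ok = hmac.compare_digest(expected, digest)   # constant-time comparison
    return ok, ok and algo in DEPRECATED


def migrate_tag(data: bytes, tag: str) -> str:
    """Re-tag a record with the current algorithm, but only if the old tag still matches."""
    ok, needs_migration = verify_tag(data, tag)
    if not ok:
        raise ValueError("tag does not match data; refusing to migrate")
    return make_tag(data) if needs_migration else tag


def inventory(tags) -> dict:
    """Count stored tags per algorithm so deprecated ones can be located immediately."""
    counts = {}
    for tag in tags:
        algo = tag.partition("$")[0]
        counts[algo] = counts.get(algo, 0) + 1
    return counts


# Constructed sample store: one legacy SHA-1 tag, one current SHA-256 tag.
LEGACY_STORE = {
    b"firmware-v1.bin": "sha1$" + hashlib.sha1(b"firmware-v1.bin").hexdigest(),
    b"firmware-v2.bin": make_tag(b"firmware-v2.bin"),
}
```

Running `inventory(LEGACY_STORE.values())` is the "how many SHA-1 artifacts do we still have?" question that took the industry nearly a decade to answer; `migrate_tag` then retires them one verified record at a time.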