The cybersecurity vendor marketplace is growing so crowded that some companies have been resorting to extreme tactics to get security executives on the phone to pitch their products, including lying about security emergencies and threatening to expose insignificant breaches to the media.
The aggressive tactics come as the cybersecurity market expands dramatically, with a "long tail" of thousands of vendors with niche specialties. These sales tactics can make it harder for overworked cybersecurity execs to find and stop real threats. They can also result in overhyped publicity about breaches and hacks that are actually minor, which confuses customers and consumers.
CNBC spoke with four top cybersecurity executives at Fortune 500 finance, health care and payments firms about unsavory practices from vendors. These executives all said they have been pressured by vendors and researchers who claimed — rightly or not — to have found a cybersecurity problem at their company. Some hinted at the possibility of negative news coverage if the executive did not listen to the vendor's full pitch.
Complicating the picture, many ethical hackers use their contacts with the company to report legitimate problems. One executive complained the noise makes it difficult to pinpoint the legitimate reports of infrastructure flaws that need to be fixed.
It's hard for cybersecurity companies to get noticed. Smaller vendors particularly struggle because top corporations already have contracts or strong customer relationships with the biggest vendors.
This is where the threat of negative media coverage comes in. Exposing a security flaw, no matter how small, can garner big headlines if it's at a big company. Enough press coverage can spark weeks of outrage and land top leaders in front of Congress.
However, breaches that actually cause damage are relatively rare. As a result, vendors often try to make a big deal out of minor breaches that don't expose important company or customer information.
For instance, all four executives said vendors tried to draw their attention to potentially exposed data on Amazon Web Services and Microsoft Azure cloud storage. None of this data included any current material information.
In one case, a database housed business plans for a 10-year-old project that had already been reported on and was now irrelevant. In another case, the data included information about customers — but only their names and the fact that they had attended a technology conference several years earlier. There were no further personally identifying details, Social Security numbers or other data that would have raised the ire of regulators or even senior company executives.
But the representatives pressured the execs on the phone, saying they had repeatedly tried to warn them about these minor issues and were ready to go to media outlets.
Fearing negative publicity, these execs typically agreed to spend around an hour allowing the vendor to offer "free services" to fix the problem, followed by a bigger pitch for paid services.
Two of the executives also said vendors used questionable tactics just to get through to their phone. Vendors have called in to report "emergency" incidents, then once they got past the company's gatekeepers, turned the "alert" into a sales pitch. They have also lied to administrative staff about their reasons for calling, characterizing their call as a matter of grave security importance, only to present a sales pitch once they'd worked their way up to the right executive.
All told, this results in a great deal of wasted time. Worse, as one executive said, "I distrust most of them, so it's possible I miss the people who may be trying to raise actual issues."
Cybersecurity vendors also often try to scare executives based on the type of perpetrator launching a given attack.
These pitches often work on board members or less technically inclined executives, who are scared of the prospect of defending their networks from Iran, China, North Korea or Russia and impressed at the vendor's purported investigative skills, the executives said.
But for the vast majority of companies, attribution doesn't matter at all, they said. That's because, no matter who did it, most private-sector data breaches come down to the same basic security weaknesses that every attacker exploits.
"If you're vulnerable to SQL injection," said one bank chief information security officer, referring to a common flaw in which attacker-supplied input is interpreted as part of a database query and is often used to steal consumer data, "then you're going to fall prey to SQL injection. It doesn't matter if some kid in the basement does it or the PLA [China's People's Liberation Army]."
Regulators don't particularly care, either, the bank official said. If you have a weakness that you should've fixed, regulators will focus on that weakness.
"Unless you're the NSA, attribution doesn't matter," the security head said.
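The bank CISO's point is easy to make concrete. The following Python example is added here to illustrate it and is not code from the article or from any company it quotes. It builds a constructed in-memory SQLite table of customer records (sample data only), then runs the same lookup two ways: once with the query assembled from a string, and once with a bound parameter. The canonical payload `' OR '1'='1` dumps every row from the first and nothing from the second. The attacker's identity never enters into it; only the weakness does.

```python
import sqlite3

# Constructed sample data for the demonstration; not real customer records.
SAMPLE_ROWS = [
    ("alice@example.com", "123-45-6789"),
    ("bob@example.com", "987-65-4321"),
]

# Classic tautology payload: closes the quoted string, then makes the WHERE clause always true.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, ssn) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: the caller's input is spliced into the SQL text, so it can change
    the query's structure. With PAYLOAD the statement becomes
    SELECT ... WHERE email = '' OR '1'='1' and matches every row."""
    sql = f"SELECT email, ssn FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened: the input is passed as a bound parameter. The database treats it as
    a literal value to compare against, never as SQL syntax, so PAYLOAD simply fails
    to match any email address."""
    sql = "SELECT email, ssn FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups against the payload and against a legitimate address,
    returning the rows each one yields."""
    conn = make_db()
    try:
        return {
            "vulnerable_with_payload": lookup_vulnerable(conn, PAYLOAD),
            "hardened_with_payload": lookup_parameterized(conn, PAYLOAD),
            "vulnerable_legit": lookup_vulnerable(conn, "alice@example.com"),
            "hardened_legit": lookup_parameterized(conn, "alice@example.com"),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The fix is the same whoever is on the other end of the connection: every query that takes external input goes through a parameterized statement or a query builder that does the binding for you, and the string-formatted variant is treated as a defect to hunt down in code review regardless of which threat actor a vendor names in its pitch.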