When it comes to cybersecurity, corporations are in a catch-22. Most say they are better prepared than they were a year ago to confront cyberattacks — cybersecurity is the No. 1 technology spending line item — but at the same time, technology executives fear more kinds of attacks, and attacks hitting closer to home, from sources including rogue employees and rogue vendors.
The percentage of technology executives who said state-sponsored cyberwarfare was the most dangerous cyberthreat their company faced declined from 38% to 26% in the third-quarter 2019 CNBC Technology Executive Council survey. But concerns about rogue employees rose, from 14% to over 18% of executives citing it as the biggest danger. And for the first time, rogue vendors showed up in the results, with near-6% of tech executives saying this was their biggest cyberthreat.
The rising fears related to rogue employees comes in the wake of the July cyberattack on Capital One, in which more than 100 million customer accounts were stolen by a former Amazon employee — Amazon Web Services provide cloud computing to the financial services company. The CNBC Technology Executive Council survey for the third quarter 2019 was conducted from Sept. 9–Sept. 22 among 54 council members.
The role of the individual rogue employee sets that hack apart from other high-profile recent incidents, such as the Equifax and Marriott International attacks, which featured state-sponsored actors.
"This situation does bring this type of hack to mind with us," said Xerox chief information security officer Alissa Abdullah, a member of the CNBC Technology Executive Council. "Every breach disclosed reminds of things we need to either shore up in our own areas or further verify that we are doing enough. ... This is just a reminder that these type of incidents are happening all around us. The disclosure of an incident isn't the first time it has happened, nor is it isolated, so no CISO (chief information security officer) should think 'it can't happen to me,'" she said.
The survey was conducted well before the DoorDash data breach, which was revealed last Thursday, but an unauthorized third-party service provider blamed in that cyberattack highlights the risks posed by vendors.
What is the most dangerous cyberthreat to your company or organization?
"Encryption is failing us," said Tom Kellermann, chief cybersecurity officer of Carbon Black, a member of the CNBC Technology Executive Council.
Kellermann said that while companies are spending more on cybersecurity and may be better prepared, "most companies are insufficiently prepared to mitigate cybercrime."
According to Carbon Black research, the hacker community has dramatically increased its organization and level of sophistication in 2019. Most cyber-intrusions are no longer "smash-and-grab burglaries" but rather they escalate into "home invasions."
Victimized corporations' networks are used to attack their customers and partners via what Kellermann called "island hopping," which is occurring 51% of the time. Recent attacks that were a result of island hopping, including the attacks against 24 towns and cities in Texas; the Marriott International breach and, most notably, the Chinese Cloud Hopper campaign reportedly targeted companies including IBM and Hewlett Packard Enterprises to attack their customers.
Kellermann said this stark reality is compounded by the exponential increase in destructive attacks, or "virtual arsons," which have increased 160% since 2018, according to Carbon Black data.
"Cybersecurity must be viewed as a functionality of conducting business in 2019, not an expense. This is no longer an IT problem. This is a brand protection problem," Kellermann said.
"Recent cybersecurity incidents, inclusive of Capital One but also supported by Target, Equifax and the like, have moved cybersecurity from being an IT problem to a brand problem in most major enterprises, especially those who have significant brand to protect," said Wendy Pfeiffer, chief information officer of Nutanix and a member of the CNBC Technology Executive Council.
Pfeiffer said she is concerned about the increasing complexity of operations and how that is making it more difficult for organizations and their vendors to defend their digital domains. "Lack of visibility, poor perimeter control and insufficient ability to quickly detect and contain intruders remain core challenge," Pfeiffer said. "As companies make use of a hybrid cloud footprint (applications and their data running both on-premise and in one or more public clouds), the complexity and scope of all of these core challenges increases. Many companies are struggling to even map out or define their perimeter, and there are few vendors in today's marketplace who offer complete visibility and management across our hybrid cloud estate."
This is a fear echoed by Michael Gioja, senior vice president of IT and product development at Paychex, when discussing the Capital One incident. "The Capital One type breach was really on Capital One not managing their security perimeter effectively and the Amazon employee took advantage of that gap – this could have easily occurred if it was within their own data center and insider."
Kellermann and other top technology executives are concerned that too much focus on the role of rogue employees due to a recent hack like Capital One misses the bigger target.
"This should not be their biggest concern," Kellermann said. "Worst-case scenario in 2019 is for your network, mobile app or website to be commandeered and leveraged to attack your constituency via island-hopping. Your brand will be used against those who trust it."
Tech executives who say the rogue employee threat is overhyped are worried about the role of vendors.
"From my peer circle discussions, the rogue employee threat, risk, is not perceived to be on the rise or to be the primary threat. I believe the escalating theme is the threat of third parties and partners," said Kirsten Wolberg, chief technology and operations officer at DocuSign and a member of the CNBC Technology Executive Council.
"Every company today must rely on third parties and partners to do business, and for the most part, our collective ability to truly assess the security posture of those third parties has not kept pace with the needs and the changing threat landscape," Wolberg said. "That's an issue, and one that needs to be addressed swiftly and comprehensively."
Who is most at fault for the July cyberattack on Capital One?
A majority of executives responding to the CNBC survey did not hold Amazon responsible, even though a former Amazon employee was implicated in the Capital One attack. About a third of respondents say Capital One is most at fault for the breach, while a quarter put most of the blame on the former employee.
Regardless of quarter-to-quarter fluctuations in survey data, technology executives say the threats are everywhere.
"Insider threat is an important space to address. We are concerned about state-sponsored threats which are occurring outside and within the U.S. national boundaries. We certainly need to be very aware to protect ourselves from a hacker whose primary intent is to commit fraud by hacking into our client base and appearing as if they are now our client," Paychex's Gioja said.
One potentially encouraging piece of news for consumers — a group that, between the Equifax, Marriott, Capital One and DoorDash attacks, now numbers more than 700 million affected individuals — is that companies expect to be held accountable.
Overall, 83.3% of CNBC survey respondents say individual companies should bear the most responsibility for protecting consumer information from cybertheft.
Carbon Black advises organizations to be on the lookout for three forms of island-hopping:
Network-based island-hopping. The most typical form of island-hopping, in which an attacker leverages your network to "hop" onto an affiliate network. Of late, this has often taken the form of targeting an organization's managed security services provider (MSSP) to flow through their connections.
Websites converted into a watering hole. Victim's website is converted into a "watering hole," a technique aimed at ensnaring a victim's customers and partners. It's the greatest way to hijack a brand, and as such, organizations need to make this a brand protection issue. CMOs have to have their own cybersecurity strategy in place as it relates to their digital marketing footprint.
Reverse Business Email Compromise (BEC). This is a new trend, occurring primarily in the financial sector, where attackers take over the mail server of their victim company and leverage fileless malware attacks from there to those who trust it.