What is the most critical area needing cybersecurity defense? Is it your home and family? Is it the healthcare sector? Do one or more areas — transportation, the power grid, water supply, etc. — collectively referred to as “critical infrastructure” demand the most attention? I mean, the description of infrastructure as being critical makes its components rate pretty high by definition. Could it be the final frontier, space, with all its communications satellites and future prospects?
My hunch is that if you stopped nine strangers and asked what needs the most protection from hackers, you could get at least a half dozen answers. None of them would be a wrong answer because we must know that no single area operates in a vacuum. If we, or more precisely the security firms and government agencies, focused only on one area, that protection would be in vain. Eventually, because everything is connected to everything else, those other areas left untended would be compromised, and every newly weakened link thus compromises everything else, including the hyper-focused area.
Maybe then it’s a matter of efficiencies. To know that every potential system or function is part of the broader network of systems and functions is the fundamental starting point. To protect all of them requires prioritization and organization. This might have security types first look for the most urgent, imminent risks. Or, they could first protect the areas that have the most connections to other areas. Another approach could follow Maslow’s hierarchy, in a sense, such that food and water protection take priority. Starving and dehydrated people don’t mind so much that their debit cards got hacked, some might say.
There’s an argument to be made that money, in a word, is the most critical area. “Money makes the world go ‘round” isn’t just a Cabaret lyric. It’s a well settled principle, ugly as it may seem, because across the world money can be exchanged for goods and services, and that model has been in place since seashells were used as currency. To be fair, and more pleasing, some might correct me and say that the phrase is “Love makes the world go ‘round.” I see the logic in that posit, but it doesn’t fit into the question of what deserves the greatest cybersecurity protection (Love? Hmmm. Interesting hacker target, I suppose.).
If you can see how money as a system or function or area within modern society needs cyber-defenses, then we can forestall the debate over whether it should come first. Let’s agree that because money is a ubiquitous force the world over, and because it may be the ultimate target for most hackers — outside the egoist’s yen for renown among thieves — it is worth exploring as the primary area needing defense. How are we doing in this category of security, then?
Of all the components within our critical infrastructure, the financial systems are as important to protect as any, based on my premise above. The enormity of our infrastructure requires that more than mere IT departments in any given bank bear the sole duty of defense. We cannot simply create rules requiring Wall Street to hunker down and fend off attacks. I’m implying, here, that, as in most other areas of critical infrastructure, the U.S. government must assist.
The notion of “assistance” necessarily involves two parties. For securing the money area, those two are the financial institutions and the government, at minimum. Recently, a 2018-2021 Identity Breach Report published by Constella Intelligence bodes none-too-well for the banking industry’s portion of the duty. In this sector, the average company loses over $18 million each year due to hackers and security incidents, and during COVID the costs ramped up. Four out of five financial institutions — a term of art including banks, credit unions, insurance companies, and related businesses — reported increases in cyber-attacks across the time of the study. I’ve written before, and you should realize, that not every incident gets reported because companies are not always willing to disclose their foibles. The money businesses are required by law to report most of these incidents, but there is still a sense that not everything makes its way into reports such as Constella’s.
During the three years of the study almost 6,500 breaches occurred in the finance sector and over three million records were stolen. Two out of three records included our personally identifiable information, which can then be leveraged for further crimes and fraud. How did all these incidents unfold? It’s complicated, and there is no single strategy in play. The bad players are creative and sophisticated and always outrunning the law. The one common factor was that corporate login credentials were part of the story. Users. The users are always the base of the problems, as any jaded security expert will quickly divulge. Can’t secure with them, can’t secure without them.
What’s more impressive is the report’s findings about how, exactly, those oh-so-precious security devices — usernames and passwords — were exposed. Was it the aforementioned sophistication of the hackers? Were they so crafty as to sneakily hack a password database? Was it espionage? Nope. Users. Financial institution employees’ login credentials were exposed via their [mis-]uses at Amazon, Best Buy, and other retailers. They were compromised because they were [mis-]used for news websites, online gaming, or entertainment purchases and accounts. Social media, education activities, banking (ironically?), and scads of other misuses were reflected across the 6,500 incidents. Users.
Let’s agree that the banking sector has a way to go when it comes to its share of the security responsibility. It’s only one of many critical areas, but it has such wide impact. Is it the most critical? Dunno. The one thing it shares with every other area is the user factor. That’s you and me! Maybe there’s your criticalest of areas: The user, critical but flawed as we are, needs the greatest protection.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at firstname.lastname@example.org