In a recent post, “Zero Trust Is What?” I shared some background on how the web came into being and how it was built upon implicit trust.
In this post, the goal is to show how certain events have created a market in which success is measured in dollars, damages, or destruction, or, put another way, that cybercrime is big business. According to estimates from Statista’s Cybersecurity Outlook, the global cost of cybercrime is expected to surge in the next five years, rising from $8.44 trillion (USD) in 2022 to $23.84 trillion by 2027
First off let’s go back to the near past when only large businesses had servers, networks, and complex software. We know that has changed and now it is hard to find any business which does not depend upon computers for day-to-day operations. From this explosion of servers and data came an equal opportunity for cybercriminals to make money. From a business perspective, this threat landscape was “easy” as the entry points to all the computer resources were known and could be controlled by special purpose devices known as firewalls or network protection devices in addition to a firewall. Then came cloud computing and the entry points exploded. Almost overnight employees were connecting to company resources from everywhere, at any time with many devices.
Even before cloud computing was embraced the single lone hacker or cybercriminal was being augmented by nation-state actors and cybertheft corporations. (SIDEBAR – For those really interested in an in-depth analysis and description of nation-state actors I recommend checking out Assessing nation-state-sponsored cyberattacks using aspects of Situational Crime Prevention.) What has transpired as a result of these nation-state actors is a whole new commercial enterprise. Cybercrime as a Service (CaaS). The industry is segmented into five different verticals: Access as a Service (AaaS), Ransomware as a Service (RaaS), Bulletproof Hosting, Crowdsourcing, and Phishing as a Service.
Whew! That is a lot of information, and it can be confusing too!
The executive’s summary is this: Securing your business has changed from attempting to repel all attacks to validating identity in order to access information. Below is a diagram to show how this works:
The purpose of this diagram is to illustrate that nothing is trusted! Everything requires validation. The validation process is very strict and has no automatic exceptions. Anytime the validation process yields any result, aside from approval, that must be reported and investigated as it could be a sign of an attack or compromise.
Stay tuned! The next installment in this blog series will address the validation process and how that is more than just software in modern business today. If you have questions about cybersecurity for your business and how to implement a more secure model, reach out! We’d love to help.