The events of the present can often tell us a lot about the future. For a look into what the cybersecurity landscape could look like in the coming decade, we spoke with an expert who has had his finger on the pulse of the industry for the past 20 years.
Steve Morgan is founder and CEO at Cybersecurity Ventures and editor-in-chief at Cybercrime Magazine. The cybersecurity research conducted by his firm is widely used by tech companies across the industry.
In our conversation, we discussed hot topics like artificial intelligence, personal data protection and the new wave of privacy laws taking effect in California and the European Union. Here’s the interview.
This week, a story broke about Microsoft having exposed data of 250 million customers over 14 years. Should companies with massive amounts of personally identifiable information face bigger consequences for negligent behavior?
The media has a tendency to sensationalize data breaches and cyberintrusions. Sometimes, the media will even take an incident and characterize it in a way where exposed data sounds like stolen data or even worse.
In my opinion, Microsoft shouldn’t be called negligent. Cybersecurity always has been and always will be a people problem. In this case, there was a misconfiguration. Not to minimize the magnitude of the misconfiguration -- it did, in fact, expose a massive amount of data.
But upon learning of it, Microsoft acted swiftly and did all of the right things. They disclosed to the public exactly what happened and they remediated the configuration. Microsoft also put their senior cybersecurity leadership out in public to explain exactly what occurred.
Honest, ethical companies will take accountability for their mistakes and learn from them. The idea of punishing Microsoft or any company for a misconfiguration, which unfortunately is common when it comes to database administration and management, is unproductive for everyone concerned.
Had Microsoft concealed the incident, or failed to take immediate action in order to remedy the misconfiguration upon learning of it, then that would be a different story. It is worth noting that Microsoft invests more than $1 billion annually into cybersecurity and they are heavily involved with protecting organizations of all sizes and types against cybercrime.
Are government regulations like CCPA (California Consumer Privacy Act) and GDPR (General Data Protection Regulation) a net positive for consumers? How are businesses affected?
Historically, state and local government hasn’t done anything to protect its citizens' data and identities. CCPA is more than a net positive; it’s a giant leap forward. Consumers should not have to be entirely on their own, without law enforcement, in cyberspace.
For businesses, it’s either standard operating procedure or a nightmare. Companies that take governance, risk and compliance (GRC) seriously enough to designate an officer or an outside firm to advise on regulations as soon as they are available to the public are likely to comply and already have the human resources in place to do so.
But many companies ordinarily play catch-up when it comes to compliance. That can lead to fines and even dire circumstances, such as consumer lawsuits, which can force a small business to shut down. The importance of complying with CCPA and GDPR cannot be overstated.
How important is AI and machine learning to the future of cybersecurity?
Cybersecurity Ventures predicts there will be 3.5 million unfilled cybersecurity jobs by 2021, up from 1 million positions in 2014. As the labor crisis in our field worsens, AI and machine learning hold out great promise for eliminating some positions and increasing productivity by an order of magnitude for others.
But the rub is that the world is facing a shortage of cybersecurity experts who know how to effectively evaluate, deploy and make the best use of these advanced technologies. AI and machine learning are not inherently cybersecurity technologies.
So, there’s going to be a big learning curve for organizations that adapt them for cyberdefense. There have been a myriad of groundbreaking cybersecurity solutions brought to market over the past decade and they haven’t reduced the worker shortage -- which remains our biggest problem.
What is the biggest cybersecurity threat to an average individual like me? What basic measures can I take to prevent an attack?
The biggest threat is that your email login credentials are for sale on the dark web. Once a cybercriminal has your email address and password, it can be game over when you think about what’s at stake.
Sifting through your email, what can a cyberthief find? More login credentials to your bank accounts, cryptocurrency accounts, retirement accounts and what else? This is what you read about in the news every day because it is really happening to people.
If you don’t want to be a victim, then turn on MFA (multi-factor authentication) a.k.a. 2FA (two-factor authentication) in your email and all other accounts. By doing this, a hacker will be asked for a secret code, in addition to your login ID and password, when attempting to access your email.
The code is texted to your cellphone when the login attempt is made. And only you have the code.
Your phone becomes a physical key to your email and other accounts. The other thing that you should do is to routinely change all of your passwords. Taking these two measures will defeat a large percentage of personal cyberthreats that you may be facing. Here’s a public service announcement I posted.
For those interested in a cybersecurity career, do you have any recommendations on where to start?
That’s a broad question because everyone is different in terms of how they learn -- reading, watching videos, online courseware and classroom training. But if someone has the aptitude for cyber, then they are probably a candidate for online learning and I’d recommend Cybrary, at cybrary.it, as a starting point. It provides free online cybersecurity training to anyone who wants it. It is an excellent starting point, and I’ve had great feedback from numerous people who have gone to Cybrary.
What is the future of cybersecurity?
That’s a question that gets a lot of hyped responses. But it shouldn’t. What we are witnessing is the ongoing development of an online society, cybercriminal activity and law enforcement -- no different than the evolution of offline society dating back to the beginning of time.
The big difference being how quickly the online world is developing. The more people who settle in one place, the more bad apples you have to deal with. And the more law enforcement that is required.
Cybersecurity Ventures predicts that the number of humans on the Internet will triple from 2015 to 2022 and reach 6 billion. And by 2030 that number will rise to 7.5 billion people.
The Internet is still very much like the Wild West. We lack local sheriffs and police who can cyberprotect us. Businesses are highly dependent on themselves and the private sector for incident response, cyberinvestigation and forensics, and resolving cases.
So, what will the future look like? Law enforcement will inevitably catch up and one day we’ll be able to dial 911 and report cybercrimes, the same as we would for any other type of crime. We are inching toward that future already, with local law enforcement in places such as New York City and Atlanta -- where the police departments are heavily invested in new technology and personnel around combating cybercrime.
If you enjoyed this deep dive into the future of the industry, you can subscribe to SmartBrief on Cybersecurity for more informative content. For even more quality news coverage, you can subscribe to any of SmartBrief’s 275+ free newsletters.
Evan Lauterborn is manager of audience development at SmartBrief. He focuses on audience growth, audience retention, content and managing the @SmartBrief Twitter account. Connect with him on LinkedIn.