Security analytics staff need better pay, weaponisation of AI, ransomware authors’ salaries...

Here are the must-read security stories that should be on your radar this month.

By Jo Best

Sun 13 Aug 2017 @ 12:29

While the WannaCry and Petya/NotPetya ransomware outbreaks made headlines months ago, they're still having an impact on businesses worldwide. Companies continue to report earnings that are affected by the after-effects of the attacks.

In related news, malware writers' earnings have been coming to light – and they may not be as large as you think. On the flip side of the coin, while some people are enjoying a substantial payday thanks to the rising tide of cybercrime, it also looks like security professionals with the right skills could be set for a wage increase.

Security analytics: Not enough staff, not enough wages

You know a technology has really come of age when it generates its own skills shortage. This month's case in point: security analytics. According to a study from ESG Research, there's a sense that the use of analytics in businesses is now being anchored by a few key individuals, and that CSOs need to retain those skilled staff with incentives such as substantially increased pay. Good news for security staff all round, then.

Can you trust your third parties?

A salutary lesson, if one were needed, from Australia: it's not just your staff that can put sensitive data at risk, it's your suppliers and other third parties, too. The Australian Red Cross Blood Service managed to expose the personal details of over 550,000 would-be blood donors after the company it hired to manage its website backed up the data to a public-facing server. According to the Australian Data Commissioner, there weren't stipulations in its contract with the website management company to protect the data adequately.

The weaponisation of AI is on its way

While the IT industry wants to see artificial intelligence used to protect against cyber-attacks, it turns out security professionals expect the bad guys to also try to harness the power of AI. A survey of information security staff found that 62 per cent of them expect AI to be weaponised in the next 12 months as cybercriminals use it to orchestrate more complex attacks.

Insider threats going ignored

Around half of data breaches are thought to have been caused by a human action, carried out either by negligent or malicious employees. However, very few businesses believe insider threats are worth concentrating on, and even fewer have plans in place to deal with them. Research by the SANS Institute found around one third of companies said they had no effective way of detecting insider threats and just 18 per cent had plans in place for how to deal with them.

How much do ransomware writers earn...?

While the FBI estimates the cost of ransomware is around $1bn a year, just a comparatively small part of that cash is reaching those behind the malware. According to a talk given by Google at Black Hat, cybercriminals have earned around $25m from ransomware during the last two years. The relative imbalance between what the ransomware writers get from their work and the economic damage that they wreak was further illustrated recently: the writers of WannaCry finally emptied their Bitcoin wallets of the ransom money, three months after the attack, making off with around $140,000.

...And how much do their attacks cost?

The financial effects of recent high-profile ransomware attacks are still with many of the victims. UK consumer goods company Reckitt Benckiser recently said it didn't expect its operations to be back to full functionality until the end of this month after falling victim to Petya/NotPetya, and the attack has cost it revenue as a result. FedEx has also said being hit by malware has harmed its bottom line.

UK government increases the cost of a data breach to £17m

The GDPR won't come into effect for nine months, but its ripple effect is already being felt across Europe. The UK government has announced plans for a Data Protection Bill that will strengthen the penalties watchdogs can hand down to organisations that don't look after customer data properly. If the bill becomes law, it will give the Information Commissioner's Office the ability to fine organisations up to £17m or four per cent of their annual turnover.