Cybercrime Is Out of Control – But We May Be Looking at the Wrong Culprit!

When we see cybersecurity reporting, it’s tempting to think that every incident is the result of hackers coming up with some novel zero-day exploit, and then going through heroics to compromise systems and do awful things. That’s what you hear about in the trade press, because it makes for a fun read. If it bleeds, it leads.

Let’s take a look at some of the major breaches in 2024: 

  • The National Public Data Breach exposed sensitive information belonging to nearly 2.9 billion individuals, including Social Security numbers and phone numbers. This was the biggest data breach in 2024, and possibly the most significant ever.
  • The US Treasury Department was breached by APT27 through a remote support system.
  • Change Healthcare had the largest health-related data breach of the year, losing over 100 million customer records. This could make it the largest healthcare breach in history.
  • In February 2024, TechCrunch reported a breach at UnitedHealth that could impact 100 million customers. If the numbers are accurate, this is likely the largest sensitive data breach in US History.
  • Ticketmaster reported that hacking had extracted data for 40 million customers, making it one of the largest breaches in the entertainment sector.
  • Communications giant AT&T had not one but TWO significant breaches, with over 110 million and 73 million records lost, respectively.

If you examine all these attacks and read about how the attacks were performed, you might think that we are having a huge rash of zero-day exploits, high-profile attacks with all the hype… and if you’re patient zero, you’re basically hosed (to use the technical term). 

But the truth of the matter is that most successful breaches occur because of known vulnerabilities: vulnerabilities that we know about, and that we know adversaries use.

We have databases of them, like the CISA Known Exploited Vulnerabilities (KEV) catalog. The other cause is structural: breaches occur because the adversary takes advantage of broken communication and organizational structures.

Therefore, the premise I have is that these are the things we need to fix – the silos, the broken communications, and the known vulnerabilities. By doing so in a practical way, we can enhance our security posture. And we can do that in a more predictable way, without jumping through hoops or worrying about zero-day exploits or some novel attack scheme.

We Are Spending Record Amounts on Cybersecurity. But, Is It Working? 

Before we jump into the solutions, let’s look at the magnitude of the problem and then assess where things stand in 2025. 

In 2024, enterprises spent ~$185 billion on Cybersecurity, and it may reach $300 billion by 2029. 

However, what's shocking is that cybercrime losses stood at $9.22 trillion in 2024, projected to grow to perhaps $15.63 trillion by 2029. No, that’s not a typo. The losses are 50x greater than cybersecurity spending.  

All About the Money: Changing Motives Behind Cyberattacks

We also know the objectives and profiles of the threat actors. The profile of cyber attackers is predominantly organized crime. Ten years ago, it was mostly nation-states. The objective of organized crime gangs is mostly financial, whereas before it was stealing IP. 

Ransomware-as-a-service providers, which first started appearing in 2015, are now commonplace. The point is that there are companies that help script kiddies succeed in their attacks. There are now ransomware franchises. Note that the average ransomware payment is now $800,000! This is a 12.7% year-over-year increase.

Extortion continues to dominate the threat landscape. 

As far back as 2018, less than five percent of breaches involved monetization with ransomware. Today, extortion-ware has grown to 33 percent, and it is one of the top three threats in 92% of industries.

You might say, ‘Robert! You said ransomware and then you said extortionware. What’s with the change?’ It’s because the criminals have switched things around. 

Ransomware is extortion, but the adversaries have realized that the good guys – the defenders – now have decent recovery mechanisms, so encrypting data in place no longer guarantees a payout.

So instead of encrypting it in situ, the adversaries exfiltrate sensitive intellectual property and then threaten to sell it on the black market, or publish it for all to see and/or use! It’s still extortion, but it has morphed.

Back to Basics: How Adversaries Are Getting In

OK, so as we think about this, we need to pay attention to the basics. Let’s look at how they are making landfall. How are they getting into your computing estate? 

If you look at this chart, stolen credentials are the largest initial access vector, followed by phishing, then exploitable vulnerabilities. But when you look at the trend chart on the right, Known Exploited Vulnerabilities are on the rise, whereas the other types of compromise are flat or trending down.

This should alarm us. Why? Because of the three major ways into your estate, the management of known exploited vulnerabilities is the one that should be 100% under our control!

Think about it. There’s a published CVE. Then there’s a database of Known Exploited Vulnerabilities. 

To get onto the CISA Known Exploited Vulnerabilities catalog, the following MUST be true: one, we know it has been used in attacks; two, it has some form of effective remediation, usually a vendor patch; three, it has a government due date for US agencies.

But, as straightforward as this sounds, we’re not doing a good job. Check this out: it takes most of us 55 days to remediate half of the CISA KEV catalog. However, it only takes the bad guys five days to start using a CVE once it arrives in the CISA KEV catalog. We are an order of magnitude slower than the bad guys!

Here’s a graph from HCL BigFix Product Management Research. 

Look at the spike in the number of unique vulnerabilities discovered and published per year. It took a huge jump from 2019-2020, and it just keeps increasing. What happened? 

Well, we sent millions of people home to work remotely, and we wrote a significant amount of new code to enable that. However, we made a lot of mistakes in coding. This is the main reason we can’t remediate all vulnerabilities in our computing estates to zero. There are just too many vulnerabilities, and AI coding methods are making this worse. 

The reason why AI is making it worse is that AI doesn’t know what it’s doing. It’s simply giving you the statistically best answer to your coding request. But it’s using code it has stored in its learning model, and that model has vulnerabilities embedded too! 

The point is, I don’t think that this graph is going to point downward any time soon. 

Let’s continue piling on! 

The situation is now so bad that directors are no longer treating cybersecurity as a wholly technical problem. They’re holding business leaders responsible for fixing it. Just one huge problem. Business leaders lack tools to make informed business decisions that measure and control cyber risk. 

What’s the Solution to All This?

First, we need to understand the root causes of the problems. 

A giant one is that we are all victims of Conway’s Law. Way back in 1967, Melvin Conway observed that organizations produce designs that are a copy of their organization’s communication structure. 

On the left is a funny cartoon that illustrates this.  We’re all familiar with these companies, and the diagrams are funny because they reflect how companies are organized and how they communicate amongst themselves. 

Well, the same thing happens with us. 

We have groups of defenders. Do they talk to each other? The vast majority of us do not talk on a regular basis, if at all. 

Did you know that in 2024, 33% of all the 24,000 newly announced CVEs were categorized as urgent?

However, only 9% of all CVEs were used in attacks, including medium and low priority categories. 
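The KEV-first triage implied by the last few sections (KEV entries carry a due date and are the ones adversaries actually use, while severity labels alone flag far more than is ever exploited), as an added Python example that is not HCL’s or CISA’s code. The catalog excerpt and scan results are constructed placeholders whose field names follow the public KEV JSON feed; the five-day adversary lead time is the figure quoted above.

```python
"""Added example (not HCL's code): rank CVE findings by CISA KEV membership, not CVSS alone."""
from datetime import date

# Constructed KEV excerpt. Field names follow the public KEV JSON feed; the
# entries are placeholders, not real catalog records.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2025-01-10", "dueDate": "2025-01-31",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2025-02-20", "dueDate": "2025-03-13",
     "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed scan output for one estate: CVE id -> CVSS severity label.
INVENTORY = {
    "CVE-0000-0001": "MEDIUM",    # in KEV: actively exploited despite a modest score
    "CVE-0000-0002": "HIGH",      # in KEV
    "CVE-0000-0003": "CRITICAL",  # "urgent" on paper, no known exploitation
    "CVE-0000-0004": "LOW",
}
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
ADVERSARY_LEAD_DAYS = 5  # the post: attackers start using a KEV entry within ~5 days


def prioritize(inventory, catalog, today_iso):
    """Return (kev, other). KEV findings go first: ransomware-linked ones, then by
    CISA due date; non-KEV findings fall back to severity order. Each KEV finding
    notes whether its due date has passed and roughly how long it has been abused."""
    today = date.fromisoformat(today_iso)
    index = {v["cveID"]: v for v in catalog["vulnerabilities"]}
    kev, other = [], []
    for cve, severity in inventory.items():
        entry = index.get(cve)
        if entry is None:
            other.append((cve, severity))
            continue
        added = date.fromisoformat(entry["dateAdded"])
        kev.append({
            "cve": cve, "severity": severity, "due": entry["dueDate"],
            "overdue": today > date.fromisoformat(entry["dueDate"]),
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "days_exposed": max(0, (today - added).days - ADVERSARY_LEAD_DAYS),
        })
    kev.sort(key=lambda f: (not f["ransomware"], f["due"]))  # ISO dates sort as text
    other.sort(key=lambda f: SEVERITY_RANK.get(f[1], len(SEVERITY_RANK)))
    return kev, other


if __name__ == "__main__":
    print(prioritize(INVENTORY, KEV_SAMPLE, "2025-03-01"))
```

On the constructed data the MEDIUM-rated KEV entry outranks the CRITICAL non-KEV one, and it is already past its CISA due date.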

So, we are communicating about these in the wrong way. That’s Conway’s Law. Let’s compare this with the way adversaries work.

Adversaries focus on the objective. They think in terms of paths, patterns, and mechanisms. Remember the examples from the Mossad pager attacks? They thought in terms of how to leverage vulnerabilities. It didn’t matter whether the vulnerabilities seemed small; if it leads to the objective, it goes into the plan.

We need to think this way as well.

Effective Strategies Based on Pain Points

Taking all this into account and analyzing this, we know the following:

  1. Teams are overwhelmed.
  2. Stakeholders are misaligned.
  3. Tools and processes are disjointed.
  4. Conway’s Law is at work.

Therefore, we should take the following strategies. 

If we are overwhelmed, misaligned, and disjointed, we should accelerate, collaborate, and consolidate. 

This is what I mean. 

  • Accelerate: This means we increase the number of cybersecurity things we can do without thinking about them or expending any additional effort.
  • Collaborate: This means we need to find ways to bridge the gaps among Security, IT, and C-Suite. We must find ways to measure cyber risk and control security outcomes using business decisions, tooling and processes.
  • Consolidate: We must think like our adversaries. Think in terms of unified patterns and paths. We must find ways to unify teams, tools, and processes to defend these paths and patterns. Break down the silos.

I respectfully submit that, with these three strategies, we can achieve our desired objectives in defending our computing estates.
