So I start out with a very simple question: when it comes to data breaches, who is more likely to be the origin of the threat that leads to the data breach? Is it an external actor or is it the internal actor, an employee, a contractor, an intern? So who is more likely to cause the data breach, internal or external? Starting with Alexei.
I am absolutely sure it's the internal guy. It's always the malicious internal, simply because they have so much more opportunity to do that. And you know, even with like, even with the real life murders, it's always like the immediate member of the family. And I guess the same applies to cybersecurity as well.
Okay, agree. Marina?
Yes, actually, I believe it is internal, not just because someone actually can steal the data or agree with someone else to steal the data, but also it could be, you know, from people who are not really technical. Maybe they are not aware of, for example, of some threats. They just click, you know, on the wrong email or log in to the wrong website or something like that. And you know, the attacker is already in. So I would say it is internal most of the time.
Well, you didn't really say whether you meant malicious insiders or just human error, people, like you say, clicking on the links, etc. But you could argue that it's always outsiders, isn't it? I mean, you might blame the insider for clicking on that phishing link, but it was the outsiders that created that in the first place. So I'm going to go left field on this one and say it's the outsider.
Okay. Okay. Because I was also surprised. So the source is the Verizon 2023 Data Breach Investigations Report, and it says that for 83%, so the vast majority of data breaches, external actors are responsible. So it's only 19% for the internal ones, which surprised me as well. That's the reason why I picked it as a question, of course.
It's really, I'm really curious, like, do they count breaches which were all like reported through a third party or what about those which have not been discovered yet?
Okay. So, the unknown unknown always is an issue, so I don't know. These are the official figures that I took from there, from their statistics. And as it was really surprising to me, I think 19 or something, 19% for the internal ones is still much too high. So this is Cybersecurity Awareness Month, so fight the 19%. But this was surprising to me as well. So where the basis is, I could check that. But these are the official figures from the Verizon report.
But then, like Paul's perspective, you know, so initially, in the first place, who created the attack was an outsider, regardless of the person who clicked it or not, right? So then it is actually a good perspective. I didn't think about that before, but Paul...
Yeah, but a data breach can also occur if somebody just discloses an S3 bucket unwillingly. So that does not need an external attacker. This is just misconfiguration or, yeah, just error.
Absolutely. Yes.
Well, I'm glad I was right. It makes up for my duff interpretation of the Akamai report. So I've gained some credibility back.
Yeah. And you can even try more because it's your next question.
My question then is: security awareness training, which we all love, can help you save money on buying security platforms.
Can I start?
Marina. Yeah, sorry.
I, I would say it depends what you want the platforms for. I mean, if the platforms are to have, like, better supply chain risk management, for instance, then you will need to spend it anyway. So the security, I mean, like, the training that we have in cybersecurity is a kind of another tool that we use. But I don't really think that it will actually save money for that. It will actually help prevent the attacks from happening. But companies still need to actually put in place other measures as well.
So. So you're saying it wouldn't. You can't say...
Marina
No, I say it is not true. Yeah, that's my answer.
As for me, I really have, like, really mixed feelings about this whole security awareness training. I think people tend to overestimate its usefulness massively. Simply because, well, I mean, judging by the platform we use ourselves internally, this is, you know, really this is a kind of knowledge that goes into your left ear and goes out of your right one 10 minutes later and you remain none the wiser. It's just not something which people are really incentivized to learn, though probably with different tools, with much more developed, like, social and even financial incentives, it could work. But the way it's done in the majority of companies, no, it doesn't help at all.
Okay. Yeah. I take the other way, actually. I think it makes sense to do so. And even more importantly, I think leading by example, especially for us, is an important thing to do. So learning from each other and teaching more cyber hygiene in general is of importance. When this is done through such a platform, it might have the effect that Alexei described, that it really is something that needs to be hammered in, otherwise it gets lost. And hammering it in has its own faults and flaws. But I think not doing anything would be even more wrong. So I would go for: it can achieve something and one should do something. But leading by example, helping your own team to be better, is even more constructive. This is Cybersecurity Awareness Month and I think being aware and learning every day a bit more about that should be the way to move forward. Leaving it all to technology is surely not the way to move forward.
Okay, well, there is no scientifically correct answer on this. It's more like what Alexei was saying. I have a personal kind of bugbear about a lot of security, so-called awareness training, and that it, like, literally is pointless. So I think a lot depends on how you do your security awareness training and how often. And I personally think, endlessly sending out pretend emails or pretend phishing emails, after a while, people get very tired of that and cynical about it. And my opinion is that thinking that you can rely on awareness training, certainly not on its own, but rely on it to somehow mean you don't have to buy technology, is a very, very false economy. So, I think, I mean, whole companies have been built around security awareness training and they tend to all do the same kind of thing. You know, everybody says, don't click on a link, but look what happens when, you know, the person at MGM, they probably had some security awareness training. And the first thing they say, yeah, your password is one, two, three, four, five, six, seven. Okay, have a nice day. So yeah, but as I said, there's no scientific answer, I just wanted to, you know, bring it up because I think it's -
Going back to my earlier question for a second, I mean, this whole training has to start much earlier in life.
Yeah, that's a good point. Yeah. Yeah. And it shouldn't just be, it shouldn't just be a work thing. Like it affects your home life as well. So, yeah, it's a really good point, Alexei.
Okay. So then next question. The second to last question is Alexei.
Okay. My second question would actually be somewhat related to generations as well. So looking back to, let's say, our current world we live in, post-digital, information, AI, whatever, and compare it to the situation we had, like, ten years ago, like the emergence of cloud services, mobile devices, and 20 years ago, before all this had even started. When was the cybersecurity situation the worst? Was it, like, 20 years ago, ten years ago or now?
Yeah, I would say ten years ago. Only because I think security technology has developed quite a bit. I think especially on the identity management side, also on, like, the first line of defense, things like, you know, web firewalls and all that stuff, that's kind of just more mature now. Although there is, you know, the number of, like you said, you know, 500,000 a day get produced and there are probably more attacks, but I think it was probably worse ten years ago simply because we still had the same kind of attacks, but the defensive software was more primitive. And I think we've started to come to terms with the cloud and cloud security as well. So I'm going for ten years ago was worst.
I would say twenty years, actually. But you know why? Because the only thing that we need to be a target of a cyber attack is to be online. And actually the main boom for the Internet started in 2000, I would say. Even though the Internet already existed in the nineties, that's what they would think. But again, like, I'm not sure. This is, I am going through my logic, as I think Paul did.
Fair enough.
What do you think, Matthias?
Okay. I hope today is also an option for an answer, because I think today the cybersecurity situation is - it's a game of the threat actors and the protective measures competing with each other, but we have such a large number of attack surfaces. We have such a large number of growing attacks and threats. And it's just by the mere numbers: how many people, how many devices, how many systems are exposed to some kind of network, be it the hostile, the evil Internet or something else, is so much bigger than before. So I think just from the math, I would say today is the worst situation. Even with growing cybersecurity.
Okay. Well, we have three different opinions. And of course, again, kind of, there is no one true answer to this. But there is one really interesting metric, I believe, that reflects a lot in this regard. Basically, the single largest, the most catastrophic cybersecurity event in the entire history of cybersecurity has actually happened basically 20 years ago, in 2004. It was the so-called MyDoom virus attack and its direct damages are estimated to be almost $38 billion. So nothing, not even modern strains of ransomware, has come even close to that. So I believe 20 years ago it was, like, yeah, the Wild West, the fresh frontier. There was no cybersecurity, basically, in the world. Now we're doing much better.
That's, that's true. We don't seem to have those kind of, we used to call them worms, or, that doesn't seem to happen so much now. Like a virus that spreads from company to company, and, you know, remember your floppy disk, people used to, you know, and USB sticks. That was a good way of spreading malware. And now it seems much more criminal-focused, on ransomware and targeted attacks, so like MGM - I keep mentioning MGM, I'm sorry, MGM, I love MGM's casino personally. Very, very big hotel - So... so that's good. But what about ten years ago, Alexei? Was I right? Or did it get worse again and then go down again? Do you know?
Well, I mean, when did we have those, like, biggest ransomware attacks, like NotPetya and so on? I think it was around 2017 or something. So it wasn't really, like, ten years ago, but close. In any case, we are definitely doing noticeably better nowadays, right? Simply because we have, I guess, better tools, better technologies and maybe a little bit more cybersecurity awareness in the general public.
Yeah. Matthias, I'm sorry, this is supposed to promote cybersecurity awareness, and I've said it's a complete waste of time, but it isn't a complete waste of time.
It isn't. I don't think so.
So keep sending those. Keep sending those fake phishing emails.
Even better ones. So final question, final statement, final contributor is Marina of this game of fact and fiction.
Yes, well again I would go with the numbers and let's see what you think: In 2022, the United States reported the highest number of cybersecurity incidents worldwide. Do you think it is true or false?
Well, that's a bit like the last question, isn't it? That's false. Clearly, that's false.
Why?
Well, because Alexei just said it was much worse ten, 20 years ago. But incidents don't translate into actual, into success, you know. So maybe it's true, but yeah, all right. It's true.
Well, if you believe that it is false, then it's false. You know, like, we will see in the end.
No, I've changed my mind. It's true, but it isn't actual successful attacks.
If you really are talking about the number of incidents, and especially if it's the number of reported incidents, then it could very well be true because, well, I mean, better reporting even shows that we are actually doing better in terms of overall security awareness, again, and visibility than before.
Right. So then, final answer from my side. I think this is a difficult, difficult thing to answer, because just configuring a firewall rule better prevents cyber attacks, because they don't get through. And the same is true if you translate that from the stupid little firewall rules over to the more sophisticated cybersecurity mechanisms that we as analysts are talking about and researching all the time. This is difficult to answer. I hope that the number is shrinking, and then the statement would be true, but it's shrinking not because the overall number would be smaller, but because there's much better protection. So that would be my point of view here. But yeah, it's difficult to answer. I would say, just for contradiction, I would say no, there are many more today, but they go unnoticed or they are prevented. So I would say no.
And then, Matthias, we are going to the eternal problem of every analyst: defining things. Like, what is an incident? Is it, like, a single detection event, including the statistical noise and false positives? Is it a real malicious activity happening? Is it a blocked malicious activity, like, do we count those, for example, or do we only count those which actually succeeded in breaching your perimeter or whatever? This is, like, the biggest problem we are facing and this is the biggest challenge for, again, cybersecurity awareness, because we have to ensure that we talk the same language as the vendors and the general public and everybody else in the industry. And unfortunately, most of the time we don't. And this is what we have to address.
I agree on that. But what you need to think is, if it is something that has been reported, probably it has to be escalated somehow. For example, through a cyber insurance policy or so, you know. So then, if you need to claim some compensation, maybe you need to actually have your incident reported. If you don't need it... there are many companies still that don't do this just because they don't want others to know that they were a target, for instance.
Okay. But what's the answer?
Well, the answer is that it is true. The United States was the country with the highest number of cybersecurity incidents. But in 2022, and this is the curiosity detail, let's say, India was actually pretty close to the United States in terms of their reported cybersecurity incidents. It is very common to think that it could happen only in the United States because of the large online presence and the varied threat landscape that they have. But, well, apparently there are other countries that are also being targeted.
I guess the more interesting question would be which country actually generates the largest number of those incidents? As in where do they originate from? Do you have any kind of statistics on that? Is it North Korea, China or Iran or Russia, maybe?
Why always there?
Well, that's what we constantly hear from the press.
Well, not always, but I have to - I have to have a look at that. And then I will come back with some accurate numbers.
I am going back to statistics on cybercrime. A few years ago, at every conference you went to, every speaker would say that the cybercrime industry is now worth more than the global drug trade. And everybody picked that up and went with it. But there's never been any statistical evidence for that. I think literally some guy once said it, because it would help sell a few more appliances, as he realized that this is now bigger than the drug trade. And because it sounds sexy and, you know, thrilling, everybody started saying it, and there was no proof whatsoever, because how do we even know what the drug trade is worth, let alone the cybercrime industry? So -
Yeah, what's the street price of an incident or a cybersecurity breach?
Yeah, yeah, exactly. The other one, like, an incident costs you $4.5 per person or something, and it's all driven a lot by vendor marketing, because statistics sell products.
True. But cybersecurity awareness, this is the reason why we did that little game. And first of all, we learned that even we analysts do not do everything perfectly. And there are questions that we answered wrong. And if this is true for everybody, then maybe cybersecurity awareness is still something important to look into. Maybe cybersecurity awareness training is not the way, in the way that it is usually done, but maybe there are better ways to do that. So there's room for improvement there. But learning more about cybersecurity and being more aware in this month of October and beyond is of course of importance, and going beyond, of course,
But beyond this Cybersecurity Awareness Month, of course, I want to highlight our upcoming cybersecurity event in Frankfurt in mid-November. I think all of us will be there. So cyberevolution in Frankfurt will be a great event combining cybersecurity, but also other emerging technologies, including AI, machine learning, but also very traditional cybersecurity threats and how they are tackled. So that will be an interesting part or aspect to look at. So thank you very much for being contestants in this fact or fiction game today.
I think, at least for me, it was really fun. It was great to meet you. It was great to have some answers right and not so great to have some answers wrong. But nevertheless, we are all still in the process of learning and getting better at that. Of course, when you look at that video, and maybe you're looking at this on YouTube, leave your comments below, and also maybe contradicting statements to what we said, because there was a lot of opinion in there as well in the answers.
So I'm really looking forward to that. Maybe if you think we should do this more frequently, this was just a one-off, let us know. And with that, I think we can close down that call, that show, that quiz. Thank you very much. Bye bye.