
The cost of immaturity

The business of protecting against computer-hacking is booming


The average time between an attacker breaching a network and its owner noticing
the intrusion is 205 days. Like most statistics touted by the cyber-security industry, such as
the supposed annual $575 billion global cost of 90 million cyber-attacks, it is little more than
a guesstimate. But there is no doubt that criminals and pranksters are thriving by attacking
computers and networks, that companies are struggling to cope and that businesses
offering answers are charging fat fees.

The penalties for getting cyber-security wrong are steep. Nortel, a Canadian
telecoms giant, went bust in part because hackers stole so much of its intellectual property.
Target, an American retailer, lost the credit-card details of 40 million customers. Some of
them are suing. Its share price plunged, and the CEO stepped down. TalkTalk, one of the
biggest phone and internet companies in Britain, is floundering after an attack last month
that leaked customer information, which was apparently stored unencrypted on a
computer reachable through a public website.

Unsurprisingly, then, the cyber-security industry is booming. A report by Bank of
America Merrill Lynch reckons the market is $75 billion a year now and will be $170 billion
by 2020. Not only is demand soaring, but barriers to entry are low. Anyone able to spout a
bit of computer jargon can set up shop (it also helps if you can say you have a background in
an intelligence service or the military). Unlike, say, businesses based on engineering or
science, there are no standard qualifications, nor any established trade associations.

The range of products is bafflingly wide. Among those on offer are “threat
intelligence” (finding out who is planning to attack your company and why); “end-point
protection” (making sure that nothing is lurking on your computers or mobile devices);
“penetration testing” (hacking into your systems to reveal the security weaknesses);
“identity assurance” (making sure that only the right people get onto your network);
“incident response” (dealing with the aftermath of attacks); and “anomaly detection”
(spotting mischief by looking for peculiar movements of data).

Quality varies hugely. The worst products may appear to work perfectly, but do
nothing against the real threats. Anti-virus software, for example, can do a splendid job
against old malevolent software, but fail to spot new versions, not least because those who
write malware fine-tune it to evade existing defenses. And it defends against only one
kind of attack. Other products do such a good job of spotting possible mischief that they
create a plethora of false alarms. Keeping up to date is hard: malefactors who spot
weaknesses quickly sell or share their knowledge.

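The signature-evasion and false-alarm points above, as an added illustration that is not part of the Economist article and describes no real product: a hash-based signature misses a sample the moment one byte changes, a signature keyed on something the author cannot cheaply change (here a command-and-control hostname) survives one more round of tweaking, a brute-force decode catches the XOR-obfuscated variant at a CPU cost, and an over-broad signature flags a harmless file. Every sample, the hostname evil.example.invalid and the XOR key are constructed for this example, not taken from any malware.

```python
"""Added example (not from the article): why a hash-based anti-virus signature
misses a trivially altered sample, why a content signature lasts one round
longer, and why an over-broad signature raises false alarms instead.
All samples below are constructed byte strings, not real malware."""
import hashlib
import re

# Constructed "original" sample: a fake executable carrying a hard-coded
# command-and-control address (the hostname is an assumption for this demo).
ORIGINAL = (b"MZ\x90\x00fake-payload\x00"
            b"connect evil.example.invalid:443\x00\x00\x00v1")

C2_STRING = b"connect evil.example.invalid:443"


def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the cheapest obfuscation a malware author reaches for."""
    return bytes(b ^ key for b in data)


# Variant 1: bump a version byte and pad the file; every hash changes.
VARIANT_PADDED = ORIGINAL.replace(b"v1", b"v2") + b"\x00" * 16

# Variant 2: additionally XOR-encode the C2 string so the plain text is gone.
VARIANT_ENCODED = ORIGINAL.replace(C2_STRING, xor(C2_STRING, 0x5A))

# Benign file that happens to share an innocuous word with the malware.
BENIGN = b"MZ\x90\x00hello\x00connect mail.example.invalid:993\x00"

# Signature 1: exact SHA-256 of known-bad files.
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest()}


def hash_detect(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES


# Signature 2: the C2 hostname, which the author must keep unless the
# infrastructure moves; the port is left variable.
CONTENT_SIGNATURE = re.compile(rb"connect evil\.example\.invalid:\d+")


def content_detect(sample: bytes) -> bool:
    return CONTENT_SIGNATURE.search(sample) is not None


def xor_aware_detect(sample: bytes) -> bool:
    """Retry the content signature under every single-byte XOR key.
    Key 0 is the plain sample, so this is a superset of content_detect;
    the cost is 256 passes per file, which is why real engines move to
    unpacking and emulation rather than brute force."""
    return any(content_detect(xor(sample, key)) for key in range(256))


# Signature 3: too broad, matches a word any program might contain.
BROAD_SIGNATURE = re.compile(rb"connect ")


def broad_detect(sample: bytes) -> bool:
    return BROAD_SIGNATURE.search(sample) is not None


def evaluate() -> dict:
    """Return {sample_name: (hash, content, xor_aware, broad)} verdicts."""
    samples = {"original": ORIGINAL, "padded": VARIANT_PADDED,
               "encoded": VARIANT_ENCODED, "benign": BENIGN}
    return {name: (hash_detect(s), content_detect(s),
                   xor_aware_detect(s), broad_detect(s))
            for name, s in samples.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:9s} hash={verdicts[0]} content={verdicts[1]} "
              f"xor_aware={verdicts[2]} broad={verdicts[3]}")
```

Run as a script, the table shows the trade-off in miniature: only the original file matches its hash; the padded variant still matches the hostname signature; the encoded variant is caught only by the decode-and-retry pass; and the broad signature flags the benign file, which is the "plethora of false alarms" problem. A practitioner evaluating a product should ask which of these four columns it actually fills.
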
Ropier providers are helped by the fact that customers, especially at board level, are
usually ill-informed about what they are buying. Understanding how attackers work and
what they are after is hard. Few senior executives have enough of a technical background to
understand encryption or network design. Sharing data about attacks would help corporate
buyers to become more informed but carries risks of its own—you may breach customer
privacy by doing so, and publicizing an attack highlights what may look like incompetence.
(New laws pending in America and the European Union should give some much-needed clarity
on what disclosure is required when cyber-attacks happen.)

All sorts of companies offer cyber-security services, from small specialist outfits to
giant arms companies such as BAE Systems (which TalkTalk has hired to sort out its mess).
The biggest firms are finding it hard to keep staff. As in the public-relations and corporate-
intelligence industries, if you know your stuff, you can make more money starting up on
your own. Venture-capitalists are not showering money on the industry as prodigiously as
they did a year ago, but the fast growth rate means that raising capital is still easy. The big
companies are still able to trade on their brand name (nobody gets fired for hiring IBM) but
the mammals are beating the dinosaurs.

Purely technical solutions are also going out of fashion. Even the best technology
doesn’t work if the humans who operate it are careless or ill-trained. Attackers often use a
mixture of computer hacking and “social engineering” (in effect, confidence tricks) to gain
access to their targets. People who obligingly click on links or open attachments in bogus e-
mails are the single biggest security weakness: even the strongest front door is insecure if
those inside open it to all comers.

Even the best cyber-security products offer little protection against employees who
are bribed or bullied to help the attackers, or who harbor a grudge against their bosses.
Weeding out such people requires an approach more like that of the spy world. Training
loyal staff to be sensible, while not infuriating them with restrictive rules or paralyzing them
with fear, is hard. Naturally, there are up-and-coming consulting firms which stand ready to
offer these sorts of service.

Security will get worse before it gets better. The “internet of things” (hooking up all
sorts of appliances to the web) offers new opportunities for attackers. Many companies do
not have a proper understanding of the threat they face. Eventually, they will become
choosier and thriftier. But for now, cyber-security companies of all kinds can feast on
misfortune.

(Economist Newspaper Group, from The Cost of Immaturity, The Economist, Nov. 5, 2015)
