The threat posed by ransomware and other modern cyber attacks has cast a spotlight on the need for good cybersecurity hygiene across all sorts of organizations.
Recent reports estimate ransomware attacks cost more than $30 billion annually. And ransomware groups aren’t just targeting big corporations, military or industrial organizations. They’re also going after schools, hospitals and other targets that are an essential part of everyday life, points out Eric Trexler, the senior vice president for U.S. public sector at Palo Alto Networks.
“It’s impacting hometown America,” Trexler said on Federal News Network “It’s expensive. And they’re not equipped, both in personnel and funding, to deal with it effectively today.”
Government agencies and other organizations are having to defend against ransomware and other cyber threats amid a cybersecurity workforce shortage, while also shifting to new tactics like zero trust security. Artificial intelligence and other emerging technologies create further opportunities and challenges for organizations.
Trexler pointed to the Cybersecurity and Infrastructure Security Agency’s “Stop Ransomware” website as a useful resource for any organization wondering how it can stop threat groups from locking up and ransoming their data.
“It’s an amazing page to really help individuals and also organizations better protect themselves and better understand the problem,” Trexler said. “It’s a great benefit from our government.”
Rather than rushing to buy a cybersecurity product or service, Trexler said organizations should start their cybersecurity journey by understanding the risks to their organization and their “high value assets.” War gaming and other exercises can help them understand how exactly an adversary might target them and what they’ll need to do in the event of a cyber incident.
“Too often, we’re in conversations where we’re working with the cybersecurity teams and they can’t articulate why they’re trying to do something or why they want to buy a product,” Trexler said. “It’s not about products. It’s about protecting the organization, the agency, town hall, the hospital, whatever it may be.”
Zero trust is a journey
Federal agencies and big corporations are increasingly setting up their cybersecurity strategies around implementing a zero trust architecture. Zero trust is based on the principal that organizations should never trust, but always verify when someone or something is seeking to access its networks or data.
Trexler said organizations still need to go through the basics of baselining their cybersecurity risks and then defining what they need to do with a zero trust architecture to address those risks.
“It’s not a product problem,” he said. “It’s what do you want to accomplish? What are the business outcomes you’re looking for? Understanding those and then applying technology and capability. And you need to do it in the construct of modernization and consolidation.”
Trexler said zero trust is a “journey,” not an end state that can be reached by ticking off the boxes on a checklist or buying any one product or service.
“Too often, I see people who ask us to ‘zero trust’ a part of their business,” he said. “I don’t even know where to start with that. So we have to do a lot of discovery to understand, what do you mean? What are you trying to protect? How are you trying to protect it? Why are you trying to protect it? And then we can bring technology to bear.”
Cyber workforce shortages
Even as they attempt to defend against quickly evolving cyber threats and implement new paradigms like zero trust, organizations of all shapes and sizes face a massive cybersecurity workforce challenge.
CyberSeek, a research project funded through the National Institute of Standards and Technology, estimates there are more than 570,000 cybersecurity job openings nationwide.
“There aren’t enough people in the industry, so we’re still learning as we bring new people into the industry,” Trexler said. “It’s getting back to business. It’s not a technology problem, per se. Cybersecurity exists to protect the business from adversarial activity.”
Beyond traditional IT skillsets, Trexler said there’s an opportunity for creative individuals to break into the cyber industry.
“The creativity that I’ve seen brought into the industry, from people who don’t have an IT or a computer science degree, is incredible,” he said. “So many times, their minds are more open to the art of the possible. That’s where innovation comes from. So there’s an endless amount of opportunity.”
AI can be ‘friend or foe’
Meanwhile, agencies and companies across the world are considering how they can apply artificial intelligence and machine learning to their operations. In the cybersecurity arena, AI technologies pose the potential to be “friend or foe,” Trexler said.
“Adversarial activity with AI is speeding up. It’s getting creative. Think about deep fakes. Think about someone who doesn’t speak English very well, who can use an AI tool to write a phishing email that you and I might actually click on it,” Trexler said. “So the adversary is using it very heavily to attack us and creating a faster time to penetrate the targets.”
However, cyber defenders are also finding utility in AI and automation to help address security challenges, especially amid the shortage of cyber talent.
“We’re using it in our technology, our tools with our customers, to lower meantime to detection, and meantime to remediation,” Trexler said. “How do we how do we respond and then fix that? We don’t have enough humans. Humans can’t get to all the alerts that are out there. So we have to look at machine based ways to get the really hard problems to the humans, but just machines handle everything else, because the adversarial activity is speeding up significantly.”