Have global economic factors obstructed the fight against ransomware?
Cybersecurity companies are largely incentivized to sell a remedy and not a cure, and that's something we don't talk about enough within the community. The moment COVID began, I said, "There's no way any company will invent a one-shot-and-you're-done, smallpox-type vaccine." It's not profitable; if you owned the business, you just wouldn't do it. Maybe you would if you were doing something for the good of the world, but cybersecurity companies don't, and we don't even ask them to.
For example, I asked software vendors, "We have this list of the 200 dumbest passwords in the world every year. Why are those passwords not hard-coded in software to be prohibited?" It's an easy fix. Every vendor could do it, but none of them will, because security leaders aren't asking them to, and the market's not going to pay them to do it. They're just selling the next feature instead of adding 200 hashes, and then we get into this situation where the tools and solutions are a remedy that treats the ailment. But so much of the SMB market will never be able to have the commensurate level of spend.
In the US, 46% of GDP is SMBs. Global cyber spend is $167 billion, and $85 billion of that is within the top 1,500 companies plus the US government. The rest of it is spread across every other company in the world. That is such a fragmented market that it's not appealing for cyber vendors to try to solve it; the cost of acquisition is too high. So managed security service providers (MSSPs) that can do this and provide a service are the only way that mass-market consumers will be protected, unless it's mandated and Google says you have to do it for them, which I don't think is realistic.
There has to be some monetary motivation. How difficult is it to add the hash? I know some places already require you to have something complex and won't allow you to use "password" or your name.
Those are great points, and I would argue that that's unlikely to change soon. I'm assuming that these companies are not doing it because they know that what they're doing is wrong, but because it's the only avenue to a customer. A large "endpoint security company" makes money on that strategy, and yet most of us would agree that a typical in-depth endpoint-to-the-center security strategy doesn't work anymore. But it's the best way to show some sort of value: people have to put in two-factor authentication, their clients get scanned for viruses daily or weekly, they get patch updates and have a firewall, etc.
I've seen successful companies that are okay with cannibalizing their own cash cow. Certain firewall companies will just add more things to their firewall product so it can be everything to everybody. But these vectors and actors are new and novel. They already know all the locks and the keys of your firewall.
Which company out there is monetarily motivated and okay with cannibalizing some of the products that they already have out there? Security is fickle, and coming up with something new impacts their bloodline or their cache line. The money piece is a big motivator.