Tackling cyber complacency

Emerging Risks Interview: Daryl Crockett, CEO of ValidDatum.

Cyber-attacks have continued to hit the headlines in recent months with large-scale private corporations and government entities both targeted, especially by sophisticated criminal organisations with an often impressive arsenal of weapons at their disposal. Now the Biden Administration has launched a task force in an attempt to address the issue of cyber security, joining a worldwide effort to fight back against a recent flood of ransomware and cyber-attacks. Here Daryl Crockett, CEO of ValidDatum, talks to Emerging Risks about the latest trends in this area and assesses the risk that businesses face.

The emergence of cyber mercenaries is one of the most worrying trends. It’s really interesting and scary that now we have an organised crime faction that will sell themselves to the highest bidder for very specific attacks and targets. It’s not even that a country or group has to develop all of the skills necessary to infiltrate. We now have an evolving model of cyber-crime and cyber terrorism that can be paid for in almost a capitalistic model.

If you develop a specialty in a certain area, then that specialty can be put up for sale to various groups who might have specific targets in mind, or methods of entry that work nicely with the skillset of the cyber mercenaries.

That’s a game changer, because if you think about it, each entity or gang that wanted to do these attacks had to develop this in-house experience and all of these tools themselves. Now, we not only have talent for hire, we also have ransomware as a service. And that’s extraordinary. We have software as a service, data as a service, platform as a service. Now we have ransomware as a service, where software groups that specialise in developing this ransomware can then license it out to distributors who will then go and find entry points using their craft, which is maybe phishing or other targeted types of entry points. And then, everybody is in a strange way – but actually a naturally evolved way – doing what they do best.

What that allows is for funding to follow talent, just as it does in the commercial world, and you have a much faster speed to market. When one area is shut down you are able to switch teams or swap out skillsets much more quickly than you were before, in order to continue making headway and engaging in criminal activity or whatever it is that you are attempting to do with your software.

It’s been described as a 21st century business, given the level of sophistication. Would you agree?

Absolutely. It is a comparable business. But then ask yourself what is the goal of a commercial business? Its goal is to make money for its shareholders. That is not the goal of these cyber attack businesses. Their goal is to take money from businesses, and what really concerns me is the economics of all of this. Because, if you think about it, now valuable resources within corporations are being diverted not to help the business become more efficient or to develop supply chains or more productivity, it is strictly to defend what they have. And that is an expensive proposition; it is an enforced expenditure which has minimal economic benefit because it does not increase productivity per se, it really just strengthens the walls. So it’s a reduction in overall value and a wasted effort. It’s like repairing a bridge. Repairing a bridge really does us no good, but building a new bridge that can carry twice as many cars in an hour is an increase in our overall productivity and efficiency as a society.

Are you surprised by the vulnerability of organisations to cyber-attack?

I’m not surprised in the United States because we have had our head in the sand for a really long time. They are starting to change, but for the most part US companies have had the feeling that the odds were in their favour and that they didn’t really have anything worth stealing, and that if it came to an attack or ransomware demand then they had insurance. I think that model has emboldened the criminals because they know that they can go and attack US businesses and have a better chance of getting money if it’s ransomware in particular.

There was a certain degree of complacency then?

A certain degree? I’d say full-hearted complacency. In 2018 when the European Union implemented the GDPR, you enforced a level of data privacy regulation that was quite onerous, and one could argue an economic disadvantage to the EU compared to the rest of the world. That’s the way I viewed it at the time. But the somewhat unintended consequence of that has been a strengthening of data security to the point that I believe the UK and the EU have an economic advantage in that area. You have gone through the other side and you have these procedures in place. Yes, there is still a risk, especially for the really sophisticated attacks, but for the less sophisticated attacks and even the more sophisticated ones, you are in a much better position than the US and the rest of the world.

ValidDatum specialises in data management, cyber-security, data protection & privacy.
