The Cybersecurity Playbook for Modern Enterprises

By Jeremy Wittkop
About this book
Security is everyone's responsibility and for any organization, the focus should be to educate their employees about the different types of security attacks and how to ensure that security is not compromised. This cybersecurity book starts by defining the modern security and regulatory landscape, helping you understand the challenges related to human behavior and how attacks take place. You'll then see how to build effective cybersecurity awareness and modern information security programs. Once you've learned about the challenges in securing a modern enterprise, the book will take you through solutions or alternative approaches to overcome those issues and explain the importance of technologies such as cloud access security brokers, identity and access management solutions, and endpoint security platforms. As you advance, you'll discover how automation plays an important role in solving some key challenges and controlling long-term costs while building a maturing program. Toward the end, you'll also find tips and tricks to keep yourself and your loved ones safe from an increasingly dangerous digital world. By the end of this book, you'll have gained a holistic understanding of cybersecurity and how it evolves to meet the challenges of today and tomorrow.
Publication date: March 2022
Publisher: Packt
Pages: 280
ISBN: 9781803248639

 

Chapter 1: Protecting People, Information, and Systems – a Growing Problem

Few people understand the sophistication of the global cybercrime community and the actors who play a role in it, how attacks happen, and why it is critical to build the proper defenses to secure the modern enterprise. The world is changing at an ever-increasing pace. The flywheel of technology innovation is spinning at such a rate that traditional change management is obsolete, and change leadership has become the norm. Each new technology that enhances the modern workplace presents new challenges for the teams chartered with securing the most important systems and information. It is impossible to predict the future, but by understanding timeless best practices, threats, and modern architectural techniques, it is possible to build a security posture that is flexible and resilient enough to meet current and future threats. Doing so is difficult and requires a deep strategic understanding of what you are trying to accomplish.

In this chapter, we will explore why cybercrime is appealing to criminals and the impact of cybercrime on the global community, introduce the core tenets of information security, and discuss the cybersecurity talent shortage. Throughout this chapter and the remainder of the book, we will explore example cases that provide real-world illustrations of the topics we will cover. At the end of each chapter, there are a few open-ended questions you should be able to answer in your own words after reading the chapter. After reading this chapter, you should be able to communicate these concepts to others and illustrate the main ideas with real-world examples.

In this chapter, we will cover the following topics:

  • Why cybercrime is here to stay – a profitable business model
  • The macro-economic cost of cybercrime
  • The role of governments and regulation
  • The foundational elements of security
  • The cybersecurity talent shortage
 

Why cybercrime is here to stay – a profitable business model

In the year 2017, if cybercrime was a country, it would have the 13th highest GDP in the world, between South Korea and Australia. In 2021, according to a recent Cybercrime Magazine article, "If it were measured as a country, then cybercrime — which is predicted to inflict damages totaling $6 trillion USD globally in 2021 — would be the world's third-largest economy after the U.S. and China." (Morgan, Cybercrime to Cost the World $10.5 Trillion Annually by 2025, 2020). The same article predicts that the number will grow to $10.5 trillion by 2025. Part of the reason for this growth is that cybercrime is an attractive proposition for attackers.

Cybercrime is a very profitable business with few risks. Think of a bank robber. Prior to the invention of the internet, if someone wanted to rob a bank, they would need to be in the same physical location as the bank and plan to physically enter the bank, demand money, and get away with the money without being apprehended by the authorities. If someone were to undertake such a robbery and were not successful, there is a significant likelihood that they would be arrested, wounded, or killed. Cybercriminals can attempt to rob thousands of banks around the globe with little fear of repercussions. If their attack is unsuccessful, they can simply move on and target another bank. Compare the risks and effort involved with the following example case:

Example Case: The GozNym Gang and the $100 Million Heist

In 2016, the GozNym gang, using a piece of malicious software known as a banking trojan by the same name, stole $100 million from individual bank accounts, mostly in the United States and Europe. The GozNym banking trojan was a piece of malicious software the gang could install that would wait for a user to log onto a bank account, and then transmit their credentials to a GozNym server. Once they had the credentials, "certain members of the GozNym crew then used the stolen credentials to access the victim's bank account, to steal money from it, and launder the funds via US and foreign bank accounts controlled by the gang." (Vijayan, 2019)

This case was one of the few where the criminals were pursued across borders, and most were brought to justice. The numbers in this case are staggering. As a criminal endeavor, what other means outside of cybercrime could a criminal gang use to steal $100 million per year? Cybercrime is profitable and has a relatively low risk because a clever piece of software can victimize thousands of people with little effort on the part of the attacker. Adding to the allure for cybercriminals, in all but the largest cases, is that it is difficult to get the international cooperation necessary to identify the members of a criminal enterprise, find those people, and extradite them to another country for prosecution. In many cases, it is an open secret that criminal gangs are operating, and there is little political will to stop them. It is worth noting that this criminal gang chose to use traditional currency and bank accounts, which made them much easier to track. Criminal gangs using ransomware and cryptocurrency for payment are far less traceable. While their exploits are generally less lucrative, their risk of being caught is also far lower.

The Romanian city of Râmnicu Vâlcea is a well-known hotspot for cybercriminals. In this city, the cybercriminals are very wealthy and are unafraid to flaunt their wealth, since there is very little fear that they will be arrested and brought to justice. Cybercrime and the internet, along with anonymous cryptocurrencies and few global authorities with the power to pursue international criminals across jurisdictions, create the perfect conditions for the growth of cybercrime. While steps could be taken to curb the rise of cybercrime, in the current environment, it is incumbent on people and organizations to protect themselves.

Most people do not realize cybercriminals benefit from an entire underground economy hosted on the dark web. The dark web is not a place but is essentially a secretive network. Think of it as the dark side of the internet. Just like the regular internet, the dark web is a collection of websites. Unlike the internet, these websites are not indexed by most search engines and require a special browser known as The Onion Router (TOR). The TOR browser is designed to make internet traffic anonymous, which is a key element for criminals in cyberspace to remain hidden. Most destinations on the dark web are not accessible to anyone who is browsing like they are on the traditional internet. The dark web is more akin to a collection of forums that have moderators and require invitations to gain access. The best example in the physical world is to think of the dark web as a network of speakeasies. Each has its own password and verifies the identities and intentions of its attendees, but once a person is accepted into a few and becomes a known entity in the underworld, they would have an easier time gaining access to other establishments.

The dark web itself serves two major purposes for cybercriminals. First, it provides access to marketplaces where stolen information can be bought and sold. Criminals may hack into a database such as Yahoo, for example, and steal millions of email addresses and passwords. The attacker may have no use for that information, so they can go to the dark web and offer it for sale. Other criminals can buy the information and use it for different purposes, such as launching a campaign against the list of email addresses to fool the user into clicking on a link or delivering a virus. Alternatively, attackers could use the email address and password combinations in popular sites to see whether the victim reuses their password so they can gain access to high-value sites to steal something of value. This underground economy provides an efficient marketplace where those who have the skills to steal data can profit from their work.

Second, the dark web offers marketplaces for criminals to purchase exploit kits containing phishing lures and malicious software or contract with other criminals for expertise they may not have. For example, if you wanted to deliver a ransomware attack, you could purchase the ransomware itself from one group, complete with documentation, instructions, and even technical support, and purchase a sophisticated phishing lure from another criminal and a list of potential victims from a third. TOR networks and botnets can be used to launch attacks to make their origins more difficult to trace. In fact, all you need to launch a relatively sophisticated and low-risk cyber-attack in the modern world is access to the dark web, a Bitcoin wallet, and a questionable moral compass.

Bitcoin and other cryptocurrencies make cybercrime more profitable and less dangerous. Whether you like or dislike cryptocurrency, there is little debate that its existence and the corresponding rise in the scale and profitability of cybercrime is no coincidence. Bitcoin is the most popular cryptocurrency. Cryptocurrencies operate on a technology known as blockchain. Blockchain is a distributed transaction ledger that allows the anonymous transfer of stored value between parties. For example, if you were to hold someone for ransom and asked them to pay you in United States dollars, somewhere there would be a record of that transaction, and with enough effort, the owner of the account, the kidnapper, would be identified. When ransoms are paid in Bitcoin, it is impossible to trace who the actual recipient of the money is or how they spent the money they received.

These factors lower the barriers to entry for cybercriminals to get into a profitable business. Never in human history has crime had higher rewards with lower risk. In fact, in some places throughout the world, there is a technically skilled population whose best economic prospects are to become criminals.

There is also a significant imbalance between the proceeds of cybercrime and the cost of cybercrime, which means the attackers are more motivated than the defenders. For every dollar cybercrime costs an economy, it generates $3 for the attacker. It stands to reason those attacks would continue to proliferate until balance is reached. If I could purchase something from you for $1 and sell it for $3, I would make as many purchases from you as I could. The equation for cybercrime is similar. While these macro-economic forces are unlikely to change in the short term, there are measures we can take to increase the costs and risks of cybercrime to make these attacks less appealing to criminals. Currently, it is far too easy for attackers to infect systems. People and organizations fail to follow simple best practices that make it significantly more difficult for attackers to be successful. Those best practices are explained in detail in Chapter 4, Protecting People, Information, and Systems with Timeless Best Practices.

Many people ask why cybercrime is growing and attacks are increasing in terms of scale, complexity, and frequency. The simple answer is that cybercrime is good business. If a person does not take moral issue with cybercrime, the economic opportunity is attractive, and the risk is lower than other criminal opportunities. In fact, economically speaking, cybercrime is the most lucrative profession available to many people around the world. However, there is another side to the equation. While criminals can benefit from crime, the damage to individual victims and economies is serious.

 

The macro-economic cost of cybercrime

The impacts of cybercrime on the global economy are significant. The impact of ransomware on infrastructure has been highlighted by the 2021 Colonial Pipeline ransomware attack, which is detailed in Chapter 3, Anatomy of an Attack. Colonial Pipeline supplied gasoline for large portions of the United States. With the pipeline offline, several states experienced gas shortages and gas prices rose significantly. The Equifax breach involved the personal information of millions of people, which contributes to the ongoing identity theft problem in industrialized nations. The American Semiconductor case, which began in 2011 and did not reach resolution until 2019, involved an existential threat to an American company that barely survived as a shell of its former self.

Each of these instances highlights the importance of cybersecurity in the modern world. Every organization, and even every person, has an interest and a responsibility in protecting their sensitive information.

While there are many direct and ancillary economic impacts of cybercrime, here are three major categories we should highlight. First, there is a global cost to identity theft. The implications for economies are significant, but behind the numbers are thousands of stories of individuals and families who have been hurt. Second, intellectual property forms the bedrock of Western economies. It could be said that all industrialized nations depend on intellectual property for prosperity; Western economies rely on personal property rights to power the economy. Finally, it is easy to lose sight of the damage done to individual companies and the employees who rely on them for their livelihood. When we look at the three major impacts of cybercrime, it is clear the damages can be devastating.

The global cost of identity theft

Identity theft has become a major problem globally. This problem impacts not only individuals but also entire economies. Personally Identifiable Information (PII) is information about an individual that can identify them from others and also could be used to impersonate them. National identifiers such as social security numbers, social insurance numbers, or other government-issued identifiers are commonly associated with PII, but other factors, such as names, phone numbers, and addresses, in combination can also be damaging. There is a well-established marketplace to buy stolen personal information on the dark web.

According to a CNBC article, "identity fraud cost Americans a total of about $56 billion" (Leonhardt, 2021) in 2020. Children are often victims and identity fraud costs generally fall directly on the consumer. As a result, a group of identity protection providers has emerged to help customers protect their identity, and if it is stolen, to pay legal fees to repair the damage. When companies lose large amounts of PII, the remedy is often to provide identity protection services for the impacted consumers.

Simply restoring an identity is not enough though. Many Western economies are consumer-driven, and if consumers are losing money to identity theft, they are not spending that money elsewhere in the economy. Therefore, the money lost to identity theft can be seen as economic leakage, causing downstream harm to businesses and individuals that are not victims of identity theft. In the United States, more than 1 in 100 people were victims of identity theft in 2020. The data privacy regulations discussed later in this chapter are the direct response from governments to this growing problem.

Intellectual property and Western economies

Most industrialized nations are built on the idea of personal property rights. Many times, those rights are dependent on the protection of intellectual property rights. It could be said, then, that the foundation of the global economy, with notable exceptions such as China, is the exclusivity of information and the ability for a person or a company to benefit economically from their ideas and discoveries. Theft of intellectual property threatens that foundation, and if intellectual property cannot be protected, companies are less likely to invest in creating new inventions, and therefore the economy will not grow as quickly as it otherwise could.

To prevent this from happening, Western economies have developed intellectual property protections that encourage discovery and offer exclusive rights for a set period of time for the person or entity that made the discovery or created the work. Intellectual property comes in many forms, with varying time limits as well as degrees of protection. In some cases, an organization could protect intellectual property in different ways. For example, a secret recipe could be protected by a patent, which would give it strong legal protections for a set period of time, after which it would go into the public domain, and anyone could see the recipe and use it for themselves. Alternatively, the company could choose to classify it as a trade secret, which has limited legal protection but no requirement for disclosure. As a result, most companies who make recipes, outside the pharmaceutical industry, use trade secrets. However, using trade secrets requires a higher level of protection to keep it a secret. Protecting intellectual property appropriately requires an understanding of the property type and the legal protections offered. Let's have a look at them.

Copyrights

Copyrights are designed to protect works such as books, movies, and music. In the United States, a copyright must be registered with the Library of Congress for legal action to be taken, but copyright is granted as soon as a work is fixed in a tangible form, meaning committed to a hard drive, a piece of paper, or otherwise taken from an idea stage to a stage where it exists in the physical world.

Copyright grants five exclusive rights to an owner, which can then be licensed to others for the owner to earn income from their idea. Those five rights are the right to reproduce the work, publish the work, perform the work, display the work, or make derivatives from the work. Copyrights are normally long lasting, designed to last more than the lifetime of the person who created the work, but eventually, works do go into the public domain where others can use the work without paying the owner. Since copyrights are designed to protect the rights of the owner of a public work, there are few information security implications for protecting copyrights.

Patents

Patents are designed to give the owner an exclusive right to an invention for a relatively short period of time. After that time, the invention goes into the public domain and anyone can use it. The easiest example to understand is with medication. To incentivize pharmaceutical companies to invest capital in researching treatments and drugs, they are granted a period of time, generally between 10 and 20 years, where they are the only company that can sell that treatment or drug, and, within reason, they can charge whatever price they would like for it. When that time expires, other companies can access the formula and produce generic versions of the drug. When the patent for Tylenol expired, for example, anyone could use the formula to make generic acetaminophen, which is the same chemical formula as Tylenol; they just couldn't call it Tylenol because the brand name was protected by a trademark.

In the United States, patents must be filed with the United States Patent and Trademark Office, which is a lengthy process. There is a period of time between when something is being discovered and tested and when it is filed for patent protection, and during that time, that idea or invention is very sensitive and should be protected. Most countries around the world that offer patent protection have a similar patent office that allows inventors to register their inventions and apply for patent protection. Also, most countries that recognize patents will also enforce patents originating in other countries to encourage trade.

Trade secrets

Trade secrets offer limited legal protection but have the advantage of never going into the public domain. In the beginning, trade secrets were protected only to the extent that the organization could keep them a secret. In 2016, the Defend Trade Secrets Act was passed in the United States, which provided a forum for victims of trade secret theft to bring lawsuits against those who have stolen or otherwise misappropriated their trade secrets if the secrets were intended to be used in interstate or international commerce. In the Act, a trade secret is defined as "all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing." (American Bar Association, 2016). There is a major caveat though, in the fact that the victim must prove they took reasonable measures to keep the information secret.

Therefore, if a company is a victim of trade secret theft and would like to bring a case, they must show what security measures they had in place to defend the secret. As a result, protecting trade secrets has become one of the most important parts of an information security program with respect to intellectual property protection. Since this is a young law, there is little precedent with respect to what qualifies as a reasonable measure. The most high-profile case so far concerns Uber and Waymo.

Example Case: Uber versus Waymo

In January 2016, a Google engineer named Anthony Levandowski left Google's self-driving car division, known as Waymo, to start his own self-driving truck business, named Otto. In August of the same year, Otto was acquired by Uber. Shortly thereafter, Waymo filed a lawsuit against Uber for trade secret theft. In 2018, 5 days into the lawsuit's trial phase, a surprise settlement was reached for approximately $250 million in Uber stock. Mr. Levandowski was eventually forced to declare bankruptcy and was sentenced to 18 months in prison for trade secret theft.

The story is not as simple as an employee leaving for another firm and taking information with him. It appears that the hiring of Mr. Levandowski was planned by then Uber CEO Travis Kalanick. "'I wanted to hire Anthony [Levandowski], and he wanted to start a company,' Kalanick said on Tuesday. 'So, I tried to come up with a situation where he could feel like he started a company, and I could feel like I hired him.'" (Larson, 2018). The question then became, was Uber part of Mr. Levandowski's plot to steal trade secrets from Waymo? Did Travis Kalanick have advance knowledge of the theft? The case was among the highest-profile trade secret theft cases in history.

This is a classic insider threat case. Anthony Levandowski was a very talented and well-respected engineer. He was trusted by his friends and colleagues at Google, whom he ultimately betrayed. When he was hired, it is unlikely he intended to cause harm to Google. At some point, his motivation changed and he became a malicious insider. The civil lawsuit between Waymo and Uber was settled, and the criminal case against Mr. Levandowski ended in a plea agreement, so we may never know exactly how Google knew he stole documents on his way out. According to an article about the case published on The Verge's website, "Levandowski stole 14,000 documents from Google containing proprietary information about its self-driving cars and downloaded them on to his personal laptop." (Hawkins, 2019). While the article doesn't explicitly state what evidence Google had to support its claim, the fact they knew the number of documents and the method of exfiltration tells us two important things. First, they had a system in place to monitor transfers from a repository where sensitive information was hosted, likely in the cloud, and second, they had their system configured to identify the difference between sensitive information and commodity information. In short, Google had an effective information protection program. If they didn't, Uber would likely be using the information to gain a competitive advantage over Google, and Mr. Levandowski would be a very rich, free man.

Defending trade secrets is difficult, but it is important. Many organizations dedicate significant capital to research and development. If the output of that research is not properly protected, an organization can fail to realize the full value of their discoveries. While Google had to spend money to defend their trade secrets in court, ultimately, they were successful in gaining both financial and injunctive relief and are free to compete in the marketplace without a primary competitor having the ability to compete against them unfairly. Now that you are aware of how trade secrets function, let's move on to trademarks.

Trademarks

Trademarks are a type of intellectual property designed to allow the provider of a good or service to distinguish that good or service from others. The intention of a trademark is to avoid customer confusion. The protection prevents someone from creating a product to compete with a well-known brand and making the name of the product and the look of the packaging so similar that the customer cannot tell the difference. Trademarks are designed to be as widely publicized as possible, so there is little need for an information security program to focus on protecting them.

Now that you have had a brief introduction to intellectual property, we should move on to the impact of cybercrime. Throughout the book, there are example cases that are designed to highlight specific concepts related to the topics we are covering. It is easy to look into the details of a case and forget about the real people behind the cases.

Micro-level impacts and responses to cybercrime

In addition to the macro-economic implications, the stories behind the headlines involve real companies and real people who are being hurt. We will examine some select high-profile example cases throughout the book to discover what happened, how similar attacks could be prevented, and just how damaging the attack was for those involved. It should be noted that many of these cases have been studied enough that root causes have been identified. While there are lessons to glean from others, I caution you against simply trying to build detection and prevention mechanisms for these specific attacks. Many security systems have tried such approaches in the past, with poor results. Trying to guess how an attacker will attack you and building an alarm to identify that specific attack pattern is ineffective. It is far more effective to identify what should happen inside your environment and build systems and processes to detect and respond to anomalies.

Each of the cases is an example of the devastating impacts of cybercrime for someone. As you read the cases, please try not to focus only on what happened technically and how these types of incidents can be prevented tactically; try to also consider the impact of the incident on the victim, the company, and the attacker. In some cases, the case seems to end well for the attacker. In many cases, it does not.

The impacts of cybercrime can be devastating, but the benefit to the attacker still outweighs the cost to individual companies. In many cases, the macro-economic damage far outweighs the direct cost to the company that failed to protect information, especially when dealing with PII. As a result, governments have introduced regulations in an effort to compel companies to protect information that has been entrusted to them.

 

The role of governments and regulation

In response to escalating costs associated with personal data theft and the identity theft that follows, governments and industries around the world have passed regulations to compel companies to take their security programs seriously. While well-intentioned, new regulations have led to a disjointed patchwork of requirements that global organizations must comply with, which can be counterproductive. However, regulations will need to balance the equation between the costs of cybercrime and the benefits to attackers if they hope to stem the tide of cyber-attacks and the growing impact cybercrime is having on the global economy.

Industry regulation

Historically, information protection regulations were created on a per-industry basis. For example, in 2004, the world's largest credit card companies' council, known as the Payment Card Industry (PCI) Council, released the first Payment Card Industry Data Security Standard (PCI-DSS). This guidance was applicable to anyone who sought to store, process, or transmit payment card data and set certain requirements based on the number of transactions a company was involved in during a given year. In 1996, the United States passed the Health Insurance Portability and Accountability Act (HIPAA), which included privacy regulations for health-related data.

Industry regulations are often prescriptive and specific when defining what types of information should be protected and how. For example, PCI-DSS has 6 control objectives that organize 12 specific requirements for anyone storing, processing, or transmitting credit card information. Because the scope of data to be protected is so narrow, giving specific guidance to companies is feasible.

As time has passed, additional industry-specific regulations have given way to broader data privacy regulations passed by governments who were interested in curbing the economic effect of identity theft. Additionally, many of the regulations are designed to establish the rights of people to exert control over data used to identify them and define the responsibilities of the organizations that collect their data.

The growing need for data privacy regulation

The invention of computers and digital storage changed the nature of data collection and control over information. The digital age has made copying data and sharing it with others easier than ever before. As technology changed and outsourcing specific functions became more prevalent, individuals lost control over who had access to information that could cause them harm. There were few rules related to how data could be handled and who it could be shared with. Furthermore, when a person provided their information, there was little transparency about how it would be used and by whom. Over the years, countless data breaches caused harm to individuals. In many cases, the organization that was breached had information belonging to individuals who had never provided their information directly. In response, governments began to pass regulations designed to establish data subject rights and severe penalties for those who violate them. The European Union's General Data Privacy Regulation (GDPR) has been the most impactful and well-known data privacy regulation.

GDPR

In 2016, the European Union sought to broaden regulations related to personal data and passed GDPR, which went into effect in 2018.

GDPR is made up of 11 chapters and 99 articles. It covers a wide variety of topics and seeks to establish data privacy as a basic right for European citizens and to give control to data subjects over how their data is used and processed. The 99 articles and 11 chapters of GDPR are detailed on the following website: https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en.

Originally, much of the conversation about GDPR was about the harsh penalties that are laid out in the legislation. Companies can be fined up to 4% of their global revenue for violations of GDPR. However, the supervisory authorities have been mostly collaborative with companies who are trying to comply and protect data subjects' personal data and associated rights. Willful negligence or a failure to exercise due care with personal data can be punished severely.

Parts of GDPR are groundbreaking and have forced companies to adopt new best practices. For example, GDPR sets limits on how long data can be retained and forces companies to map how personal data flows throughout their organizations. Both are best practices for all types of sensitive data, but prior to GDPR, few companies understood their data well enough to comply with these provisions.

Unlike PCI-DSS, GDPR must cover a broad spectrum of companies and data types, so the requirements are far less specific. Also, the regulation was written to establish rights and responsibilities, so as technology changes, the methods of protecting information can change without amending the legislation.

Example Case: British Airways

British Airways suffered a data breach in 2018 that affected 400,000 customers. The Information Commissioner's Office (ICO) is the GDPR supervisory authority in Great Britain and therefore is assigned to British Airways. After the breach was made known, the ICO investigated the factors that led up to the breach of sensitive information. The ICO determined British Airways had security weaknesses in systems processing personal information that they knew about and failed to address. In addition, the ICO determined that more people were affected than necessary based on British Airways' failure to discover and remediate the issue in a timely manner. After the investigation, the ICO said, "Their [British Airways'] failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That's why we have issued BA with a £20m fine – our biggest to date." (Page, 2020)

The source of the breach was a known vulnerability in a third-party piece of JavaScript known as Modernizr, which British Airways used as part of its payment processing site. A hacking group was able to exploit the vulnerability to redirect personal and payment information to a website they owned, which gave criminals access to crucial customer information. In many cases, companies claim they are the victim of an advanced attack when a breach occurs, but that was clearly not the case in this instance. According to a Wired article, "The vulnerability in Modernizr is a well-known one, and BA had not updated it since 2012 – long after problems were known to exist." (Stokel-Walker, 2019). Even after the breach, the ICO found British Airways had failed to take adequate steps to secure their website.

The fine was significant because it was determined that British Airways was not only a victim of a cyber-attack, but they also failed to exercise due care to protect customer information, and as a result, consumers were harmed. This was the exact situation GDPR was developed to address. The legislation provides a method for supervisory authorities to compel companies to take the protection of PII seriously.

While the fine was record-breaking, it was reduced after an appeal by British Airways citing the COVID-19 pandemic and the damage it caused to their business. The original recommended fine was £183 million. Part of the reason for the reduction between the proposed amount and the settlement amount was in recognition of the improvements that British Airways made to prevent similar events from happening in the future.

For many years, organizations have ignored security best practices and put individuals' information at risk. Because of the pace of cyber-attacks, the brand damage is often short lived, and the cost of securing information could outweigh the benefits. The implementation and enforcement of GDPR have ensured that securing consumers' personal information is good business and that failing to secure it appropriately carries severe consequences.

While GDPR is the best-known privacy regulation, there are several others around the world with similar goals that are also enforced. One of the challenges for multinational enterprises is keeping up with all the global regulations they are subject to and the changes to each.

Next, we will look at a law older than GDPR that is being updated to place a greater emphasis on individual rights to data.

Act on the Protection of Personal Information (APPI)

The next consequential legislation, Japan's Act on the Protection of Personal Information (APPI), predates GDPR. However, since the passage of GDPR, APPI has been updated to establish the rights of data subjects and the responsibilities of companies to protect personal information.

APPI was originally passed on May 30, 2003. It has been amended several times, but the most recent amendment, passed in 2020, comes into effect in April 2022. The International Association of Privacy Professionals (IAPP) often writes about changes to international privacy regulations. You can find an article on the recent changes to APPI at the following link: https://iapp.org/news/a/japan-enacts-the-act-on-the-protection-of-personal-information/.

There is commonality between the objectives of APPI and the objectives of GDPR, but the rules are different. As a result, companies operating in Europe and Japan must build their security programs to meet the requirements of both jurisdictions.

California Consumer Privacy Act (CCPA)

It is difficult to operate globally and comply with different regulations between countries and regions. However, in the United States, the situation is much worse. In the absence of national data privacy regulations, many states have begun passing their own patchwork regulations. The most comprehensive and well-known is the California Consumer Privacy Act (CCPA), but there are separate pieces of legislation across many states that further complicate compliance efforts. CCPA was largely based on GDPR. However, it has fewer articles and has expanded the definition of personal information to include information that can be used in machine learning datasets. There is a good summary of CCPA provided by Thomson Reuters Westlaw at the following link: https://govt.westlaw.com/calregs/Browse/Home/California/CaliforniaCodeofRegulations?guid=IEB210D8CA2114665A08AF8443F0245AD&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default).

When studying regulations around the world, some common themes emerge:

  • Data subjects own the data that identifies them. People who store, process, or transmit it are granted the license to do so only through consent and they do not own the information.
  • Companies who collect information cannot sell or share that information without the consent of the data subjects.
  • Data subjects should know exactly how data about them is being used.

Many companies are under direct attack through this type of legislation, such as advertising companies that curate lists and social media companies that trade free services for information about individuals that they can profit from.

There are several other privacy regulations passed by individual countries, such as PIPEDA in Canada and Australia's Privacy Act. Most new regulations deal with personal information and many of the objectives are similar. However, the responsibilities a company has under each law can be contradictory. Multinational enterprises struggle with a regulatory tapestry that grows in complexity with each passing year.

There is no doubt that identity theft is a major problem globally. However, the patchwork of regulations around the world makes it difficult for short-staffed security teams to comply with the regulations. Furthermore, security begins where compliance ends, and if security teams are spending all their time on compliance initiatives, there is little time remaining for those teams to focus on their primary mission.

While data privacy regulations are growing in popularity, data sovereignty regulations also exist. The primary difference between data privacy and data sovereignty is that data privacy is designed to control who can access information, whereas data sovereignty primarily regulates international data transfers.

Data sovereignty regulations

Many regulations are designed to control the flow of data between countries. In most cases, data can be transferred under certain circumstances. The stated purpose is to ensure private data is not transferred to countries where the government can infringe upon privacy rights. Countries such as China and the United States, where the government has the power to compel companies to share information about individuals without their consent, are often primary targets of data sovereignty rules. There are differing opinions about the right to privacy among countries around the world. As a result, many countries seek to limit the flow of information across borders. However, these regulations often create complexity in the modern world. Information does not respect terrestrial borders, and cloud services are designed to optimize performance, not to operate in specific jurisdictions. As a result, the unintended consequence is to make it more difficult for companies headquartered in countries with restrictive data sovereignty rules to be competitive globally. Few new regulations include data sovereignty elements, but many restrictive data sovereignty rules still exist.

Another area where governments have regulated business affairs that relates to information security is the idea of workers' councils. Workers' councils are designed to represent the interest of employees and balance power between labor and companies. While these councils serve many functions, among them is reviewing a company's plans for employee monitoring and electronic surveillance.

Workers' councils

In several countries, such as Germany, Switzerland, and the Netherlands, workers are granted rights and representation that allow them input into how employees are monitored in the workplace. These workers' councils often hold significant power and must be consulted before a company can implement security controls that monitor employee communications and behavior. The rules and objectives differ between jurisdictions, but the councils are in place to prevent employers from using electronic surveillance in an oppressive manner.

However, to protect information and comply with relevant regulations, organizations must implement forms of electronic monitoring. As a result, these conversations become an important element of a security program. The types of issues raised by workers' councils are often related to whether the systems can monitor worker productivity, invade their privacy with respect to personal communications, or present the opportunity for human bias to influence the security program. Security professionals operating in these areas must listen to the workers' councils and become skilled in explaining what the intention of their controls is and how they will protect workers' rights throughout implementation and operation of their controls.

These types of regulations allow governments to exert influence on how data is collected, stored, processed, or transmitted. They have been implemented to correct an imbalance or to compel organizations to secure information properly. Simply complying with regulations does not constitute an effective security program. Compliance regulations set rules for what an organization can and cannot do. Security is the art and science of protecting people, information, and systems.

 

The foundational elements of security

Many people look at information security as a highly technical field and allow themselves to be distracted by technical jargon or complex attack tactics. Security is quite simple. Many of the concepts that apply to security have corollaries in the physical world. Throughout human history, people have been protecting assets of value. Knowing what you are trying to protect is the first step. The foundation of security is protecting people, information, and systems. While strategies, tactics, and technologies can be technical and confusing, the basic underlying principles are easy to understand. Albert Einstein once said, "If you can't explain something simply, you don't understand it well enough." I challenge all security leaders to learn to explain their strategies and tactics in simple terms. In order to do so, we need to go back to the basics.

People

There is a major misconception that information security is all about technology. Technology plays a role, but ultimately, every security breach starts with a person, and the vast majority of attackers launch their attack against an individual person as well. The real story of security is one of people attacking people and it is as old as humanity itself. From the beginning of time, as soon as one group of humans amassed something of value, it became necessary to protect it from other humans who would take it from them if they could. As we organized into tribes, societies, and ultimately nations, the concentration of wealth grew.

The internet has connected the world and changed it forever. For many centuries, access to knowledge was a source of wealth. In the modern world, anyone with an internet connection and a device can access any information they desire. This connectivity has offered great benefits to society and the global economy. However, with great power comes great responsibility. Since information can now move more freely than ever before and can be replicated across systems in microseconds, it can be stolen or otherwise exploited just as quickly. However, people don't adjust their habits as quickly as technology accelerates.

People are fallible by nature. Most exploits are delivered through the applications people are most familiar with and trusting of, such as email. Many attacks are designed to trick people into doing something they would not normally do. All these types of attacks are collectively known as social engineering. Social engineering is simply an attempt to convince someone to do something that is not in their interest for the benefit of the attacker. We will discuss social engineering types in detail in Chapter 5, Protecting against Common Attacks by Partnering with End Users.

Since people are often the weakest link and the last line of defense, educating and supporting people is the first pillar of an effective information security program. Additionally, looking for behavior patterns is an effective way to identify attacks early and mitigate their impact on a person or organization.

The unfortunate truth is not all security challenges related to people are accidental on the part of the trusted insider. There are three categories of human-based insider threats to an organization. First is the well-meaning employee, who accidentally puts information or systems at risk. This can be due to seeking the most expedient way to accomplish their job function, a failure to adhere to best practices, such as reusing passwords between personal and corporate accounts, or negligence in terms of their responsibilities in handling sensitive information. The second is the compromised account. This threat is based on an attacker gaining access to an employee's credentials in some way and using those credentials to masquerade as the employee. There are many ways accounts can be compromised, and if there is a program in place to identify signs of a compromised account early, there are effective ways to mitigate the risk. However, if an attacker can compromise an account and remain undetected, they can cause massive amounts of damage in a relatively short period of time. Finally, there are malicious insiders. These are people you have provided access to who intend to do harm to the organization. It is important to note that most insiders don't start as malicious; they become that way based on changing circumstances.

It is important to understand the categories of insider threats and respond to them appropriately. If you treat a malicious insider as a well-meaning employee, you will give them time and insight that will allow them to do more harm to the organization. If you treat a well-meaning employee like a malicious insider, you will alienate them at best. The objective should be to identify the type of insider you are dealing with and respond appropriately.

Information

The term information security indicates that the point is to protect information, but many programs inexplicably deprioritize the information-specific controls in their security programs. Many security practitioners have become enamored with technology and tactics and forget about what is most important. People are the first pillar of security because it is people who are attacking systems to steal information, and it is often people who are being exploited by attackers to get into the environment. Information is a close second, because that is the target and that is the valuable item the program should be trying to defend.

There is a well-known information security concept known as the Confidentiality, Integrity, and Availability (CIA) triad. Data breaches are attacks against the confidentiality of data. Although less common, attacks where someone is trying to modify a record, such as if you were to hack into your bank and lower your credit card balance, are an attack against integrity. Ransomware is an attack against availability. The key point to remember is that what matters is the confidentiality, integrity, and availability of information. As a result, an effective program understands what information is important, where it resides, and how it should be protected.

With respect to understanding information and how it flows inside an organization, there are three aspects to consider. First is the content. What is the information we have that we should protect? How do we define it? What makes it sensitive? Second is the community. Who is authorized to interact with the information? Who should not interact with the information? Are those that are allowed to interact with the information allowed to share it with others? If so, whom? The third is the channel. When information is moving, how should it move? What are the authorized repositories for the information? Putting these three elements together allows you to understand the authorized behavior of information and the acceptable use of sensitive information by people in your organization. Once you have identified who in the organization will be handling sensitive information, you can support those people with additional training on what their responsibilities are and how that information should be handled and used. Since you have defined the authorized behavior of the information, you now can implement technologies to detect unauthorized movement of data and unauthorized interactions between information and people.
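The content, community, and channel model above can be written down as a small policy and evaluated against transfer events, which is also how "what should happen inside your environment" becomes something a system can check. The following sketch is an added illustration, not code from the book: the labels, groups, channels, user names, and events are all constructed assumptions.

```python
"""Content / community / channel policy check over transfer events.

Added illustration: every label, group, channel and event is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

COMMODITY = "commodity"  # label for information that needs no special handling

# Hypothetical policy. For each sensitive content type it records the
# community (groups allowed to handle it) and the authorized channels.
POLICY = {
    "trade_secret": {
        "community": {"rnd-engineering"},
        "channels": {"design-repo"},
    },
    "pii": {
        "community": {"customer-support", "billing"},
        "channels": {"crm", "secure-message"},
    },
}


@dataclass(frozen=True)
class Transfer:
    user: str
    group: str
    content: str   # classification label attached to the document
    channel: str   # how or where the document moved
    doc_id: str


def evaluate(event):
    """Return the reasons an event falls outside authorized behavior."""
    if event.content == COMMODITY:
        return []
    rule = POLICY.get(event.content)
    if rule is None:
        # Fail closed: a label with no policy entry is reported, not ignored.
        return ["unknown-content-label"]
    reasons = []
    if event.group not in rule["community"]:
        reasons.append("unauthorized-community")
    if event.channel not in rule["channels"]:
        reasons.append("unauthorized-channel")
    return reasons


def summarize(events):
    """Per user: distinct documents moved outside policy, and why."""
    docs = defaultdict(set)
    reasons = defaultdict(set)
    for event in events:
        found = evaluate(event)
        if found:
            docs[event.user].add(event.doc_id)  # retries count once
            reasons[event.user].update(found)
    return {
        user: {"documents": len(docs[user]), "reasons": sorted(reasons[user])}
        for user in docs
    }


def bulk_movers(events, threshold):
    """Users with at least `threshold` distinct documents outside policy."""
    summary = summarize(events)
    return sorted(u for u, s in summary.items() if s["documents"] >= threshold)


# Constructed sample events.
EVENTS = [
    Transfer("avery", "rnd-engineering", "trade_secret", "design-repo", "D-001"),
    Transfer("avery", "rnd-engineering", "trade_secret", "personal-device-sync", "D-001"),
    Transfer("avery", "rnd-engineering", "trade_secret", "personal-device-sync", "D-002"),
    Transfer("avery", "rnd-engineering", "trade_secret", "personal-device-sync", "D-002"),
    Transfer("avery", "rnd-engineering", "trade_secret", "personal-device-sync", "D-003"),
    Transfer("blake", "customer-support", "pii", "secure-message", "C-104"),
    Transfer("casey", "marketing", "pii", "email-attachment", "C-104"),
    Transfer("casey", "marketing", "commodity", "email-attachment", "M-900"),
    Transfer("devon", "billing", "payroll", "crm", "P-001"),
]

if __name__ == "__main__":
    for user, result in sorted(summarize(EVENTS).items()):
        print(user, result)
    print("bulk movers:", bulk_movers(EVENTS, threshold=3))
```

Because the policy describes authorized behavior rather than a specific attack, an authorized user moving sensitive documents through an unauthorized channel is reported with a document count, while commodity traffic produces no findings.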

The other key element of information is understanding its life cycle. The first aspect is to understand how information comes into the environment. Is it created by our organization as is often the case with intellectual property? If so, who creates it and what is its journey from the idea stage through legal protection in the form of a patent or copyright? If it is a trade secret, protecting it becomes even more important because there are few internationally recognized legal protections for trade secrets. In other cases, such as PII, the organization does not create the information, rather it is entrusted with the information by a data subject or a customer. In that case, it is important for the organization to understand the mechanisms it uses to collect information. What are the ways a customer could provide their information to us? Do we have safeguards to ensure sensitive information isn't inadvertently provided through other channels? Once the customer provides their information to us, where do we store it? Storage is the second stage of the information life cycle.

Storage refers to where and how information is stored inside and even outside your environment. Some organizations outsource the storage and processing of information to third parties. This type of arrangement has become popular with credit card information, especially for smaller organizations that do not have the proper resources to comply with the rigors of the PCI-DSS. Other organizations use cloud storage offerings such as Software as a Service (SaaS) or Infrastructure as a Service (IaaS) platforms. While these solutions are often seen as an extension of the organization's environment, there is also a shared security model that must be understood by the organization, so it is clear what responsibilities they have and what responsibilities the service provider has in the arrangement. In every arrangement, controlling what information is stored in which location and who has access to that information is the responsibility of the organization. Those responsibilities cannot be transferred to the cloud provider. It is also likely that different security tools and controls will be necessary to secure cloud environments. Since the organization does not own the infrastructure, many of the traditional tools used to secure information on-premises will be impossible to deploy, ineffective, or both.

The third stage of the life cycle is transmission. Most information will be transmitted at some point throughout its life cycle internally, externally, or both. While sensitive information is in transit, it can be vulnerable as not all transmission methods are created equal in terms of security. It is important that individuals and organizations weigh the risk posed by each transmission method against the need for efficiency of the transmission. Generally, more secure transmission methods are more onerous for the users involved in the transmission. For example, sending an email with an attachment is very expedient, but it isn't the most secure transmission method. This is likely acceptable for most email exchanges containing commodity information. If the information should be protected but the communication is still necessary, such as when my doctor's office sends me health information, a secure message is likely an acceptable solution. This requires me to log in to view the encrypted message and is more secure than a traditional email. When more sensitive information is being shared, a secure share with multifactor authentication is likely more appropriate. This method will require the recipient to take multiple steps to access the information but will be a much more secure transmission method. These are just a few examples. There are countless methods of transmission to choose from. Choosing the right transmission method requires an analysis of the sensitivity of the information, the need for expediency and a seamless end user experience, and the frequency of transmission. It is important that a thoughtful analysis is conducted and methods are selected for each sensitive information type. By being intentional about authorized transmission methods, the organization can put more meaningful controls in place to identify deviations from acceptable practices.

The final stage of the information life cycle is data destruction. At one point, retention requirements only stipulated a minimum amount of time information should be retained. As a result, most organizations simply didn't delete anything. This led to a scenario where over-retention was often the largest source of residual information risk in an organization. Europe's GDPR seeks to put maximum limits on data retention. GDPR states that data subject information must only be retained if it provides business value, consent to the information is not withdrawn by the data subject, or retention is required by law. GDPR stipulates that organizations destroy data that no longer has business value. As a result, when organizations collect PII from European citizens, they must plan why they need the data, how long they need it, and how it will be destroyed when it no longer has business value. While GDPR requires this discipline only for European citizens' PII, it is in the organization's best interest to apply it throughout their information protection program.

Systems

The ability to secure systems has been impacted significantly by the rapid adoption of cloud-based technologies. Systems security falls into three major categories: securing on-premises workloads, securing cloud workloads, and securing endpoints. Each of these categories poses its own challenges based on the access and responsibility of the organization to provide security. Each category also has specific technology solutions designed to help an organization fulfill its responsibilities given the level of control it has over each environment.

Example Case: Citibank and Lennon Ray Brown

Lennon Ray Brown was a trusted Citibank employee who had privileged access to Citibank systems. In December 2013, Mr. Brown had a discussion with his supervisor about his performance. Reports vary with respect to whether the discussion was a scheduled performance review or simply a discussion about Mr. Brown's performance at Citibank. Regardless, Mr. Brown did not like the conversation. In response, "Brown caused the transmission of a program, information, code and command, causing damage without authorization to a protected computer." (Department of Justice–Northern District of Texas, 2016) Mr. Brown had knowledge of the network and completed his actions with malicious intent.

"Brown knowingly transmitted a code and command to 10 core Citibank Global Control Center routers, and by transmitting that code, erased the running configuration files in nine of the routers, resulting in a loss of connectivity to approximately 90% of all Citibank networks across North America." (Department of Justice–Northern District of Texas, 2016) After he took down most of the Citibank network, Mr. Brown went home. It is not immediately clear why the last router did not go down, taking the entire network down with it, but Mr. Brown's intention was to damage the systems he had access to.

Ultimately, Lennon Ray Brown was sentenced to 21 months in prison and ordered to pay restitution of $77,000. Mr. Brown did not make good choices, but the case highlights the fact that any trusted insider could become malicious based on circumstances that may not be foreseen. It is important to apply the concept of least privilege and the separation of duties to ensure a single rogue employee cannot cause catastrophic damage. Monitoring privileged employees is also important. Monitoring employees may not prevent them from doing something damaging, but it may dissuade them from doing so because they know they will be held accountable if they do. As the saying goes, good fences make good neighbors. To be clear, there is no evidence Citibank did anything wrong in this case. The fact that a case was made and justice was served indicates that Citibank had the proper monitoring of privileged users in place. However, the key lesson is you cannot always anticipate where an insider threat may come from. If Citibank thought Lennon Ray Brown was likely to do something like this, they would have never hired him. Malicious insiders don't often start out malicious; they become that way.
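The separation-of-duties and privileged-user monitoring controls described above can be expressed as detection logic over command-accounting records. The following is an added example, not code from the book; the log format, field names, action classes, thresholds, and sample records are all constructed assumptions.

```python
"""Flag privileged changes on core network devices that lack independent
approval, and single accounts changing many core devices in a short window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical, already-normalized format.
SAMPLE_LOG = """\
2024-03-01T17:55:02 user=asmith device=core-rtr-01 tier=core action=config-change change=CHG-1001 approver=jdoe
2024-03-01T18:02:10 user=ops1 device=core-rtr-01 tier=core action=config-erase change=- approver=-
2024-03-01T18:02:40 user=ops1 device=core-rtr-02 tier=core action=config-erase change=- approver=-
2024-03-01T18:03:05 user=ops1 device=core-rtr-03 tier=core action=config-erase change=CHG-1002 approver=ops1
2024-03-01T18:20:00 user=jdoe device=edge-sw-14 tier=access action=config-erase change=CHG-1003 approver=asmith
2024-03-01T18:30:00 user=asmith device=core-rtr-04 tier=core action=show change=- approver=-
"""

CHANGING = {"config-change", "config-erase"}  # assumed action classes
WINDOW = timedelta(minutes=10)                # assumed look-back window
MAX_CORE_DEVICES = 2                          # assumed per-user limit inside WINDOW


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect(log_text, window=WINDOW, max_devices=MAX_CORE_DEVICES):
    """Return alerts as (rule, user, detail) tuples, in log order."""
    alerts = []
    recent = defaultdict(deque)  # user -> (ts, device) of recent core changes
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only configuration-changing actions on core devices are in scope.
        if rec["tier"] != "core" or rec["action"] not in CHANGING:
            continue
        user, device = rec["user"], rec["device"]

        # Separation of duties: a change needs a ticket approved by
        # someone other than the person making the change.
        if rec["change"] == "-" or rec["approver"] in ("-", user):
            alerts.append(("no-independent-approval", user, device))

        # Blast radius: one account changing more than max_devices
        # distinct core devices within the sliding window.
        events = recent[user]
        events.append((rec["ts"], device))
        while events and rec["ts"] - events[0][0] > window:
            events.popleft()
        devices = {d for _, d in events}
        if len(devices) > max_devices:
            alerts.append(("blast-radius", user, tuple(sorted(devices))))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The first rule is preventive if it is enforced at the point where commands are authorized, while the second only detects, so it should page a human quickly rather than feed a daily report.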

This case also highlights the fact that insider threats don't always leave an organization with data. Many common perceptions revolve around the theft of intellectual property, as was highlighted in the Uber versus Waymo example case. However, sometimes malicious insiders target systems and intend to cause damage to avenge a perceived slight, rather than targeting privileged information for personal or financial gain.

Protecting systems is very important. Most organizations put protections in place to prevent intrusions from outside the organization. The preceding example case highlights the additional challenges posed by insider threats. When protecting systems, there are two major categories of systems that need to be protected: on-premises workloads and cloud workloads.

Securing on-premises workloads

On-premises workloads are easier to secure than their cloud counterparts because all aspects of securing them are well understood by the security team. Also, the workloads are under the full control of the organization. From physical security to network security and through the application stack, solutions and best practices for security exist.

The traditional on-premises layered security approach starts at the perimeter and flows through the network, endpoints under the control of the organization, applications, and ultimately to critical information. This approach is antiquated for most modern organizations. For most practitioners who are familiar with the recent changes in the IT reference architecture for organizations, a major challenge is immediately apparent. Organizations no longer own their perimeter since there is no meaningful perimeter between on-premises workloads and cloud-based workloads. Organizations also no longer own their networks: remote work was beginning to be normalized before the COVID-19 pandemic in 2020 and has now become the standard mode of operation. While some companies may have staff return to the office full time after the pandemic is over, many will continue to provide flexible work arrangements, remote work arrangements, and hybrid work models to their employees.

As a result, it should be assumed that any controls dependent on a user being connected to the corporate network are partially effective at best. Also, with the rise of easily accessible SaaS solutions, most organizations allow access to workloads from employees' personal devices, either explicitly or by default because they lack the ability to stop employees from logging in from non-corporate devices. While Cloud Access Security Broker (CASB) solutions offer controls to only allow connections from corporate devices with up-to-date security software and settings that comply with the corporate endpoint security posture standards, most organizations have not deployed that level of control.

Additionally, applications are no longer exclusively on-premises and neither is information. This means that this entire model, while useful for building the on-premises portion of an information security program, is no longer a comprehensive framework for information security. In the modern world, cloud security must also be considered as part of systems security, and congruent capabilities for both should be deployed so people, information, and systems are protected comprehensively regardless of the source location or destination location of the connection.

In addition to the layers in the traditional model, many of the traditional monitoring and response capabilities have been focused on on-premises workloads. Both Security Information and Event Management (SIEM) technology solutions and Security Orchestration, Automation, and Response (SOAR) technology solutions have been built on log aggregation. Both solutions are designed to aggregate information and, in some cases, allow organizations to take action across multiple technologies. Cloud-native solutions and Managed Detection and Response (MDR) capabilities are beginning to replace legacy on-premises systems, but many similar monitoring and response capabilities for cloud workloads remain delivered by disparate systems. Because securing on-premises workloads is so different from securing cloud workloads, many organizations keep those disciplines separate. Doing so presents both efficiency and efficacy challenges to an organization. While it is necessary for tactics and technologies to differ across on-premises workloads and cloud workloads, the overarching capabilities and objectives should be congruent.

Securing cloud workloads

Many organizations struggle to properly secure cloud workloads because they lack a fundamental understanding of the shared security model. The shared security model shows what organizations are independently responsible for and what their cloud platform vendors are responsible for with respect to security. Understanding the shared security model requires a basic understanding of the main flavors of cloud services.

SaaS includes thousands of offerings that allow applications to be consumed as a service, rather than deployed on servers. SaaS platforms were the first to be adopted and have the largest market share of any of the cloud platforms. Microsoft Office 365, Box.com, and the Customer Relationship Management (CRM) portion of Salesforce.com are popular examples of SaaS applications. In a SaaS environment, the vendor takes on most of the responsibility for security because the consumer has limited capabilities to secure their own SaaS environment.

IaaS includes a smaller number of offerings, the most well known of which are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). IaaS offerings offer many styles of computing power that can be rented monthly or provisioned in a way where you are billed for what you use, like an electricity utility. Since you are given significant control over this environment, you are responsible for far more of the security stack than you would be for a SaaS platform.

Platform as a Service (PaaS) confuses many people because it sits somewhere in between SaaS and IaaS. To further confuse the matter, most of the popular PaaS offerings are offered on platforms that also have SaaS or IaaS elements. For example, Salesforce is a SaaS offering, but the underlying Force.com platform is a PaaS offering that offers a suite of tools and capabilities to develop custom applications that can go far beyond CRM. Also, there is a marketplace where developers who have developed applications on the Force.com platform can sell their applications to other Salesforce customers as add-ons. Popular add-ons to Salesforce include commission tracking software, Sarbanes–Oxley (SOX) compliance software, and even ticketing systems. Also, AWS has several offerings that could be considered PaaS offerings. Their generic compute workloads, such as Elastic Compute Cloud (EC2), are clearly IaaS offerings, but offerings such as Lambda and Elastic Beanstalk, also offered by AWS, are clearly PaaS offerings.

Distinguishing PaaS from IaaS has significant security implications as will be demonstrated by the shared security model. What is the difference between PaaS and IaaS? IaaS provides underlying infrastructure and operating systems only, while PaaS also provides a development environment to allow developers to focus on coding and not on deploying and managing the software necessary to create the environment. It is the middleware between the operating system and the application that is being developed that distinguishes PaaS offerings.

Due to the differences in the models, it stands to reason that the provider would be responsible for different aspects of security in each. Conversely, the consumer of the services always has some responsibility as well. While awareness is growing, there was an early misconception in the wave of cloud computing adoption that when an organization moved to the cloud, security was solely the cloud provider's responsibility. Some elements of a security program, such as physical security and network security, become the cloud provider's responsibility in all cases. Some elements of security, such as governing access to the environment and securing the data inside the environment, are always the responsibility of the consumer. Gartner and others have published statistics that state most cloud data breaches are likely to be the customer's fault. This has been proven true. There are a few cases where cloud providers failed in their responsibilities, but many where the customer failed to meet theirs. Some of the failures are due to poorly deployed and configured controls. Others are due to a lack of understanding of who was responsible for each security layer. There are many versions of a shared security model that can be found, but the following is mine. Regardless of which model you refer to, it is important to understand your responsibilities:

Figure 1.1 – Shared security model for various cloud computing environments


In response to the growing adoption of cloud computing, security solutions have been developed to help customers meet their responsibilities. Traditional on-premises tools could not be deployed in a SaaS environment, for example, so new tools had to be developed and deployed. Since SaaS solutions were the first to be widely adopted, CASBs were developed to help customers meet their specific responsibilities in SaaS models. However, as many organizations embraced IaaS solutions, they tried to apply their CASB solutions to their IaaS environments. While CASB solutions will integrate with the Application Programming Interfaces (APIs) of popular IaaS environments, they were developed to help with information protection, data classification, and access control, the customer's responsibilities in the SaaS model. They were not developed to address application security, operating system configuration and patching, host security, or network security. As a result, many organizations have significant gaps in their security posture. In Chapter 6, Information Security for a Changing World, we will explore the cloud security landscape in detail and revisit the shared security model.

Next, let's move on to securing endpoints.

Securing endpoints

Securing end computing devices or endpoints is a part of security that has received significant attention and investment over the last decade. Originally, antivirus technology, such as McAfee and Symantec, would detect malicious software based on signatures. Essentially, when a new type of malicious software was identified, the team at McAfee or Symantec would build a profile of that malicious code and look for it on machines where the endpoint was installed. There are two major problems with this approach. First, there is a period of time between when a piece of malicious software is developed and when a signature is created. Malicious software in this period is called a zero-day threat. Traditional approaches offer no protection against zero-day threats. Second, and more commonly a problem, over the years the number of different types of malicious software packages grew to the extent that matching against an ever-increasing number of signatures became inefficient, and the antivirus software consumed an increasing percentage of the host resources, which were needed to perform the intended function of the device.

Starting in 2011, next-generation endpoint protection platforms began to emerge. These platforms, such as CrowdStrike, Carbon Black, and Cylance, deployed techniques such as machine learning, advanced response capabilities, and scanning for indicators of compromise rather than simply looking for virus signatures. These more feature-rich endpoint protection platforms have significantly increased the security of corporate endpoints when compared to their predecessors.

However, an increasing amount of information and workloads that belong to an organization is being accessed by endpoints they do not own or control. Bring Your Own Device (BYOD) has become popular for mobile devices in most organizations because cloud computing makes data accessible from anywhere and most employees don't want to carry a separate phone for personal and corporate use. While Mobile Device Management (MDM) solutions exist, they are not as feature rich as endpoint protection platforms, and they are not widely deployed to employees' personally owned devices. As a result, securing endpoints in the modern world has become a more difficult challenge.

 

The cybersecurity talent shortage

To add to the problem, there is an extreme shortage of cybersecurity professionals to help organizations defend themselves. According to a 2019 Cybercrime Magazine article, "there will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014." (Morgan, Cybersecurity Talent Crunch To Create 3.5 Million Unfilled Jobs Globally by 2021, 2019). To add to the challenge, even when an organization hires a cybersecurity analyst, they don't stay in their role for long. According to the National Cybersecurity Training Academy, "The typical tenure for an IT Security Specialist is less than 1 year." (National Cybersecurity Training Center, 2021). If we are to meet the cybersecurity challenges of the future, we need to attract and train talent to fill these positions at an unprecedented level.

While the talent shortage remains a major problem, cybersecurity challenges are becoming a board-level conversation for most organizations. The news cycle continues to raise awareness of cyber threats. However, while major attacks against large companies grab headlines, little is done to communicate the scope and breadth of the problem to the average person. For every data breach or ransomware attack that makes headlines, hundreds go unnoticed. Worse yet, many attacks by truly sophisticated attackers may never be detected. The future of information security as a discipline is dependent on the ability to attract and retain new cybersecurity professionals. It is important for current professionals to be ambassadors to the next generation. There are few career paths with more opportunities or better job prospects. If you are considering a career in cybersecurity, please join us. We need you.

 

Summary

The challenges facing modern security teams are immense and rapidly evolving. As many security practitioners lament, the security team must be right 100% of the time and an attacker only has to get lucky once. While attackers can and do get lucky from time to time, assuming attackers are attacking organizations or individuals blindly is a misunderstanding of the current threat landscape. In most public cases, attackers are not getting lucky. They are launching their attacks using well-researched tactics against the weakest parts of an organization's security posture. Many times, the source of the breach is an employee who was not supported properly by training and technology and made a mistake, or a system that was left vulnerable long after a patch for a security vulnerability was available. It is true that no matter how well a security program is built and managed, it will not be impenetrable. However, there are many best practices and strategies available that will limit the likelihood and impact of an attack.

After reading this chapter, you now understand why cybercrime is attractive to criminals and the impacts it has on the global economy. You've learned about costs associated with identity theft and the different types of intellectual property, and how the proper protections for a piece of intellectual property vary based on the type of intellectual property and the associated legal protections. You have learned about how governments are responding to cybersecurity challenges around the world across data privacy, data sovereignty, and workers' councils. Finally, you learned about the foundational elements of security and the cybersecurity talent shortage that is making it so difficult for organizations to secure their environments. This knowledge will help form the basis of your understanding of cybersecurity and provide you with a framework to understand and articulate security concepts.

In the next chapter, we will specifically cover the human side of cybersecurity. Cybersecurity is fundamentally a people problem where people are attacking people. Understanding the people behind the attacks and the tactics is a critical element to establishing a cybersecurity foundation.

 

Check your understanding

  1. What makes cybercrime attractive for criminals?
  2. Why is cybercrime damaging to companies and the larger economy?
  3. What are global jurisdictions doing to convince organizations to harden their defenses?
  4. Choose a case from the chapter and describe what happened in your own words.
  5. What are the three foundational elements of cybersecurity?
 

Further reading

About the Author
  • Jeremy Wittkop

    Jeremy Wittkop has spent over a decade architecting, implementing, and managing information protection programs with a focus on helping multinational organizations comply with a changing regulatory landscape and protecting their most sensitive intellectual property. As InteliSecure's former chief technology officer, Jeremy was a foundational architect for InteliSecure's internationally recognized data protection, cloud security, and user and entity behavior analytics services. Jeremy is a trusted information protection thought-leader and a published author, blogger, public speaker, and advisor to clients as well as public and private equity investors.
