While leading a cyber incident response, a client asked me how they could justify buying preventive security equipment to their executives. This is the same story that security professionals are faced with all the time. In companies where IT is not the primary revenue stream, security is always, has always been, and will always be a pure cost. By pure cost, I mean that security contributes no direct income to the bottom line. Of course, academics and IT gurus blog frequently about risk and how security keeps the revenue stream from drying up; just look at companies that have lost millions due to cyber breaches. Unfortunately, in these cases, security can only be described as having an indirect influence on the bottom line. Stockholders and members of the board (in my experience) have a hard time understanding the minor nuances of indirect influence on revenue. I’m not going to go into the details on why business analysts and consultants make a ton of money determining the true cost of anything, but suffice it to say that direct costs are easy to equate and indirect costs are more challenging. Of the indirect costs, security proves to be one of the more difficult.
Recently we hosted a group of journalists at the opening of our new Forensics Lab in Columbia, MD. In characterizing the state of cybersecurity, I told them that I think we are at a very important moment which we are going to look back on and realize this is when the public and private sector came together to begin to deal with the problem of cyber threats and attacks in a different way.
In the past year, we have seen a significant increase in the number of Android-based attacks. Kaspersky Labs was first to report on a recent campaign where a series of attacks were unleashed using Android malware, and it is not a surprising development. As the number of Android devices increases in the market, they become a much more viable target for malware-based attacks, especially when one considers the number of financial transactions taking place from these devices. I do want to preface this post by stating that while Android-based malware is on the rise, we are not seeing a decrease in PC-based malware attacks.