Pay-n-pray cybersecurity isn’t working. What if we just paid when it works?

Cybersecurity Pay-and-Pray

(in)Secure is a weekly column that dives into the rapidly escalating topic of cybersecurity.

Like home security, people would often rather not think about cybersecurity once they’ve paid for it. They’d rather pay and pray.

But how do you know when a security company’s software is working? With all the billions of dollars poured into protecting ourselves and our businesses online, why do hacks seem to be increasing in regularity and damages?

We spoke with Oren J. Falkowitz, a former senior-level employee at the NSA and United States Cyber Command, who has a radical idea for how cybersecurity companies should be making their money.

The problem

Our modern cybersecurity fiasco has many causes. Maybe it’s a lack of government funding and regulation. Maybe it’s large tech corporations not caring enough about privacy. Maybe it’s just a matter of educating the public and explaining in simple terms what’s at stake.

“Companies spend about $93 billion on cybersecurity, with no end in sight …”

Falkowitz has a different take. He believes the real problem is that cybersecurity profits aren’t tied to performance. “For us, it means performance-based cybersecurity and paying for results, not a failure,” he told Digital Trends. “Companies should pay for cybersecurity only when and if it performs as designed.”

That’s not how it works today. Cybersecurity experts, companies, and antivirus software are presented and purchased like an insurance plan. You pay monthly and hope that nothing bad happens. If it does, they’ll help you pick up the pieces — and maybe try to upsell you on more security.

Area 1 Security, Falkowitz’ own cybersecurity company, takes the opposite approach. Area 1 calls out the fact that people “commit to security contracts running three to five years, spending six or seven figures. But they still don’t get what they pay for.” Falkowitz believes clients should pay only for attempted crimes that are stopped. It’s an idea similar to bug bounty programs, which encourage hackers to find – and then disclose – vulnerabilities.

“Companies spend about $93 billion on cybersecurity, with no end in sight, and what’s worse, no end to the severity or frequency of cyber attacks,” Falkowitz said. “Performance-based and accountable cybersecurity will ensure that results are what drive the future innovations and successful outcomes in business models.”

You might wonder how a company could stay in business if it constantly had to prove to customers that attacks are being stopped. Area 1 Security makes it work by focusing its efforts on a particular aspect of cybersecurity — phishing.

It all leads back to phishing

“Phishing is the attack that starts the attack, it’s the root cause for an astounding 95 percent of all damages,” said Falkowitz. “The key to performance-based cybersecurity is stopping phishing.”

“Phishing is a socially-engineered attack that relies on authenticity to evade detection.”

Phishing has become the bane of the internet’s existence. From malware to stolen data, phishing is often the entry point for the worst cyberattacks we’ve seen. It usually takes the form of a fraudulent email, sent to an unsuspecting victim under the guise of an official company or organization.

The email will then prompt the reader to click a link — and once they do, the attacker’s trap is triggered. Though simple, hackers have used phishing for everything from the Clinton campaign email debacle to the devastating 2017 WannaCry ransomware attack.

“Phishing is a socially-engineered attack that relies on authenticity to evade detection,” Falkowitz explained. “It’s designed not to be caught by anyone! That’s why it works so well. Besides being effective, it’s also incredibly cheap. That’s part of why it’s so good economically to be a bad guy on the internet. If you’re an attacker and you have something that works, that most companies can’t defend against, why not keep using it?”

Area 1 Security’s system claims to stop 99.99 percent of all phishing attacks, allowing them to keep a log of the attacks they’re preventing. Its philosophy isn’t to hunt down the criminals across the internet, but instead to stop the ones who are already knocking at our doors.

“Until we take phishing as a weapon out of the hands of attackers, we’ll continue on this increasingly dangerous and expensive trajectory.”

Maybe it’s time we started asking more from the companies that claim to protect us. After all, disarming the bad guys sounds like a much better plan than waiting for them to attack.

Gaming

Rockstar Games employees defend work culture following controversy

Rockstar Games employees have taken to social media to speak out about working conditions following the controversial comment about 100-hour work weeks made by co-founder Dan Houser in an interview.
Home Theater

Cutting the cord? Let us help you find the best service for live TV streaming

There's a long list of live TV streaming services available to help you cut the cord and replace your traditional TV subscription. Each is different in important ways, and this guide will help you find the best one for you.
Computing

Did your Windows 10 audio stop working after the update? Microsoft has a fix

Microsoft has released a small patch for its October 2018 Update build of Windows 10 following some users facing audio issues that resulted in no sound output at all. After this fix, that problem should disappear for good.
Social Media

Tumblr promises it fixed a bug that left user data exposed

A bug on blogging site Tumblr left user data exposed. The company says that once it learned of the flaw, it acted quickly to fix it, adding that it's confident no data linked to its users' accounts was stolen.
Computing

Microsoft patent highlights a potential VR text input system

A new patent awarded to Microsoft could lead to a new typing method for virtual reality and on Xbox consoles. The virtual radial dial puts letters within easy reach of joystick commands and offers predictive typing, too.
Computing

Ryzen shine! AMD’s next CPUs could beat Intel at gaming in 2019

AMD's upcoming Zen 2-based Ryzen 3000 CPUs could offer as much as a 13-percent increase in instruction per clock. With clock speed or core count increases, that could gave them a huge performance boost.
Product Review

Samsung’s Galaxy Book 2 is a Surface Pro alternative with one big advantage

The 2-in-1 form factor is clearly a big deciding factor for anyone looking to buy a new device, which is why Samsung is again getting in the action this year with the new Galaxy Book 2.
Computing

Samsung Galaxy Book 2 packs Snapdragon 850 into Always Connected Windows 2-in-1

The Samsung Galaxy Book 2 is set to go on sale at the start of November and should be a solid addition the collection of Always Connected Windows laptops. It packs a Snapdragon 850 and a 20-hour battery.
Computing

A ThinkPad tablet with a foldable screen could be in Lenovo’s future

Lenovo may be working on its own version of Project Andromeda. The company is reportedly working on a 13-inch tablet that can fold down to just nine inches for travel by leveraging LG Display's foldable screen technology.
Computing

Consider an extended warranty plan if you buy a Surface Pro 6

Though Microsoft offers a standard one-year warranty on the Surface Pro 6, consumers may want to purchase an extended warranty plan if they intend on keeping their tablet longer due to the device's low repairability score.
Computing

Samsung Chromebook Plus V2 vs. Google Pixelbook

Samsung's Chromebook Plus V2 attempts to answer the question: can you spend around half as much as on the premium Google Pixelbook and be happy that you saved some serious cash?
Computing

Protecting your PDF with a password isn't difficult. Just follow these steps

If you need to learn how to password protect a PDF, you have come to the right place. This guide will walk you through the process of protecting your documents step by step, whether you're running a MacOS or Windows machine.
Computing

'World's best gaming processor'? We put Intel's new i9 through the ringer

Intel has launched the first Core i9 for the average gamer. Despite some controversies around its release, it’s the fastest gaming processor we’ve yet tested.
Computing

Google Chrome 70 is finally getting a picture-in-picture mode

Picture-in-picture mode is finally coming to Google Chrome 70 on Mac, Linux, and Windows. The feature not only applies to YouTube but also any other website where developers have chosen to implement it.