“Security is a process, not a product.” - Bruce Schneier
From the mainframes of the '60s to today's complex networked world, cybersecurity has been an intrinsic part of our digital evolution. Most cybersecurity professionals will agree it has been a relentless game of cat-and-mouse, as security experts continuously fend off cyber threats while hackers look for the next loophole to exploit. However, an interesting pattern emerges if we take a closer look at the ever-evolving cybersecurity landscape.
Historically, our approach to cybersecurity has often been much like dousing a fire, reacting to attacks, and then strategizing defenses. But what if we could predict the flame before it even sparks? What if we could change the game and become the proactive cat, anticipating the mouse's moves?
As we look back at the evolution of cybersecurity, our defenses are transforming from reactionary to increasingly proactive, paving the way for a more secure cyber future. In this article, we reflect on the evolution of cybersecurity, what we’ve learned, and explore the next era of risk management.
The 1960s: The Dawn of Cybersecurity
Cybersecurity was almost nonexistent in the 1960s, and the concept of a "cyber threat" was largely unheard of. At this stage, computers were massive and costly, used mainly by military entities and academic researchers. These systems were shared among multiple users, creating a need to prevent unauthorized access to sensitive data. And thus, user passwords were born, one of the earliest data security efforts.
The 1970s: Networking, Worms, and the First Antivirus
The need for cybersecurity heightened in the 1970s as computer networks were launched. The Advanced Research Projects Agency Network, better known as ARPANET, came to life in this period, the first network to allow computers in different locations to “talk” to each other. While ARPANET was a major breakthrough, it also brought new challenges. As computers began to share information, the question of how to keep that information safe became more critical than ever.
The 1970s also saw another significant event in the history of cybersecurity - the birth of the first computer worm, AKA the "Creeper."
While Creeper was not created to be harmful, its ability to replicate and spread autonomously presented a new potential threat, leading to the development of what could be considered the first antivirus program, "Reaper."
Takeaway: The 1970s demonstrated that as networks expand and technology becomes more complex, so does the nature of potential threats. Little did IT teams know at the time, but ARPANET, Creeper, and Reaper would set the stage for the future of cybersecurity.
The 1980-90s: The Birth of the Internet & Malware
As computers became more prevalent, so did the threat of malicious software and hacking. The 1980s witnessed the emergence of the internet, followed by (not surprisingly) computer viruses. The infamous Morris Worm highlighted the vulnerabilities of early networked systems. Antivirus software was developed to detect and neutralize the threats, marking a significant step in protecting computer systems from malware, although the solution would become antiquated in a few years.
Now that the internet was more accessible to consumers, users started adding their personal information online, an open invitation for hackers. Towards the late '80s and into the early '90s, America Online (AOL) customers became targets of phishing attacks, tricking them into revealing their passwords and resulting in unauthorized account access. The malicious messages were among the earliest phishing attacks, a common threat today.
Lessons Learned: The Morris Worm incident and AOL phishing attacks were early wake-up calls about the vulnerabilities of the internet and the precautions users must take for safe internet usage. Responses to the new threats were reactive and understandable since the cybersecurity and data protection journey was still in its infancy.
The 2000s: The Turning Point in Cybersecurity
In 2000, with computers now mainstream and email an essential communication tool, the most destructive computer virus of its time was unleashed. Originating from the Philippines, the ILOVEYOU virus was transmitted via email with the subject line "ILOVEYOU" and an attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs." The virus impacted millions of computers worldwide, overwriting files and emailing itself to everyone in the user's address book. The incident crippled communications of investment banks, public relations firms, and the Dow Jones Newswire and took down servers at the UK House of Commons, AT&T, Ford Motor Company, and even Microsoft. All told, the estimated damages amounted to $10 billion.
Lessons Learned: The incident further illustrated the scale of potential cyber threats, the speed at which they could spread, that humans are the first line of defense, and the importance of backing up your files. The sheer scale of ILOVEYOU and the damage it caused also marked a turning point in how cybersecurity threats were perceived and handled.
Industry Response: The incident prompted numerous reactive security measures, including:
- Security Software Improvement. Software companies accelerated the development of heuristics-based detection methods to allow antivirus software to detect new, unknown viruses by looking for known malicious behavior patterns rather than relying solely on virus signature databases.
- Email Client Security. How email clients, including Microsoft Outlook, handled attachments changed. For instance, Outlook started blocking certain types of attachments by default, including those with a .vbs extension, which was the type used by the ILOVEYOU virus.
- User Education. Security awareness training, anyone? The incident led to a broader awareness of phishing and the importance of educating users about malicious messages.
- Legislation and Regulation. In the Philippines, where the virus originated, there were initially no laws under which the creator could be prosecuted, prompting the enactment of the E-Commerce Law in 2000 to penalize various cybercrimes.
- Incident Response Planning. Organizations started to realize the importance of having a proper incident response plan, including identifying and analyzing potential threats, implementing protective measures, establishing detection mechanisms, and creating a comprehensive response and recovery plan.
The 2010s: Rise of Ransomware & Third-Party Data Breaches
By this era, cyber criminals were upping their game, increasing the volume of hacking attempts, targeting big brands, and using third parties to infiltrate networks. Remember the Target breach of 2013 in which hackers used an HVAC vendor to breach the retailer? Or the 2014 Home Depot breach from cyber criminals stealing credentials from a third-party vendor?
The risks that third-party vendors pose became a painful and expensive reality, with the Target and Home Depot breaches costing nearly $1 billion combined. Additionally, ransomware attacks increased in the latter half of the era, with the notorious WannaCry entering in 2017. WannaCry infected an estimated 230,000 computers across 150 countries in just hours, spreading through computers running Windows that had not been patched against the EternalBlue exploit and demanding ransom payments in Bitcoin.
In response to the devastating incidents of the era, we saw the rise of cybersecurity insurance, advanced encryption techniques, multi-factor authentication, and of course, third-party risk questionnaires. More proactive solutions, like the MITRE ATT&CK framework, also debuted in 2013 to help illuminate the various stages of a cyber attack, detailing the tactics, techniques, and procedures (TTPs) that attackers use to breach networks. To this day, MITRE helps organizations better prepare for, detect, and respond to cyber threats. Shortly after MITRE was introduced, the NIST Cybersecurity Framework was unveiled, offering organizations guidance on preventing, detecting, responding to, and recovering from cyber threats and a standardized language to talk about the risks.
Takeaway: The 2010s brought a wave of change for cybersecurity. The need for cybersecurity became widely recognized, third-party risk management gained attention and priority, and overall, it was a hell of a decade for data protection.
The 2020s: Attack Volume and Sophistication Grows
Enter the 2020s, when a global pandemic changed how we work, organizations became increasingly reliant on third-party technologies and applications, cyber-attacks rose to unprecedented levels both in volume and sophistication, and cybersecurity talent was (is) in short supply. Vigilance is the name of the game, and the stress levels of cybersecurity leaders run high.
Without question, cybersecurity isn’t for the weak at heart, and fearing the risks is futile; we can only learn from them, adapt to the changing threat landscape, and continue to iterate and innovate, recognizing that legacy security practices are quickly becoming antiquated.
Additionally, the lines between cybersecurity and third-party risk are becoming blurred. Our biggest risk today is cyber risk, and to survive, organizations need a better, more efficient, and seamless way to manage it, whether a first-party or third-party threat.
Enter the new era of risk management and a bold and proactive announcement from CyberGRX and ProcessUnity.
A New Era of Third-Party and Cyber Risk Management
2023 and beyond marks a new era of risk management, in which resource efficiency, risk focus, and innovation are key themes, and that is precisely why two third-party risk management powerhouses have merged.
Together, CyberGRX and ProcessUnity bring to market the industry’s most powerful platform to uplevel an organization’s ability to identify, assess, analyze, and ultimately reduce risk within its ecosystem. The combination of ProcessUnity’s premier platform for accelerating TPRM program processes and the world’s first and largest global cyber risk exchange created by CyberGRX, backed by validated third-party data and advanced cyber risk intelligence, centralizes and standardizes vendor risk management and enables leaders to directly and proactively respond to the most significant risks facing global enterprises today: third-party and cyber.
Organizations must adapt to the changing market conditions and evolving threat landscape, including:
More Efficient Use of Cybersecurity Resources
Vendors, overburdened and fatigued due to resource constraints and the exponential growth in assessment requests each year, can now:
- Complete fewer assessments while satisfying more customer assessment requests
- Keep complete control over what assessment information is shared with each customer
- Lower customer due diligence and compliance costs
- Win new business faster and retain more clients
Meanwhile, customers short on staff but with a growing third-party ecosystem can leverage artificial intelligence, machine learning, and natural language processing capabilities that work alongside third-party risk teams to accelerate vendor due diligence, onboarding, and offboarding processes. How so?
- Predictive Risk Profiling: Anticipate how a given third party will answer assessment questions with up to a 91% accuracy rate.
- Automated Inherent Risk Scoring: Prioritize assessment strategies based on the likelihood a vendor will have a cyber incident and its potential impact.
- Policy Evaluation: Scan and score vendors’ policies, procedures, and supporting documentation against common frameworks, regulations, and standards to reduce inconsistent, time-consuming, manual document reviews.
More Focused and Effective Risk Mitigation
One of the biggest challenges to risk management has been knowing where to look and identifying the most significant risks. This, too, is shifting to advanced data intelligence, allowing organizations to see which third parties do not meet control standards, where the biggest security gaps lie, and where regulatory compliance is insufficient.
The combined CyberGRX-ProcessUnity platform enables the ability to:
- Complete periodic post-contract due diligence on-demand
- Conduct baseline cyber program maturity assessments and prioritize security improvements for risks, controls, and policies in collaboration with their third parties
- Monitor the severity, likelihood, and impact of third-party risks
- Align audit and certification efforts across one or multiple frameworks
- Make smarter cybersecurity investments with real-time budget data
- Deliver board-level summaries of third-party cybersecurity program effectiveness
With a more focused approach to cybersecurity, security leaders can reallocate resources from chasing assessments to analyzing and proactively mitigating risks, protecting their organizations confidently.
The Journey Ahead
The evolution of cybersecurity from a purely reactive discipline to a more proactive one mirrors the growing complexity of threats. Learning from our past, we can forge a more secure future where anticipation, proactive mitigation, and innovation are central to our defense strategy. As we advance into the next cybersecurity era, we’ll be better equipped to handle increasingly sophisticated threats; we’ll be able to predict the flames before they spark. And we’re well on our way to becoming the proactive cat who spots the mouse’s moves.
To learn more about CyberGRX and ProcessUnity, schedule time with our team.