show image

The evolution of cybercrime is affecting data security

Fundamental to digital transformation is that enterprises are simply generating more data than ever before. It’s part and parcel of a knowledge-driven economy and how enterprises create and deliver value. All of this data—stored in an ever-shifting array of locations and repositories—simply presents more opportunity to the cybercrime industry.

“Apps” are fundamental to digital transformation. They—manifested as mobile apps, customer portals, and websites and even as APIs—are now the defacto way enterprises interact with businesses and consumers. This exploding app universe is a direct gateway to enterprise data, and expands the potential attack vectors available to the cybercrime industry.

“Knowledge workers” now comprise over 100 million. For example, when bringing in a new hire, most managers extend an implicit trust so that person can perform their duties. The new hire is made privy to certain enterprise data assets. Also all the data security risks associated with using contractors.

Looking externally, enterprises strive to let customers easily and directly access a multitude of apps and the data available through them. This is in fact one of the ways enterprises generate the data that is so valuable. Paradoxically, this now turns consumers—coupled with all of their intrinsic security flaws (e.g., weak password reuse)—into an attack vector.

Evolution of data monetisation

In a knowledge-driven economy, enterprises have two core assets:

  • Data, which is their IP
  • Apps, which are the manifestation of their business processes

Since the origin of mankind, criminals have made money in two ways:

  • Extortion
  • Theft

Cybercriminals are no different, and the cybercrime industry makes its money targeting these two enterprise assets.

Extortion attacks directly targeting data didn’t exist at scale until the relatively recent ransomware explosion—such as those instances that targeted a number of hospitals in 2016. Ransomware targeting file servers is presently the most prevalent; expect cybercriminals to develop other extortion-type attacks (such as this or this) on a continual basis.

DDoS (distributed denial of service) is textbook extortion targeting enterprise apps, although perpetrators are also looking at other methods. Hackers can now lock all of the doors at a hotel and demand a ransom to unlock them. This gives new meaning to “denial of service.”

Direct data breaches of database repositories are ultimately an insider threat problem. In almost all cases, they involve either:

  • A malicious insiderwho already knows where the data is and has access to it, and has and takes the opportunity to steal it for their own gain
  • Careless or compromised users – while not malicious—take actions that expose either themselves or the data they can access to external cybercriminals

An asset-centric security posture

Information Security is different than any other IT problem because there is a financially motivated opponent. As long as there is money to be made—whether via extortion or theft—there will be actors constantly evolving their tactics. What they target remains constant: data, and the apps that front it.

We’ve seen the beginning of a shift away from focusing on the “attack du jour” (aka the latest tactic) and towards an emphasis on better visibility and protection of the core assets that cybercriminals target, regardless of what tactics they may use at any given time.

Application and data protection—whether protecting against extortion or theft—ultimately comes down to these essentials.


  • Protect apps wherever they are, in the cloud or on-premises.
  • Leverage actionable threat intelligence.
  • Automate blocking with accuracy.


  • Know where your enterprise data is located, who is accessing it, and when.
  • Frequently reassess whether data access on every level is acceptable.
  • Position ops teams to immediately respond to risky data access in order to contain the threats.

Are your core data assets protected?

The existence of the cybercrime industry is predicated upon the fact that your data has value. While cybercriminals will continually evolve their tactics, what they’re after won’t change. Here are ten questions we’ve seen organisations use to “self-assess” how well their core data assets are protected.

  1. Where specifically, is private data located?
  2. Who is accessing data? Should they have access to the data?
  3. Which users have access to the data, but do not use it?
  4. How do they access it?
  5. What level of risk is acceptable?
  6. Who is responsible if data is lost?
  7. Who is responsible for monitoring that data?
  8. Can you determine which data has been lost in a breach?
  9. Are the processes for answering these questions repeatable, scalable, timely and cost-effective?

Organisations that can satisfactorily answer these questions are in good shape to manage the risk posed by the cybercrime industry regardless of what tactics/attacks that industry is using at any given time.

Morgan Gerhart is vice president at Imperva