The true cost of cybercrime revealed and how to put a dent in it

Governments face the difficult task of protecting their services from cyberattacks. Michael Mestrovich, Chief Information Security Officer (CISO) at data security company Rubrik, shares his thoughts on how government organizations can “up their cyber defensive posture.”
The risk of cyberattacks is something every government faces. It’s an increasing threat in a turbulent world as both hackers and rogue states work to undermine vital national infrastructure.
The scale of the issue can often be difficult to comprehend. But Michael Mestrovich, Chief Information Security Officer (CISO) at data security company Rubrik, highlighted one figure that puts the scale into startling context.
“The studies I’ve seen show that cybercrime is on track to be a US$10.5 trillion business by 2025, which would make it the third largest economy on the planet,” he says.
This would make the annual cost of global cybercrime larger than every economy on earth apart from the United States and China, and Mestrovich says the threat will only grow as a result of what he calls a “target-rich environment.”
“We’re more and more connected as a society. There’s just so much IT infrastructure out there, and so many people depend on information technology in the course of their daily lives,” he says.
Other factors that contribute to the growth of cybercrime include the rise of ransomware attacks—where hackers launch attacks with the aim of holding data and systems hostage for a payout—and the proliferation of cryptocurrencies that make tracing the money nearly impossible.
Another major challenge is that there aren’t enough cybersecurity professionals to match the scale of the problem, with Mestrovich sharing that there are an estimated 3.2 million unfilled cybersecurity jobs globally—a gap that can’t be closed quickly.
“So you’ve got a lot of susceptible technology and not necessarily a lot of cyber experts out there to secure it. This creates a vulnerability, and threat actors have jumped in to take advantage of it.”
Given both the scale of the threat and the scarcity of skills, Mestrovich says governments need to coordinate the global response. International meetings have been set up to help governments share intelligence, and Mestrovich says governments are also taking steps to work out how to share limited cybersecurity resources.
“[Governments are asking] how do we pool our resources to provide umbrella cyber coverage for a lot of organizations? Through offering cybersecurity services as a service that other organizations can buy into? That’s one model. Putting out playbooks so that organizations know directly how to implement good cybersecurity practices is another avenue.”
Getting your own online house in order
Governments also need to have their own cybersecurity up to scratch, given that data is increasingly vital for public services.
In the US, President Joe Biden signed an executive order in May 2021 that aims to improve the nation’s cybersecurity by removing barriers to modernizing cybersecurity standards across the federal government. It also specified the creation of a standard playbook for responding to cyber incidents and measures to better enable governments and private sector organizations to share information about threats.
Mestrovich—whose previous roles include being CISO at the Central Intelligence Agency—says that it is vital that all government organizations and entities “up their cyber defensive posture.”
“I am a big fan of collaboration among government entities, sharing threat intelligence and best practices. I think there’s a lot of stuff that governments themselves can do to up the game for IT infrastructure within government.”
However, he warns there is no simple cybersecurity checklist to follow. Building proper security requires “a lot of commitment of resources and a lot of commitment of time” to get right.
“It’s not cut and paste as every organization has built something a little bit different,” he says. “You have to secure bespoke infrastructure, so it’s not a trivial task. But security is ultimately the best defense.”
And that defense requires vigilant individual workers who need to be able to spot and report phishing emails and unexpected password reset requests, for instance. They also need adequate, up-to-date technology to ensure maximum security.
Mestrovich stresses that it is important organizations focus on what might seem to be the basics of cybersecurity.
“These basics are things like not running end-of-life hardware and software and having accurate accounting for all the technology that you’re responsible for: phones, laptops, servers, network switches.”
Once an organization has a full picture of the assets it has, it can then make sure the assets are patched with new security software and work out the extent of exposure to any new vulnerabilities.
“I make it sound simplistic, and obviously it’s not. It’s complicated and hard, but the basic foundations of good cybersecurity aren’t terribly difficult. We’ve just had a long, long history of not being able to implement them correctly at scale.”
Another key element is what Rubrik terms “Zero Trust architecture.” Mestrovich explains that this means thinking about how to balance what he calls friction—two-factor authentication and password resets for example—and usability across organizational systems.
“I come from an IT operations background, and we always wanted to reduce the friction on the user,” he says. “But Zero Trust really means that we shouldn’t strive for ease of use exclusively.
“Just because you log in once doesn’t mean you should have access to absolutely everything on the entire infrastructure. You should have access to it for as long as you’re logged in, and you should be forced constantly to reassess and prove who you are and why you need any bit of information.
“We want to do that in a way that’s not too invasive, but which gives us the accuracy we need to make an informed decision on granting access to data and applications.”
“Data is the crown jewel”
Although cybersecurity across all parts of an organization is vital, the critical layer of protection has to be around data, as ultimately, that is what the hackers are after, Mestrovich says.
“I’m not saying in-depth defense [in an organization] is bad; defense in depth is incredibly important. But it needs to include defense of your data, because that’s the crown jewels, and a lot of organizations have stopped short of securing their data,” he says. “There needs to be a concerted effort around putting protections in place so data is encrypted and backed up in an immutable file system. That’s the thing that people need to understand: the bad guys are after the data.”
Some organizations have been slow to wake up to this, he says. “If you’re a large government organization and, for example, you’re processing tax records, then you know how valuable that information is and are doing everything possible to protect that information. But I think some other organizations are just waking up to the value of the data they have and realizing what’s mission-critical for them. I don’t think people have reached the same place mentally across the board.”
Indeed, most government organizations don’t know where their vital information is, according to Mestrovich, given the range of ways people work in the flexible working era—across shared and local drives and on work and personal devices.
“People are ingenious,” he says. “They figure out all kinds of different ways to use applications, which means they get data, they manipulate it, they may send it back, they may store it on their local personal drive. So, an organization’s data moves all over the place, and people are naïve if they believe they have a handle on where all of their data is.”
Protecting data is therefore Rubrik’s key service—to government agencies and beyond.
“Rubrik is not going to stop a ransomware attack from hitting an organization; that’s not where we play from a technology perspective,” Mestrovich says. “What Rubrik is able to do—if you are hit with a ransomware attack—is roll back your data so that you can resume business operations very, very quickly. We can also then help organizations understand how a bad actor got into their environment, where the malicious files were, and help customers understand where important data is in their environment.”
Helping public sector organizations protect their vital data was what attracted Mestrovich to join the company as CISO in May 2022.
Looking ahead, he says there is still a chance to put a dent in the cost of cybercrime before it becomes the world’s third-biggest economy.
“We’re seeing the threat landscape change, and Rubrik was really exciting for me in terms of its solutions to help drive down cybercrime. By denying the criminals the thing they need to make money—the data—Rubrik has a really sound technology that could make a serious dent in the trajectory of cybercrime.”