Ransomware Is Growing Three Times Faster Than the Spending Meant to Stop It (ciphercue.com)

by adulion 90 comments 89 points


[−] alopha 31d ago
The idea that the spending needs to grow linearly with the growth is a damning indictment of the mindset of the vast ineffectual mess that is the cybersecurity industry.
[−] reliabilityguy 31d ago

> damning indictment of the mindset of the vast ineffectual mess that is the cybersecurity industry

Cybersecurity is not about stopping issues but about compliance and liability. Attend RSA once, and you will see it yourself.

[−] HPsquared 31d ago
It makes sense when you consider the main threat you are protecting yourself from is lawsuits.
[−] bluGill 31d ago
The lawsuits come from the issues though.
[−] HPsquared 31d ago
"We did everything we could, like any decent person would"
[−] tialaramex 31d ago
Exactly, it's very 'No Way to Prevent This,' Says Only Nation Where This Regularly Happens
[−] bigfatkitten 31d ago
It’s not a popularly held mindset, either within the security industry or outside of it. This piece seems to be pitched at salespeople whose only job is to extract money from other companies.

Basic security hygiene pretty much removes ransomware as a threat.

[−] mschuster91 31d ago

> Basic security hygiene pretty much removes ransomware as a threat.

It does not. The problem is, as long as there are people employed in a company, there will be people being too trustful and executing malware, not to mention AI agents. And even if you'd assume people and AI agents were perfect, there's all the auto updaters these days that regularly get compromised because they are such juicy targets.

And no, backups aren't the solution either, they only limit the scope of lost data.

In the end the flaw is fundamental to all major desktop OSes - neither Windows, Linux nor macOS meaningfully limits the access scope of code running natively on the filesystem. Everything in the user's home directory and all mounted network shares where the user has write permissions, bar a few specially protected files/folders, is fair game for any malware achieving local code execution.

[−] ArcHound 31d ago
AFAIK the idea is to have backups so good that restoring them is just a minor inconvenience. Then you can just discard encrypted/infected data and move on with your business. Of course that's harder to achieve in practice.
[−] supertrope 31d ago
If the important data is in a web app and the Windows PC is effectively a thin client, this lowers the ransom value of the local drive. Of course business disruption in the form of downtime, overtime IT labor cannot be mitigated by just putting everything online.

The next step is just to move to security by design operating systems like ChromeOS where the user is not allowed to run any non-approved executables.

If tricking a single employee can cause an entire company to stall out, it's a process issue. Just like how a single employee should not be able to wire out $100,000.

[−] finghin 31d ago
Sleeper agent malware is a thing, especially in high-risk situations. If somebody has had a dormant RAT installed since year X-1, it's going to be impossible to solve that in year X by using backups.
[−] mschuster91 31d ago
In the end the limiting factor will be the bandwidth of your disk arrays... enough compromised machines and they will get overwhelmed.
[−] Veserv 31d ago
That does not work. They just infect you and do not demand a ransom for a few months as they encrypt all your data going to the backup. Now your backups are also encrypted going back multiple months and you have to discard months of work.
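As an added example (not code from the thread or from any commenter), here is one defender-side check for the slow-burn case Veserv describes: ransomware that quietly encrypts data for months poisons every backup generation taken in that window, so a backup job that compares each new generation against the previous one and flags files whose byte entropy jumped into the ciphertext band can hold a suspect generation before it rotates still-clean ones out of retention. The thresholds, file names and sample bytes below are constructed for the example and are not figures from the article or the discussion.

```python
"""Entropy-drift check between two backup generations (added example)."""
import math
import random
from collections import Counter

# Threshold choices are assumptions for this example, not numbers from the thread.
HIGH_ENTROPY = 7.2   # bits/byte; encrypted or compressed data sits near 8.0
ENTROPY_JUMP = 2.0   # minimum rise between generations to count as suspicious
ALERT_RATIO = 0.25   # hold the generation when this fraction of carried-over files jumped


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_drift(prev: dict, curr: dict) -> list:
    """Return (path, old_entropy, new_entropy) for every file present in both
    generations whose entropy rose sharply into the high-entropy band.

    Comparing against the previous generation, rather than using an absolute
    threshold, keeps legitimately random-looking files (compressed images,
    archives) from being flagged as long as they are unchanged."""
    flagged = []
    for path, new_bytes in curr.items():
        old_bytes = prev.get(path)
        if old_bytes is None:
            continue  # new file: nothing to compare against
        old_e, new_e = shannon_entropy(old_bytes), shannon_entropy(new_bytes)
        if new_e >= HIGH_ENTROPY and new_e - old_e >= ENTROPY_JUMP:
            flagged.append((path, round(old_e, 2), round(new_e, 2)))
    return flagged


def should_alert(prev: dict, curr: dict) -> bool:
    """True when enough carried-over files drifted that the new generation
    should be quarantined for investigation instead of accepted into rotation."""
    common = [p for p in curr if p in prev]
    if not common:
        return False
    return len(entropy_drift(prev, curr)) / len(common) >= ALERT_RATIO


def sample_generations() -> tuple:
    """Two constructed backup generations (in-memory stand-ins for files):
    generation 1 is clean; in generation 2 three documents have been silently
    replaced by ciphertext-like random bytes of the same length."""
    rng = random.Random(2024)  # fixed seed so the constructed data is reproducible

    def random_bytes(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    text = b"Quarterly figures: revenue up, costs flat, headcount 42.\n" * 40
    gen1 = {
        "docs/q1.txt": text,
        "docs/q2.txt": text[::-1],
        "docs/notes.txt": b"lorem ipsum " * 200,
        "media/logo.png": random_bytes(2048),  # high entropy is normal here
    }
    gen2 = dict(gen1)
    for path in ("docs/q1.txt", "docs/q2.txt", "docs/notes.txt"):
        gen2[path] = random_bytes(len(gen1[path]))  # constructed "encrypted" replacement
    gen2["docs/new.txt"] = b"brand new file\n"  # new file, ignored by the comparison
    return gen1, gen2


if __name__ == "__main__":
    gen1, gen2 = sample_generations()
    for path, old_e, new_e in entropy_drift(gen1, gen2):
        print(f"{path}: entropy {old_e} -> {new_e}")
    print("quarantine generation 2:", should_alert(gen1, gen2))
```

The check is deliberately cheap (one pass over the file contents, no signatures) so it can sit inside the backup pipeline itself; it does nothing for the exfiltration case billypilgrim raises, and a careful attacker can pad output to lower its entropy, so it is a tripwire for the common case rather than a guarantee.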
[−] billypilgrim 31d ago
Modern ransomware doesn't just encrypt data but uploads it somewhere too; the victim is then threatened with a leak of the data. A backup does not save you from that.
[−] mhurron 31d ago

> all mounted network shares where the user has write permissions

This is very literally what 'basic hygiene prevents these problems' addresses. Ransomware attacks have shown time and again that the way they were able to spread was highly over-permissioned users and services, because that's the easy way to get someone to stop complaining that they can't do their job.

[−] bigfatkitten 30d ago

> It does not.

Yes it does. A little bit of application control, network segmentation and credential hygiene (including phishing resistant MFA) go a long way.

> The problem is, as long as there are people employed in a company, there will be people being too trustful and executing malware,

Why are you letting employees execute arbitrary software in the first place? Application allowlisting, particularly on Windows, is a well-solved problem.

> not to mention AI agents.

Now this is possible only through criminal incompetence.

> And even if you'd assume people and AI agents were perfect, there's all the auto updaters these days that regularly get compromised because they are such juicy targets.

Relatively rare, likely to be caught by publisher rules in application control and even if not, if the compromise of a handful of endpoints can take down the entire business then you have some serious, systemic problems to solve.

> And no, backups aren't the solution either, they only limit the scope of lost data. In the end the flaw is fundamental to all major desktop OSes - neither Windows, Linux nor macOS meaningfully limits the access scope of code running natively on the filesystem. Everything in the user's home directory and all mounted network shares where the user has write permissions, bar a few specially protected files/folders, is fair game for any malware achieving local code execution.

Why are you giving individual employees such broad access to so many file shares in the first place? We’re in basic hygiene territory again.

[−] trollbridge 31d ago
Er… Linux has pretty good isolation of users who don’t have super user privileges.
[−] jamiemallers 31d ago
[dead]
[−] dec0dedab0de 31d ago
> Basic security hygiene pretty much removes ransomware as a threat.

I can't tell if you're being flippant, or naive. There is nothing that removes any category of malware as a threat.

Sure, properly isolated backups that run often will mitigate most of the risks from ransomware, but it's quite a reach to claim that it's pretty much removed as a threat. Especially since you would still need to clean up and restore.

[−] ozim 31d ago
OK I agree basic security hygiene removes ransomware as a threat.

Now take limited time/budget and off you go making sure basic security hygiene is applied in a company with 500 employees or 100 employees.

If you can do that let’s see how it goes with 1000 employees.

[−] pxc 31d ago
It's not often presented as "we should be spending more", but it's absolutely true that cybersecurity is predominated by a reflexive "more is better" bias. "Defense in depth" is at least as often invoked as an excuse to pile on more shit as it is with any real relation to the notion of boundaries analogous to those in the context from which the metaphor is drawn.

The security industry absolutely has a serious "more is better" syndrome.

[−] mapontosevenths 31d ago
Serious professionals use one or more spending models to determine budget.

My favorite is the Gordon-Loeb model[0], but there are others that are simpler and some that are more complex. Almost none imply that the budget should naively grow linearly in lockstep with prevalence.

I think TFA doesn't really mean to imply that it should, merely that there is a likely mismatch.

[0] https://en.wikipedia.org/wiki/Gordon%E2%80%93Loeb_model

[−] zipy124 31d ago
This is a similar fact in government. For instance in the UK with the NHS and other services, we often look at total spending and assume that spending has to stay at least constant in real terms or grow, when in reality you want some metric of spending per outcome.
[−] ninininino 31d ago
Apply that to any other war or arms race. "The fact that the US' defense spending needs to grow linearly with China's is a damning indictment of the mindset of the vast ineffectual mess that is the defense industry".

Do you just expect one side to magically be more dollar-efficient than the other? I'm confused.

[−] aswegs8 31d ago
Was looking for the comment that addresses the clickbait-y headline, found this top comment by you, was not disappointed.
[−] CoastalCoder 31d ago
It seems obvious to me that the only real solution is to penalize the payment of ransoms. For the same reasons one doesn't negotiate with terrorists.

Is there some reason to believe that this isn't the best approach? And if not, then any theories as to why it hasn't been enacted?

[−] shrubble 31d ago
I don't think there is a reasonable correlation, since stopping ransomware doesn't require that much of an increase in spending; it's a culture thing more than a money thing.
[−] pxc 31d ago
Companies spend a ton of money on very sophisticated, powerful, invasive, and expensive software to protect themselves against ransomware.

But the best antidote to many forms of ransomware isn't security software at all— it's offline backups.

Like so much in cybersecurity, an analysis by spending categories like this feels like vendors and their marketing teams driving the discourse. Even if we accept that dollars provide the right lens through which to look at this problem, companies that spend more on making sure they have good backups and good restore procedures aren't going to show up as spending more on cybersecurity in this kind of analysis.

[−] mystraline 31d ago
Well, given that C-levels see cybersecurity as a bad return on investment (read: insurance), I've seen countless numbers of people laid off from these jobs.

So yeah, I'm surprised it's only 3x, and not even more.

A good abliterated local LLM is great at finding dumb exploits and writing ransomware code. And the cybersec professionals? Yeah, they're pivoting elsewhere and gone.

[−] wslh 31d ago
There is a publication making a related point in the DeFi security context: as TVL rises, the incentive to attack rises too, and defenses do not (or cannot) automatically scale with it[1].

[1] https://web.archive.org/web/20240911103423/https://www.bittr...

[−] Frieren 31d ago
Stopping ransomware would be trivial if governments knew where the money goes. But cryptocurrencies and the lax capital controls pushed by the uber-rich make it impossible.

The technology is there and it is used to track the average citizen's every move. But when it comes to rich people, the money goes and comes without control (and without taxation).

Cryptocurrencies are a great solution to enable criminal activity. That is their only use, and they are highly appreciated by terrorists, criminals and dictatorial governments around the world.

[−] addybojangles 31d ago
Company culture, training, resources. Sure, that costs money - but there isn't a direct correlation of the form "spend this to prevent that".
[−] _tk_ 31d ago
I think this article mostly shows that publicly announcing a successful ransoming of a company is now more popular than a couple years back.
[−] CodeCompost 31d ago
Thanks, Satoshi
[−] rbbydotdev 31d ago
I wonder what kinds of market hypotheses you could derive from the game theory here
[−] everdrive 31d ago
If ransomware spending must scale directly with ransomware attacks then I don't see how companies could possibly keep up with the spending. A lot of the "gaps" in cybersecurity are essentially spending problems. Companies want to spend as little on it as they can.
[−] juancn 30d ago
Why should it increase linearly??

If your countermeasures are effective, you would expect sub-linear growth; heck, you should demand it!

The security industry is so fucked up.

[−] rkozik1989 31d ago
Wait until companies try powering their businesses with agentic systems. Then businesses aren't paying a ransom to prevent privacy law lawsuits, but rather they'll be paying a ransom equivalent to the black market value of their business.
[−] flipped 31d ago
[dead]