Tax cuts could help to curb cybercrime - interview


There's no magic bullet to end cybercrime. With losses mounting, governments could start incentivizing businesses willing to protect themselves.

According to the FBI, cybercrime-related losses grew almost three-fold from 2016 till 2020, reaching $4.2 billion last year. There's little doubt 2021 will be another record-breaking year for cybercrime as recent months have been ripe with major high-profile cyber attacks.

The SolarWinds hack, attacks against the Colonial Pipeline, meat processing company JBS, and software firm Kaseya have entered the popular discourse.

Pundits talk of a ransomware gold rush, with the number of attacks increasing over 90% in the first half of 2021 alone. Governments around the globe need to start thinking out of the box, going beyond targeting threat actors.

"There are things that governments can do on the legislative side and the tax side to help companies hire security people and to pay for all those services and hardware and software."

-Rich Murr

According to Rich Murr, a veteran IT security executive at Epicor and an ex-Marine, it might be high time authorities thought of tax cuts for implementing cyber security solutions.

"I think there's definitely room for the government here in the US and the EU, and elsewhere to offer some federal tax treatment that makes it easier for companies to purchase solutions and implement them," Murr told CyberNews.

We fired up a video conversation to discuss whether recent arrests aimed at the leaders of ransomware cartels can turn the tide, and what governments and businesses can do to start punching against a relentless wave of cybercrime.

Authorities targeted several well-known ransomware groups in the last few months with some degree of success. Do you think arrests and sanctions will help to turn the tide?

No, I don't think a few arrests will change the situation. That's nice to see, but it's very easy for hackers to obfuscate their identity and make it unclear what their allegiance is. They're really smart hackers, and in my opinion, they're never going to get caught. The Internet makes it too easy to hide.

There's a push from Western governments for businesses to inform authorities in case of an attack. Why do you think some companies are reluctant to do so?

I'm not sure that all companies are reluctant to do that, but I think those who remain silent don't want that information to get out to their customer base. They don't want to indicate an attack until they feel like they have a handle on the problem and can go back to their customers with facts versus speculation.

Rich Murr
Rich Murr.

What more could governments do to help businesses feel more confident in standing up against cybercriminals?

One of the things that could really make a difference is to make it easier for companies to acquire and implement solutions like cyber intrusion detection and prevention systems.

And I do think the government does have a role to help on the education side and make sure just across the board that we're educating more students who are coming out of colleges, high schools, or trade schools and can take on cybersecurity roles inside organizations.

Yes, every company absolutely should be educating their employees on, for example, how to identify a phishing email, how to respond to it properly, making sure that they're putting in tools that allow blocking malicious emails.

But the heavy lifting is really with the technology team and making sure that there's enough of a skillset to implement and operate what can be very complex systems you defend and remediate those kinds of attacks.

But even technical personnel can fail. Some research shows that inability to communicate between on-prem and off-prem teams leads to breaches.

I think it's possible. However, I'm less concerned about companies having security issues as they transition from on-prem to cloud. Both those solutions can be insecure, and they can both be secure. There's really an effort required to make sure both those environments are understood, the security tools and processes are put in place. But I don't think there's anything inherent about that transition that is insecure.

"I don't think a few arrests will change the situation. That's nice to see, but it's very easy for hackers to obfuscate their identity and make it unclear what their allegiance is."

-Rich Murr

My firm belief is that companies, especially smaller companies on the SMB side that don't necessarily have the resources to secure an environment, they're much better off going into the cloud. I would encourage any company that has security concerns, to take a hard look at the cloud. You're going to be able to move your systems, the data in the cloud and very likely to have a better security experience than if you held them on-premise.

There have been several major attacks against multi-million-dollar companies that were not ready to face a cyber-attack. Do you think small and medium businesses (SMB) can be safe if large corporations don't seem to have the necessary resources to protect themselves?

Companies count on available resources to protect against threats. However, you still have to know how to deploy those resources and have security expertise to implement and operate those solutions. When large companies get attacked, it's typically more sensational, the attacks are more impactful, and they're more likely to make the news.

But I think the best bet for smaller companies is to move to the cloud. When you move to the cloud, you're typically taking advantage of economies of scale as a cloud provider. And cloud providers usually have dedicated security teams. That's not a part-time job for cloud providers.

Number one is cloud. Number two is, even if you're small, have a plan. It's making sure you have somebody assigned to that role that understands and has a really clear set of goals to protect the company's assets and has a credible plan.

A real clear set of tasks they're going to execute to make sure that their on-premise systems are as secure as possible. And I think a lot of SMBs typically need to lean on consultants and vendors for that. They don't often have that skill set in-house.

Critical vulnerabilities in major cloud companies were disclosed this year. How can SMB's feel safe if large companies can't seem to waterproof their systems?

I think what it shows is that you have to assume you're going to be successfully attacked. The approach we take is to prevent the attack. But if it happens, you need to be able to identify and remediate as quickly as possible. Large companies, they're very big, right. And all it takes is one vulnerability for a hacker to get through. That's why it is essential to make a very concerted effort to defend it.

And I think the key is to be able to detect it. There are many excellent tools and tooling out there that, if you implement properly, your security team will see it and be able to remediate it quickly. Where companies really suffer is when they get hacked, and they don't detect it. And that allows a hacker to run free through their environment for an extended period of time.

I think making sure you've got the right team in place and the right technologies and being very vigilant and disciplined around your cyber security efforts is very important.

I do, however, believe in partnership. There are things that governments can do on the legislative side and the tax side to help companies hire security people and to pay for all those services and hardware and software.

But I don't think there's an easy button on this one. It requires a very talented skill set and a lot of hard work to ensure that you take all the steps a company needs to take to test systems and protect data.


More from CyberNews

Security teams are now using open-source intelligence to protect against insider threats

Another record-breaking DDoS attack spotted - Cloudflare

Warfighter exercise will show what would happen if China ordered TikTok to spy on US Military

Governments pay millions for 0days: more harm than good?

The rise of the cobots: robots that collaborate, rather than compete with humans

Subscribe to our newsletter