PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In the latest installment of this series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, examines the circumstances surrounding some of the high profile cyberattacks that have occurred globally, and offers his perspective on the impact and what we can to help ourselves (and the companies we work for) to try and avoid being impacted by online fraud.

By David Dungan

Cybersecurity is a massive industry.

According to a recent report, the global cybersecurity market size was estimated at $245.62 billion (USD) in 2024 and it is projected to grow at a compound annual growth rate (CAGR) of 12.9 percent between now and 2030.

Amid all of this growth, there are a multitude of companies – here in Indiana, across the country, and globally -- that host their own cybersecurity programs. There are those who specialize in everything from incident response, intrusion detection and prevention, to monitoring and more.

With so many programs out there to help us with our cybersecurity behind the scenes, it’s easy to wonder how big companies even get hacked in the first place. After all, they have copious amounts of money with which to buy these security solutions. But perhaps, therein lies the problem.

As we’ve learned, large corporations are appealing to threat actors because they have large amounts of money and assets. Successfully executing a cyberattack on a large company can lead to the loss of critical data from clients, customers, employees, vendors, and associates. In 2024, according to the FBI’s Internet Crime Complaint Center, reported losses due to cybercrime in the United States reached a record $16.6 billion; that’s a 33 percent increase from the previous year. In the same report, it was noted that there were 859,532 complaints, with the most significant losses reported in cases involving investment fraud, particularly involving cryptocurrency – totaling more than $6.5 billion!

Therefore, despite the risks of trying to hack a large company, there are additional rewards that are very appealing to threat actors, including:

• Personal customer data, which may contain names, addresses, login information, payment information, or even social security numbers and/or someone’s date of birth.
• Access to other companies, especially if the initial hack impacted a well-known distributor or vendor.
• Free use of the companies’ own tools and public facing information, such as websites.
• Logs and private information that could be used to negatively impact the company or organization.

The most common hacks on large companies are credential theft or known vulnerability exploitation. Credential theft happens when a trusted individual within an organization has their credentials stolen by a threat actor, allowing the threat actor to take actions that require elevated privileges. Credential attacks can be disastrous and represent the reason why many high-level organizations are adamant about relying on the practice of using secure credentials that are regularly changed.

Known vulnerability exploitation is another risk to large companies. Hackers exploit known vulnerabilities by finding out what systems a company uses. From there, they invest their efforts in discovering what vulnerabilities that system has had in the past. Then, they test these vulnerabilities against the systems, seeing if the company has yet to patch them. Large companies, especially ones that have thousands of devices in use across their organization, are prone to these types of attacks; after all, it’s exceedingly difficult and expensive to ensure every single last device is properly protected.

Large companies may seem like the paragon of security. However, with so much to look after, it can and is difficult to fill every crack. The next time you see a crazy password requirement, or an expectation to use multi-factor authentication (MFA), you can think about the outcomes of a credential attack, and, perhaps, take it in stride and it'll be easier than you think. In fact, there's a few (relatively easy) steps you can take to help you avoid trouble.

After all, it’s the resources of this massive industry that works day (and night) to keep you and your company as well protected as it can be in today’s ever-changing threat environment!