
Sisyphus is still pushing that rock

My New Year’s wish is to see us refocus and lighten our load


In early 2020 I started writing about cybersecurity issues in these pages, beginning with the following statement:

“Every year organizations everywhere, including credit unions and the world’s most sophisticated companies, increase their investments in the best firewalls, industry-leading antivirus software, strong cybersecurity education programs, and top cyber talent, all to create robust defense policies and monitor their infrastructures. Yet these companies constantly experience intrusion events attributed to malware that compromise their reputations and threaten their business models.”

At the time I asked, how is this possible? I’m still asking, five years later.

Too little has changed, other than the volume of successful attacks—they’ve grown greatly. More businesses, including credit unions, are reporting successful intrusions, compromised operations, and expensive repairs. In 2024, news sites, including credit union focused ones, reported on more breaches, larger impacts, and greater costs than in any past year. And all of us continue to receive the “now no longer new” formal notice of data breach letter from all sorts of organizations we do commerce with, including credit unions.

The dreaded data breach letter satisfies a legal/regulatory requirement but provides little comfort. Because, in part, we’ve failed to address “access and software memory security”, we’ve entered the age of legally mandated notifications of system breaches and data compromise, encryption, or worse—data extraction. So now we receive the notice that our trusted provider has failed to protect their systems and our data but is making every effort to reduce the risk of this type of incident occurring in the future, including enhancing technical security measures.

But no comfort comes with the free offer. The providers have failed but they assure us they will do better. And they want us to know they have no clear evidence our data is being used to harm us but, just in case, “here’s a free 12-month subscription to a credit monitoring service.” I feel safer, don’t you?

I was certain, back in 2020, that system breaches and customer data loss would lead to enough customer angst or exit that organizations would be driven to do better work, to find answers to vulnerable systems and software.

But I was wrong. I believed system breaches and compromised data or data extraction would cause more than enough damage to drive significant efforts to cure software access and software memory weaknesses, to drive organizations to do better.

Rather, we see ransomware and other breach outcomes leading to more and more...

  1. Loss in customer trust, even if inertia and malaise keep customers from moving. After all, where can one go to when it appears all organizations are failing at security?
  2. Loss in productive commerce, service downtime, locked out customers, and more, as organizations remediate breach damage.
  3. Loss in income from both lost commerce and costs to remediate security failures, to repair the operational damage.

I was wrong, but why? I was wrong, but not because we have made too little investment or too little effort. I was wrong because we have let ourselves become lost in this unequal fight. We are expending energy everywhere, but not effectively, and not where it’s most needed.

We need to FOCUS on the software specifically because we are in this unequal fight. We spend our resources (time, money, operational focus) on working to secure our entire environments. But the fight with the intruders is unequal because the attack area is huge; and we never want to be breached. And we are expected to be “right” one hundred percent of the time; but the bad guys need only be right ONCE.

So, it’s time we turn our attention to application controls and software memory protection—the subject I looked to first in 2020. I recently sat in a virtual seminar listening to security experts debate this topic. There were many attempts to answer this question, but the one that resonated with me, and that all speakers agreed upon, came from a security software developer who shared, “because we have so much to do, we operate with diluted focus and, in the areas of software access and security, we fail to understand that ‘it’s the software, stupid!’”

I open 2025 hoping to see a greater effort by the organizations I do commerce with to manage software access and to protect software memory, to prevent malware from running unwanted code.

I open 2025 with the wish that organizations will finally focus on protecting their software from unwanted code running within it. And how can they do that? By demanding a solution(s) for endpoint and application protection that doesn’t mimic the failings of traditional solutions (the ones you use now). How are they failing you? They only work if they know:

  1. About every vulnerability for every application on the system,
  2. Every attack method against that vulnerability that has been previously used, and can
  3. Add additional signatures for new, anticipated ways intruders can take advantage of a vulnerability.

I hope to close 2025 seeing organizations moving to the kind of endpoint and memory protection solution I’ve written about since 2020, one that offers robust protections by:

  1. Providing pre-configured application control policies designed to protect against a wide range of attack vectors. These policies should be designed to stop any unwanted software from executing, including the malware that initiates the loading of a malicious driver. 
  2. Providing monitoring and control for the behavior of applications in real-time, based on a history of known "good" actions. If an attacker tries to inject malicious code into a legitimate application's memory, the solution should detect and block the unauthorized activity, preventing the attack from succeeding. These policies are designed to stop any unwanted software from executing, including the malware that initiates the loading of the malicious driver. 
  3. Providing robust self-protection built into every running application that cannot be turned off by stopping a handful of processes running on the system.
  4. Providing seamless integration with existing endpoint security solutions, such as antivirus and EDR products. This would provide an additional layer of protection without disrupting the existing security infrastructure, ensuring that the organizations’ security postures are strengthened without adding undue complexity.

I hope the Sisyphean task I’ve taken on, the continuing effort to show the need for better application controls and software memory protection, will be lightened this year. I hope that more organizations will demand better solutions. I hope they will bring more focus to the problems they can better control, the problems found in their own software and its management. Here’s to a more cybersecure 2025.

Greg Crandell

Query Consulting Group