Over a Year of Log4j Lingering: Why We Need to Stop Viewing High-Severity Breaches as Anomalies


More than a year after the news broke in December 2021, the Log4j vulnerability, or Log4Shell to some, remains one of the most prolific cybersecurity incidents of our time. Still causing chaos for many organizations, it has painted a less than perfect picture of the current cybersecurity landscape that calls for urgent action. Fast forward to 2023, Log4j is no longer an anomaly and it’s time we stopped viewing it, and the others that will inevitably follow, as such. That said, it’s not all doom and gloom. There are signs of progress and reasons to be optimistic about the future of our industry. 

The Perfect Cyber Storm

The number of security vulnerabilities reached over 23,000 by the end of 2022, breaking the record of 20,000 the year before. A troubling statistic but not an unexpected one when you consider that, according to research from Rubrik Zero Labs, global businesses have experienced a cyber-attack on average almost every week over the past year. 

The reality is that data is expanding in volume, with the annual compound growth rate of data creation projected to be 23% per year. The impact of more data and more vulnerabilities colliding creates the perfect surface area for cyber-criminals looking to make a quick buck. What’s more, businesses’ confidence in their ability to recover from an attack is at an all-time low. The vast majority (92%) of organizations surveyed in the Rubrik Zero Labs research are concerned about maintaining business continuity during and after a breach. 

It’s also impossible to ignore the global cyber skills shortage here, which now stands at 3.4 million workers worldwide. It is the talent shortage, rather than technology, that is the primary challenge hampering businesses in adequately responding to this complex landscape. A low number of skilled cybersecurity professionals equates to a prolonged time in identifying and addressing threats, such as Log4j, and is likely to continue being part of the cybersecurity puzzle for years to come.

Cybercrime is also becoming an economy of its own with the rise of ransomware-as-a-service (RaaS), driven significantly by cyber gangs like Conti. A variation of malware-as-a-service (MaaS), RaaS is a business model based on malware developers leasing out ransomware and its control infrastructure to other cyber-criminals. Clearly, there is (illegal) money to be made here. And the more money there is, the more incentive there is to create and exploit vulnerabilities.

Anomalies No More 

Although high-severity breaches like Log4j receive significant media attention, previously known vulnerabilities remain the main cause of chaos in businesses. In fact, according to Rubrik Zero Labs, two-thirds of cyber-attacks weren’t new and leveraged a previously-known vulnerability. 

Ultimately, organizations are fighting a compounded challenge: both the new vulnerabilities that appear every year and those from previous years that remain active and may not have been adequately addressed. If the decks aren’t cleared each time vulnerabilities are discovered, it’s no surprise we’re discussing them on their one-year anniversaries and anniversaries after that. 

Regardless of whether attacks make a splash in the news or not, vulnerabilities like Log4j should no longer be seen as an irregularity. Instead, we should think of them as a collective issue, so that we can address the long tail of these threats more effectively. Data breaches remain the top perceived threat for security leaders this coming year. Therefore, any enterprise should make it a priority to fully understand its data: how and where it’s growing, how it’s likely to be targeted and how to recover it should an attack happen.

Step in the Right Direction

While some high-severity vulnerabilities still make headlines, there are some positive trends. 

Firstly, cybersecurity – or more specifically, cyber incidents – is no longer a taboo topic. A decade ago, it was very rare that any company would disclose that it had been compromised, out of fear of public shame and customer and revenue loss. The lack of communication among industry peers meant we weren’t addressing issues as a wider community. Nowadays, whilst regulation has forced many businesses to disclose cyber incidents with the threat of fines, there is a general feeling of increased transparency and recognition that a problem exists. Moreover, a data breach has become a board-level topic – something unthinkable even five years ago. This is a positive move because a true organizational change can only happen if senior team members lead through said change.

In response to the global talent shortage, cyber education is a completely different world compared to when many current security leaders were starting out. We have seen more academic institutions offering cybersecurity programs and more workforce initiatives to train and retrain professionals. Consequently, there will be more knowledgeable and skillful cybersecurity experts in the near future. 

Finally, many vendors have already begun putting security first when developing new technologies, so businesses have an increasing level of choice when looking at ways of protecting themselves. While it does not guarantee perfect protection from the ever-evolving cyber risks, it’s undeniably a step in the right direction.

It’s fair to say that we won’t see the back of vulnerabilities like Log4j for some time and high-severity breaches are no longer limited to one day. So we need to start viewing them in that way. Yet, there are reasons to be optimistic about where the industry is headed – more visibility, discussion and collaboration on these issues will only produce a positive impact.
