“Cyber security is much more than a matter of IT”
The view of Stephane Nappo, former Global Chief Information Security Officer for French retail bank Société Générale. Nappo was correct in his analysis, because cyber security is now considered everyone’s responsibility. From the most junior employee to the most senior executives and board members, security is everyone’s problem.
Business leaders today are right to view cyber crime as one of the primary risks and are pushing it higher up the urgent priority list because of hybrid working practices, the number of hackable devices we use every day, and the exponential growth in the criminal’s desire to hack into as much of our lives and businesses as possible.
Whether it’s social engineering, cloud misconfiguration, crypto mining, ransomware, or trojans, cyber-criminals are out to try to find a way in. The cost of cyber crime is predicted to hit $10.5 trillion by 2025, according to the Cisco 2022 Cybersecurity Almanac.
It comes as no surprise that security awareness training for employees, previously one of the most underspent cyber security budget items, is now predicted to reach $10 billion by 2027.
Businesses need to consider cyber security as part of an all-encompassing C-Suite strategy. According to business analysts Gartner, it should sit within the “social” pillar of ESG, in order to reduce the societal impact of cyber security incidents.
While every organisation’s needs are unique, every business also faces the potential threat of a cyber breach. Vendors, suppliers, customers, employees and investors can all add to the potential risks, and to the pressure on senior leaders and their organisations to do everything possible to ensure no threats are successful.
The Threat Landscape
Remote Working & Endpoints
The global coronavirus pandemic has changed the way we work. It’s created workforce flexibility and for some a better work/life balance as more employees work from home, more often. But the shift to remote and ultra-flexi working has also created an increased threat from cyber crime.
Home offices are less protected than those in the workplace which have more secure firewalls and routers. Centralised offices have access management run by IT departments with expertise in cyber security which is lacking in many homes.
Employees have multiple devices, some provided by their employers, others using personal devices. This can blur the lines between work and home life, increasing the risk of sensitive information falling into criminal hands.
Where organisations previously sought to ensure that their internal networks were secure, the shift to flexible working has opened new corridors for criminals to explore.
As the world increasingly moves to digital, one successful avenue for cyber-criminals is internet-enabled devices. From fitness trackers to smart watches and voice assistants like Apple’s Siri, Amazon’s Alexa and Google Home, more and more devices are internet enabled.
With this huge increase, the number of entry points for criminals – sometimes called the cyber attack surface – is growing rapidly.
With the increased attack surface, the threat from ransomware has grown. Ransomware has been increasing and made history in 2020 by contributing to the first reported death relating to a cyber attack. It followed an incident at a hospital in Germany, which was locked out of its systems and was unable to treat patients.
Here in the UK, in August 2022, an attack against NHS 111 resulted in a significant UK-wide systems outage of its Adastra system. The incident meant staff had to revert to pen and paper to keep services going.
The rapid spread of remote working caused by the pandemic led to an equally rapid and widespread adoption of cloud-based services and infrastructure, creating security implications with additional potential entry points for attackers. It has also increased the insider threat caused by unauthorised remote access, misuse of personal devices, unsecured networks and weak passwords.
While social engineering attacks like phishing are not new, the shift to remote working where colleagues see less of each other, has added to the threat. Attackers focus on individuals working from home who connect to employer networks because they are easier targets.
There’s been a significant rise in ‘big phishing’ or whaling attacks, also known as CEO-fraud, which trick senior figures at an organisation into transferring money or revealing data by spoofing emails of another senior figure.
Toy giant Mattel almost lost $3m as a result of a senior executive receiving an email from a fraudster purporting to be their new CEO.
Often the email looks like it’s from a believable source, and may even have the correct logos and telephone numbers on it to convince unsuspecting individuals.
SMS phishing, where criminals try to trick users into downloading malware, is also on the rise, as is voice phishing, where hackers pose as staff members in order to get other employees to provide access to internal systems. SIM jacking is rising too: fraudsters gain access to the digital contents of a target’s phone by convincing mobile operators that the target’s SIM card has been hacked.
Crypto mining is often favoured by criminals for low-key revenue generation. They find a way into an organisation’s environment and set up a miner to take passive income. But this can often serve as a gateway into more serious forms of cyber crime, gaining access to data or more malicious activity.
According to Cisco, 69% of organisations experience some level of crypto mining, and at least 86% of organisations report having had at least one user try to connect to a phishing site.
How do organisations cope with the increasing number and types of malicious cyber attacks? And what’s the best approach, since more than 85% of attacks start with the human factor?
One of the biggest security trends in 2022 is the growth of Security-as-a-Service. Instead of building up firewall solutions, many businesses are opting to hand over their security to a managed security service provider.
This means that a tailor-made solution can be designed according to the needs of the organisation and managed by a team of technological experts.
Multi-Factor Authentication (MFA)
MFA means organisations can better protect data and control access to it.
According to Gartner, cyber security is turning into a social phenomenon, with investor interest, public pressure, employee demands and governmental regulations increasing the incentives for organisations to track and report cyber security goals and metrics within their environmental, social and governance (ESG) efforts as a business requirement.
Gartner research also shows that 88% of boards regard cyber security as a business risk, not just an IT problem, and by 2026 at least 50% of C-suite execs will have cyber security performance requirements built into their employment contracts.
The same research suggests that customers are becoming more interested in, and concerned about, the cyber security stance of organisations they do business with. It’s likely that senior leaders will, as a growing trend, be asked to develop goals and metrics to demonstrate an organisation’s commitment to reducing the social issues that may arise from cyber security incidents, such as data breaches of customer information.
Organisations are now offering cyber security training to their employees as part of a strategy to highlight the different techniques and scams they could face.
According to Cybersecurity Ventures, the global market for security awareness training for employees is predicted to reach £8.5bn (US $10bn) by 2027. But, as with other training, employees often forget, so regular and updated refresher courses will add to this total in the decades to come.
Cyber security mesh
The cyber security mesh is an approach to security architecture which is gaining traction. It enables a distributed enterprise to deploy and integrate security to assets, whether on premise, in data centres, or in the cloud. Gartner forecasts that organisations adopting a security mesh will reduce the financial impact of security incidents by up to 90%.
Identity system defence is one of the biggest upward trends. The misuse of credentials is now a primary method for attackers to access systems and achieve their goals. One of the biggest recent such incidents involved the software company, SolarWinds, which in December 2020 became aware of a supply chain attack on one of its systems.
The attackers added malware to the supplier’s software, which then infiltrated 18,000 government and private organisations. It was discovered by an alert security operator who wondered why an employee wanted a second phone registered for MFA.
Emerging breach and attack simulation tools can also be used to continuously explore and test security defences. Threat hunting is the practice of searching for cyber threats that are undetected in a network. It involves looking deep into an organisation’s systems to find malicious actors that have slipped past initial endpoint security defences.
As a result of the increase in the number and types of attacks, and the cost to business and to people’s security, another trend we’re likely to witness is cyber security regulations being continually toughened up by governments around the world.
With International Data Privacy week.
The cyber threat landscape has grown significantly in recent years, as we’ve outlined in detail above. More criminals are using an expanding range of tactics to get in through a growing number of cyber doors in order to cause havoc, steal data, extort cash and worse.
Organisations are investing heavily to stay one step ahead because one small slip can cost a great deal of time, lost data and money.
But while the tactics used by the criminals to defy our systems get better, so do the solutions, as we have also outlined. Technology is helping to fill the gap, including automated security systems using AI and machine learning to assist humans in putting up security barriers, searching for hidden threats and reducing costs.
These can help organisations to protect their critical assets, perimeters and networks. Every business will need to ensure the solutions are designed to match their requirements and budgets and every business needs to decide how much to invest and how it is to invest in protecting systems, data, finances and employees from the risk of cybercrime.
As part of our support for International Data Privacy week we want to play our part in educating customers and have a number of resources you can take advantage of. I have listed a few of these below in case they are of interest.
Test who in your organisation would respond to a socially engineered phishing attack and benchmark your results. We also offer leading Staff Cyber Awareness training from KnowBe4 to ensure your organisation has taken steps to educate staff and mitigate the major risks to your organisation.
We have a series of quick guides that provide an overview of the risks, challenges and solutions that can be implemented to strengthen security posture and repel cyber-attacks.
In partnership with leading security vendor Fortinet, we offer a simple and straightforward way to identify your current vulnerabilities and areas that may require prioritisation or remediation.
To take advantage of any or all of these, click the links above or get in touch to discuss any of these further.