With a plethora of high-profile hacks saturating the media, Andy Heather, managing director EMEA at Centrify, highlights why for the most part, cyber-attacks don’t actually stem from a group of well-orchestrated professionals, but weaknesses within your organisation.
You would be hard-pressed to find anyone in the Western world who has not been caught up in the infinite cycle of upgrading cyber software and replacing hardware, year after year.
However, contrary to popular belief, it takes a lot more than state of the art technology to remain a step ahead of cyber criminals and increasingly sophisticated cyber-attacks, which take place every minute of every day, affecting any and every organisation or individual.
Whether the victim is a business or charity, CEO or celebrity – anyone can become a target, often when they least expect it.
Cyber-attacks are one of the most ruthless forms of digital crime, affecting millions every year. Often completely anonymous, cyber criminals can bring down entire IT systems, expose data affecting mass amounts of people across the globe, and cost companies millions in the subsequent clean up.
One of the most prominent examples of a wide scale cyber-attack is the one which was carried out on ride-hailing firm Uber in 2017.
This hack exposed the names, email addresses and mobile phone numbers of around 57 million customers, and 600,000 drivers had their names and license details compromised.
As a result, Uber controversially paid the hackers’ the initial ransom demand of $100,000. Then, in September 2018, reports confirmed that because they attempted to cover this up, they will pay an additional £133 million in total to settle all legal action and fines that came in the aftermath of the attack.
It’s clear that these cyber threats will not go away anytime soon. It has been predicted that global cyber-crime damage costs will hit a total of $6 trillion annually by 2021 – a huge increase on the estimated $600 billion that it cost in 2018.
This drastic increase completely contradicts the increase in budgets that is allocated for cybersecurity each year.
In fact, despite spending over $114 billion in 2018, this budget is expected to increase by just less than 10% for 2019, and global cybersecurity expenditure has been predicted to hit $1 trillion in total by 2021.
The reason for this sharp contradiction between the increase in cyber spend and quantity of cyber-attacks is actually relatively simple; business leaders are failing to understand that cyber attacks come in many different forms.
Of course, the media paints the image that cyber attacks are a result of teams of well-trained, often international professionals, who can hack into the network of any organisation which has not invested heavily in external cyber-attack prevention measures, including malware protection software.
The reality is that phishing attacks and compromised passwords are the far less glamorous, but significantly more prevalent causes of a data breach on an organisation.
Attackers no longer “hack” in – they log in using weak, stolen, or otherwise compromised credentials, which we sometimes unknowingly give them for free.
These issues must be fully understood and acted upon. In order to effectively improve safety measures as we head further into 2019, business leaders must open their eyes to the reality that the enemy often lies within the organisation.
Take the recent data breach on EE for example – an employee exploited access to confidential customer information and used said details to ‘stalk’ an ex-partner.
This led to huge repercussions in the press for the mobile network provider and underlines worryingly, the ease at which any employee can access sensitive information for, presumably, millions of customers.
To stay ahead of the game, companies must adopt a Zero Trust approach. This is an outlook which assumes every user in a company’s IT system is a potential security risk, therefore everyone must be treated equally – as untrusted.
Until they can pass certain verifications in order to maintain company efficiencies, organisations must move beyond simple usernames and passwords and adopt additional measures of verification, such as single sign-on, multi-factor authentication, smart cards, and more.
For example, after logging in with a username and password, the person requesting access could then be requested to do a secondary verification on something they are known to have, such as a mobile phone. A simple text code or verification swipe across the screen adds a second “factor” to which their identity can be tied to and verified.
This can be taken multiple steps further, such as looking for things like geo-velocity. If a user logs in on a PC in New York and then five minutes later attempts to log in on a mobile phone from London, you know something is amiss.
Machine learning can identify and learn from abnormal behaviours to challenge when more risk is present in the access request.
Some systems can even log user activity, so any leak which initiates a possible cyber-attack could be traced back to the specific user – sparking just the right amount of paranoia in an organisation to dissuade any employee from illegally selling sensitive company data.
And, of course, while the end goal is to harden the security posture of the organisation in a modern threatscape with increasing attack surfaces, it’s also important not to just throw up roadblocks for users at every turn.
With many current cybersecurity solutions, business productivity and agility can actually be enhanced, making it a valued business enabler.
Moving forward, business leaders and employees must adapt their attitude to the ever-increasing cyber threat and adopt a cohesive strategy to introducing internal, as well as external, cybersecurity measures as well.
This will ensure that there is no particular ‘weak spot’ in a company’s IT infrastructure, which should discourage cyber criminals from even attempting a data breach or attack in the first place.
