Cyber security is a crucial component of IT that every organisation needs to take into account all year round – not just for a day when big breaches hit the headlines and act as a reminder of the potential risks. Despite this, Cyber Security Month serves as a good opportunity to reflect on the threats that individuals and businesses need to be aware of in the digital age, whether they’re traditional or new and emerging attack methods.
With businesses embarking on their biggest digital transformation journeys yet and innovations in emerging technologies heating up, the way we live, work and play is continuing to transform. As a result, the attack surface that hackers can exploit is significantly expanding. So, this Cyber Security Month, industry experts have come together to highlight a selection of the biggest threats organisations should be aware of, and what policies and security processes can be put in place to reduce serious risks and consequences.
According to Russell Haworth, CEO, Nominet, “The last 25 years have seen more and more elements of our daily lives shift over to the online world, bringing about vast benefits for businesses and citizens alike. But unfortunately, with progress comes risk. For example, our research found that 77% of Brits think they know enough to stay safe online, and 41% think it’s unlikely they’ll be victim to a cyber-attack in the next 12 months.
“While it’s encouraging that many Brits feel they know enough to stay safe, the assumption that cyber-attacks simply won’t affect them is dangerous. Too many of us are still not following even basic security advice, with just under a quarter admitting they didn’t change their password when a provider suffered a breach. In fact, quite astonishingly, recent National Cyber Security Centre breach analysis found that 23.2 million victim accounts still used a 123456 password. This poses obvious risks to the individual, but it is when employees bring this same attitude to cyber security to the workplace that the issue can really escalate.
“Cyber Security Awareness Month is a perfect opportunity to raise awareness of the associated cyber risks we face, but it’s important that everyone follows continual cyber security best practice to protect themselves and businesses from online threats.”
Rich Turner, SVP EMEA, CyberArk explains, “Businesses of all stripes are embracing digital technologies and processes to deliver products and services to market faster. But the ‘need for speed’ and consequent shorter feedback loops introduce a host of new risks which must be priced into the overall package. Our recent Global Advanced Threat Landscape report indicated that less than half of organisations have a strategy that helps secure, control, manage and monitor privileged access to new workflows and technologies such as DevOps, IoT and RPA – technologies foundational to digital initiatives. The net result is a much bigger chance that sensitive data and assets can be breached through compromising these unprotected privileged credentials.”
Turner continues, “The issue is that as they adopt these technologies, organisations are increasingly operating in cloud-first environments. This removes a natural security barrier – access is no longer limited to the network, and the perimeter is no longer defensible. To counter this, security strategies must shift to protecting the business’s most important information from within. Zero Trust security models are making this possible: they trust nothing and verify everything, whether it comes from inside or outside the network perimeter, before granting access. By practising defence-in-depth and incorporating privileged access security controls at the core of their strategy, organisations can drive down risk while maintaining business velocity.”
One of the biggest risks posed to UK organisations as a consequence of digital transformation is ransomware, according to Chris Huggett, SVP, UK and India, Sungard Availability Services. “As well as being an effective tool for cybercriminals to extort money and cause business disruption, the ability for ransomware to exploit individuals on a psychological level has enabled it to become a major source of disruption,” explains Huggett.
“While feelings of guilt and responsibility may plague the end-user unknowingly deceived into creating an exploit, a similar or even higher level of stress is likely to be felt by a public-facing executive who must answer to a disgruntled customer base in response to a data breach or service outage. In fact, recent research has revealed that over half (54%) of C-level executives in the UK have suffered from stress-related illnesses and/or damage to their mental well-being as the result of a technology crisis.”
Dave Palmer, director of technology, Darktrace, echoes Huggett’s thoughts in explaining that traditional attack methods should still be a primary concern for businesses, in particular phishing attacks. “Despite hackers becoming increasingly sophisticated in their attack methods, traditional strategies such as phishing and social engineering are still widely used and often successful,” says Palmer.
“In fact, 90% of malware today originates in the inbox, disguised within phishing emails whose senders impersonate trusted colleagues, and nearly three-quarters of targeted cyber-attacks involve ‘spear-phishing’ emails.
“For this reason, any organisation should take Cyber Security Month as an opportunity to think about implementing processes that will aid them in detecting and preventing spear-phishing campaigns, such as programmes for staff education, as well as adopting a platform approach to cyber defence – as opposed to siloed, email-specific solutions. There is no silver bullet for countering these kinds of attacks, regardless of how robust perimeter-oriented protections become. Rather, we must employ our own solutions to secure our digital assets from the inside-out.”
But as well as these traditional methods, new forms of attack are on the rise, and the stakes are even higher, not just for individuals and organisations, but for entire nations. Paul Dignan, systems engineering manager, F5 Networks says, “We have now entered a new, critical phase of cyber warfare – one where hackers act on behalf of nation-state powers to not only disrupt critical infrastructures, but also actively seek trade secrets. Worryingly, the recent Verizon Data Breach Investigations Report (VDBIR) notes a sharp uptick in nation-state attacks, from 12% of all analysed breaches to 23% in the past year. A quarter of breaches are currently influenced by cyberespionage too. New battle lines have been drawn across the world and organisations need to tool up accordingly.
“The issue, which is one that needs to be considered, not only this month but for the foreseeable future, is that the number of state-sponsored attacks is only going to rise with the imminent impact of new trends that will expand attack surfaces for hackers, such as 5G and IoT. A range of new technologies are emerging to help fight back, such as AI solutions to analyse all traffic in real-time and spot anomalies that were previously out of sight. But whatever the technology mix looks like, the priority is to apply security at every level and on every surface: endpoint, application, and infrastructure,” concludes Dignan.
But when implementing security measures to defend against these traditional, new and evolving threats, Mark Grainger, VP Europe at Engage Hub, believes businesses need to keep the customer front of mind.
“A crucial priority is providing an engaging and streamlined customer experience. One of the main challenges posed by enhanced security is that it usually requires additional steps and hoops that customers need to jump through,” Grainger comments.
He adds, “An important aspect banks might want to consider when it comes to improved security and speed is biometric authentication. Many banks are already using fingerprint ID for mobile banking apps, and facial recognition is gaining traction too. In fact, studies show that the global facial recognition market is expected to grow from $3.2bn in 2019 to $7bn by 2024.”
Tim Hickman, partner at White & Case, highlights that, “The financial and reputational consequences of failing to implement appropriate cyber security measures can have a severely detrimental effect on businesses. Companies that are affected by a cyberattack do not always incur a fine. However, penalties are more likely to be imposed if it becomes apparent that a business has inadequate cyber security measures in place. Once a successful cyber-attack becomes public knowledge, customer and market confidence in an organisation can take a real hit.”