Businesses are embarking on their biggest Digital Transformation journeys yet, as innovations in emerging technologies heat up and continue to transform the way we live, work and play.
But organisations can’t put cybersecurity on the backburner amongst the hype for seemingly bigger and better things. Implementing new technologies like Artificial Intelligence (AI) and adopting an increasing number of IoT devices significantly expands the attack surface and number of entry points that hackers can exploit.
This Cyber Security Month, industry experts have come together to highlight a selection of the biggest threats organisations should be aware of and what policies and security processes can be put in place to reduce serious risks and consequences.
According to Russell Haworth, CEO, Nominet, the last 25 years have seen more and more elements of our daily lives shift over to the online world, bringing about vast benefits for businesses and citizens alike. But unfortunately, with progress comes risk.
“For example, our research found that 77% of Brits think they know enough to stay safe online and 41% think it’s unlikely they’ll be victim to a cyberattack in the next 12 months,” he said.
“While it’s encouraging that many Brits feel they know enough to stay safe, the assumption that cyberattacks simply won’t affect them is dangerous. Too many of us are still not following even basic security advice, with just under a quarter admitting they didn’t change their password when a provider suffered a breach. In fact, quite astonishingly, recent National Cyber Security Centre breach analysis found that 23.2 million victim accounts still used a 123456 password. This poses obvious risks to the individual, but it is when employees bring this same attitude to cybersecurity to the workplace that the issue can really escalate.
“Cyber Security Awareness Month is a perfect opportunity to raise awareness of the associated cyber-risks we face, but it’s important that everyone follows continual cybersecurity best practice to protect themselves and businesses from online threats.”
Rich Turner, SVP EMEA, CyberArk, explains, “businesses of all stripes are embracing digital technologies and processes to deliver products and services to market faster. But the ‘need for speed’ and consequent shorter feedback loops introduce a host of new risks which must be priced into the overall package. Our recent Global Advanced Threat Landscape report indicated that less than half of organisations have a strategy that helps secure, control, manage and monitor privileged access to new workflows and technologies such as DevOps, IoT and RPA – technologies foundational to digital initiatives. The net result is a much bigger chance that sensitive data and assets can be breached through compromising these unprotected privileged credentials.”
Turner continues, “the issue is that as they adopt these technologies, organisations are increasingly operating in cloud-first environments. This removes a natural security barrier – access is no longer limited to the network, and the perimeter is no longer defensible. To counter this, security strategies must shift to protecting the business’s most important information from within. Zero trust security models are making this possible: they presume trust nothing and verify everything, whether it comes from inside or outside the network perimeter, before granting access. By practicing defence-in-depth and incorporating privileged access security controls at the core of their strategy, organisations can drive down risk while maintaining business velocity.”
One of the biggest risks posed to UK organisations as a consequence of Digital Transformation is ransomware, according to Chris Huggett, Senior Vice President, UK and India, Sungard Availability Services.
“As well as being an effective tool for cybercriminals to extort money and cause business disruption, the ability for ransomware to exploit individuals on a psychological level has enabled it to become a major source of disruption,” explains Huggett. “While feelings of guilt and responsibility may plague the end-user unknowingly deceived into creating an exploit, a similar or even higher level of stress is likely to be felt by a public-facing executive who must answer to a disgruntled customer base in response to a data breach or service outage. In fact, recent research has revealed that over half (54%) of C-level executives in the UK have suffered from stress-related illnesses and/or damage to their mental well-being as the result of a technology crisis.”
Dave Palmer, Director of Technology, Darktrace, echoes Huggett’s thoughts in explaining that traditional attack methods should still be a primary concern for businesses, in particular phishing attacks. “Despite hackers becoming increasingly sophisticated in their attack methods, traditional strategies such as phishing and social engineering are still widely used and often successful,” says Palmer. “In fact, 90% of malware today originates in the inbox, disguised within phishing emails whose senders impersonate trusted colleagues and nearly three-quarters of targeted cyberattacks involve ‘spear-phishing’ emails.
“For this reason, any organisation should take Cyber Security Month as an opportunity to think about implementing processes that will aid them in detecting and preventing spear-phishing campaigns, such as programmes for staff education, as well as adopting a platform approach to cyberdefence – as opposed to siloed, email-specific solutions. There is no silver bullet for countering these kinds of attacks, regardless of how robust perimeter-oriented protections become. Rather, we must employ our own solutions to secure our digital assets from the inside-out.”
But as well as these traditional methods, new forms of attack are on the rise and the stakes are even higher, not just for individuals and organisations, but for entire nations. Paul Dignan, Systems Engineering Manager, F5 Networks says, “we have now entered a new, critical phase of cyberwarfare – one where hackers act on behalf of nation-state powers to not only disrupt critical infrastructures but also actively seek trade secrets. Worryingly, the recent Verizon Data Breach Investigations Report (VDBIR) notes a sharp uptick in nation-state attacks, from 12% of all analysed breaches to 23% in the past year. A quarter of breaches are currently influenced by cyberespionage too. New battle lines have been drawn across the world and organisations need to tool up accordingly.
“The issue, which is one that needs to be considered, not only this month but for the foreseeable future, is that the number of state sponsored attacks is only going to rise with the imminent impact of new trends that will expand attack surfaces for hackers, such as 5G and IoT. A range of new technologies are emerging to help fight back, such as AI solutions to analyse all traffic in real-time and spot anomalies that were previously out of sight. But whatever the technology mix looks like, the priority is to apply security at every level and on every surface: endpoint, application, and infrastructure,” concludes Dignan.
But when implementing security measures to defend from these traditional, new and evolving threats, Mark Grainger, VP Europe, at Engage Hub, believes businesses need to continue to have the customer front of mind. “A crucial priority is providing an engaging and streamlined customer experience. One of the main challenges posed by enhanced security is that it usually requires additional steps and hoops that customers need to jump through.” Grainger reflects on banking customers, adding that, “an important aspect banks might want to consider when it comes to improved security and speed is biometric authentication. Many banks are already using fingerprint ID for mobile banking apps and facial recognition is gaining traction too. In fact, studies show that the global facial recognition market is expected to grow from US$3.2bn in 2019 to US$7bn by 2024.”
Tim Hickman, Partner at White & Case highlights, “the financial and reputational consequences of failing to implement appropriate cybersecurity measures can have a severely detrimental effect on businesses. Companies that are affected by a cyberattack do not always incur a fine. However, penalties are more likely to be imposed if it becomes apparent that a business has inadequate cybersecurity measures in place. Once a successful cyberattack becomes public knowledge, customer and market confidence in an organisation can take a real hit.”
Hickman concludes, “The best strategy for protection is in having a thorough understanding of the threat landscape that your organisation faces and the increasingly sophisticated nature of attackers out there. It is essential to recognise the vulnerabilities in your organisation’s IT infrastructure and identify high-value assets and data, so that appropriate policies and protective measures can be put in place.”