‘Work from anywhere’ is a reality for many organisations today but as teams leverage cloud tools to enable better collaboration, the criminals are also upping their game to take advantage of the new environment. Adenike Cosgrove, Cybersecurity Strategy, International, Proofpoint, highlights why defenders must prioritise email security when operating in the cloud, as well as how CISOs can best protect against today’s many different attacks.
Today’s global threat landscape is fundamentally characterised by the human element, and it’s no different in the Middle East. ‘Work from anywhere’ is now a reality for a significant percentage of the workforce and we’re seeing organisations around the world at greater risk of cyberthreats than ever before.
That’s why 66% of CISOs in the UAE agree that remote working has made their organisation more vulnerable to these targeted cyberattacks, according to Proofpoint’s 2021 Voice of the CISO Report.
Here we break down some of the key questions CISOs in the region may have, with advice on how to bolster their cybersecurity postures.
What types of attack are CISOs in the region expecting to encounter?
Almost 100% of attacks require somebody to do something via human interaction to be successful.
Criminals are leveraging social engineering as a key tool to get somebody to click on or interact with their payload. The stats highlight that 99% of data loss incidents are human-driven, while 75% of ransomware attacks start with email phishing. There are also Business Email Compromise attacks, or email fraud attacks, where the criminal pretends to be someone that the victim trusts; these are causing more financial loss than all other attacks combined.
Given the overall success rate and low cost of executing these email fraud attacks, we’re seeing UAE CISOs particularly concerned about these. Security professionals are recognising these new ways in which criminals are trying to socially engineer people – they’re ultimately logging in instead of hacking in.
What trends have you seen in terms of regional organisations moving to the cloud and what challenges does this present?
The ability for employees to work from anywhere is here to stay and we’re seeing an increased need for organisations to enable things like virtual collaboration, cloud services and the ability for people to collaborate more effectively from anywhere, on any device, in any location.
Many firms are now housing a substantial portion of their sensitive information and corporate data in the cloud. They’re migrating from on-premises data centres to Microsoft, Amazon and Google to ease that transition into work from anywhere. But that means our security strategy and controls need to change as we’re leveraging cloud services.
And the criminals recognise this shift. That’s why instead of hacking Microsoft, they’re tricking our employees into giving up those credentials to these cloud services. Why hack Microsoft, if you can just steal someone’s credentials and log in using their actual identity and just download the data from the cloud? Criminals are also leveraging cloud services to host malware and this is being used to launch ransomware attacks.
Many organisations have migrated to Office 365. What are the hidden costs and security limitations of this?
Microsoft really is a business enabler and businesses across the world, including those in the Middle East, are reaping the rewards of Microsoft and those collaboration services.
But we’ve seen the criminals too are leveraging that infrastructure. We saw malicious messages sent from Microsoft 365, targeted at 60 million users in 2020, according to Proofpoint’s threat data. This is criminals using Microsoft’s own infrastructure and trusted domains to spread that malware.
Email is still the number one point of entry for cyberthreats and this puts everyone at risk – internal employees, external suppliers, external third parties and customers that we collaborate with.
A core concern is the fact that these emails are leveraging outlook.com, for example, as a domain, which has a trusted reputation – so those emails are much more likely to land in the inbox.
Criminals are really using a wide range of tactics to hijack these cloud email and application accounts. That’s why 71% of CISOs in the UAE are more concerned about the repercussions of cyberattacks now, more than ever.
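The point above is that mail sent through Microsoft’s own infrastructure from a reputable domain such as outlook.com will typically pass reputation and authentication checks, so a sender-impersonation message has to be caught on its content rather than on where it came from. The following is an added example, not code from the interview or from Proofpoint: a small Python heuristic that flags a message whose From display name matches a protected internal name while the address sits on an external or consumer webmail domain, or whose Reply-To diverges from the From address (a common email fraud pattern). The internal domain, the protected-name list and the three sample messages are constructed for illustration.

```python
"""Display-name impersonation check for inbound mail.

Added example, not Proofpoint's or the interview's code. Flags messages
whose From display name matches a protected internal name while the
sending address is on an external or consumer webmail domain (such as
outlook.com), or whose Reply-To differs from the From address. The
domain, protected names and sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
CONSUMER_WEBMAIL = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}
# assumption: names an attacker is most likely to impersonate (CEO, CFO, ...)
PROTECTED_NAMES = {"Jane Doe", "Ahmed Al Mansoori"}


def _norm(name: str) -> str:
    """Normalise a display name: collapse whitespace/commas, ignore case."""
    return " ".join(name.replace(",", " ").split()).casefold()


def assess(raw_message: str) -> list:
    """Return the reasons a message looks like display-name fraud (empty list = clean)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].casefold()
    reasons = []

    protected = {_norm(n) for n in PROTECTED_NAMES}
    if _norm(display) in protected and domain != INTERNAL_DOMAIN:
        kind = "consumer webmail" if domain in CONSUMER_WEBMAIL else "external"
        reasons.append(f"protected display name '{display}' sent from {kind} domain {domain}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.casefold() != addr.casefold():
        reasons.append(f"Reply-To {reply_addr} differs from From {addr}")
    return reasons


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """From: Jane Doe <jane.doe.ceo@outlook.com>
To: finance@example.com
Subject: Urgent wire

Please process the attached invoice today.
"""

SAMPLE_CLEAN = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Budget

See attached.
"""

SAMPLE_REPLYTO = """From: Vendor Billing <billing@vendor.test>
Reply-To: billing-vendor@gmail.com
To: ap@example.com
Subject: Updated bank details

Our bank account has changed, see below.
"""

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("clean", SAMPLE_CLEAN), ("reply-to", SAMPLE_REPLYTO)):
        print(label, assess(sample) or "clean")
```

In practice the protected-name list comes from the directory (executives, finance, HR) and the consumer-domain set from threat intelligence; the check is deliberately independent of SPF, DKIM and DMARC results because, as noted above, those pass for mail genuinely relayed through Microsoft 365.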
Why must email security for Office 365 be a priority?
Fundamentally, we need additional controls on top of the core capabilities that Microsoft 365 provides. If the criminals are leveraging a platform approach, we too as defenders need to leverage a platform approach.
If the criminals are leveraging a number of different techniques from credential phishing to malware to Business Email Compromise, we have to have that defence-in-depth platform approach to protect the user from the threats that the user is facing in the email channel.
How concerned should CISOs be about insider threats? And how is the reported great resignation driving the rise in these?
As cybersecurity professionals, we spend a lot of our time and budget focused on keeping threats out. We want to make sure that we’re protecting our data and with good reason. However, not all attacks are perpetrated by outside criminals. Sometimes that risk is inside of our house. There are two key trends that are leading to this increase in insider risk.
The first is the move to the cloud. We’re leveraging more cloud services, more data is going into the cloud, more people have access to that data.
And then second is this work from anywhere – we have much more flexibility but with increased access comes increased risk. Are we monitoring where that data resides? Are we monitoring who has access to that data?
With the Great Resignation we’ve seen an increased risk around insider threat incidents because as people are leaving organisations they’re taking data with them, believing it to be theirs.
We are seeing these trends where individuals are taking data or accessing data in interesting new ways. Forrester coined an interesting phrase, stating that COVID-19 has introduced ideal conditions for insider threat – and that’s ultimately because we’ve enabled more access. So, we need to monitor that data.
How can CISOs best protect against these different attacks and ensure employees are aware of the threats presented to them?
First, it’s understanding what type of insider you are dealing with. That should inform how your security team responds. If you’re dealing with someone that’s made a mistake, perhaps you want to send them to training again or make them aware of a security policy and their responsibility in protecting that data.
Your response plan will be completely different if, for example, you’re dealing with a compromised user, someone who has maybe inadvertently given up their password and username to a cybercriminal and the criminal is now acting as that person, because they’re logging in using their credentials.
Further, you’d be responding slightly differently if you’re dealing with someone that is intentionally stealing company data and trying to cause harm to the organisation.
But fundamentally, the foundation of any defence is visibility. You need to have total visibility into your data and your people. The data that they are creating and how they’re accessing it, where it resides, who has access, whether it’s on premises or the cloud and how people are working with that data.
It’s not just about confidentiality. It’s also about the integrity and availability of that information. Then you need to implement technical controls like DLP solutions, or security solutions that are ultimately preventing those criminals from stealing credentials and getting access to those Crown Jewels and cloud stores. You can then implement appropriate controls to protect against the threat landscape of that individual.
Also, you need to create a strong security culture. That means understanding the behaviour of people, what good behaviour you want to implement, and then building a culture programme and awareness programme to ultimately change behaviour towards that good.
As a final recommendation, people are the new perimeter so we recommend implementing a layered defence. This includes dedicated insider threat management solutions, a strong security awareness training programme and ultimately, a critical and strong threat protection solution that’s blocking threats from reaching your people, irrespective of the channel or technique or platform that the criminals are leveraging.
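The compromised-user case described above, where a criminal holds a valid username and password and simply logs in, leaves no malware to find; the visibility that catches it is in the cloud sign-in log. The following is an added example, not code from the interview or from Proofpoint, showing two checks a security team can run over successful sign-ins: impossible travel between consecutive sign-ins for the same account, and a first sign-in from a country the account has never used in the observed history. The record layout, the 900 km/h threshold and the sign-in records are constructed assumptions, not the schema or defaults of any particular identity provider.

```python
"""Sign-in anomaly checks for stolen-credential use.

Added example, not Proofpoint's or the interview's code. Flags successful
cloud sign-ins that look like someone "logging in instead of hacking in":
impossible travel between consecutive sign-ins, and a first sign-in from a
previously unseen country. Field names, threshold and records are
constructed assumptions.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than an airliner implies two actors
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_anomalies(records):
    """Return [(user, reason), ...] for successful sign-ins that suggest credential misuse."""
    alerts = []
    by_user = {}
    # Only successful sign-ins matter here; failed attempts are a separate signal.
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["success"]:
            by_user.setdefault(r["user"], []).append(r)

    for user, logins in by_user.items():
        seen_countries = {logins[0]["country"]}
        for prev, cur in zip(logins, logins[1:]):
            if cur["country"] not in seen_countries:
                alerts.append((user, f"first sign-in from {cur['country']} at {cur['ts']}"))
                seen_countries.add(cur["country"])

            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            gap = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = gap.total_seconds() / 3600
            # Same-second sign-ins from distant places are impossible too (hours == 0).
            if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                alerts.append((user, f"impossible travel: {km:.0f} km in {hours * 60:.0f} min "
                                     f"({prev['country']} -> {cur['country']})"))
    return alerts


# Constructed sign-in records (not real log data). Coordinates are rough city centres.
SIGNINS = [
    {"user": "alice", "ts": "2021-06-01T09:00:00", "success": True,  "country": "AE", "lat": 25.20, "lon": 55.27},
    {"user": "alice", "ts": "2021-06-01T09:40:00", "success": True,  "country": "GB", "lat": 51.51, "lon": -0.13},
    {"user": "bob",   "ts": "2021-06-01T08:00:00", "success": True,  "country": "AE", "lat": 25.20, "lon": 55.27},
    {"user": "bob",   "ts": "2021-06-01T10:00:00", "success": True,  "country": "AE", "lat": 25.21, "lon": 55.28},
    {"user": "bob",   "ts": "2021-06-01T10:05:00", "success": False, "country": "RU", "lat": 55.76, "lon": 37.62},
]

if __name__ == "__main__":
    for user, reason in find_anomalies(SIGNINS):
        print(f"{user}: {reason}")
```

Both checks are noisy on their own (VPN egress points and cloud proxies move users across countries instantly), so in production the country baseline should be built from weeks of history per account and the alert should be enriched with device, application and MFA outcome before anyone is forced to re-authenticate.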