What threats are presenting the biggest risks to businesses this Cyber Security Month and how can they be prevented? Industry experts discuss.
New methods of cyber-attack are presenting themselves with increasing regularity, with the first example of voice phishing recently making its way into the headlines. In light of this, as businesses continue to embark on and ramp up their digital transformation journeys, security can’t be put on the backburner. Cyber security is more vital than ever before.
But it isn’t just new and emerging threats that organisations and individuals alike need to be aware of. Traditional methods are still presenting a significant threat.
So, what do businesses need to be aware of this Cyber Security Month and moving forward into 2020, and what can be done to prevent the worst from happening?
Don’t get too comfortable
According to Russell Haworth, CEO, Nominet, “the last 25 years have seen more and more elements of our daily lives shift over to the online world, bringing about vast benefits for businesses and citizens alike. But unfortunately, with progress comes risk. For example, our research found that 77% of Brits think they know enough to stay safe online, and 41% think it’s unlikely they’ll be victim to a cyber-attack in the next 12 months.
“While it’s encouraging that many Brits feel they know enough to stay safe, the assumption that cyber-attacks simply won’t affect them is dangerous. Too many of us are still not following even basic security advice, with just under a quarter admitting they didn’t change their password when a provider suffered a breach. In fact, quite astonishingly, recent National Cyber Security Centre breach analysis found that 23.2 million victim accounts still used a 123456 password. This poses obvious risks to the individual, but it is when employees bring this same attitude to cyber security to the workplace that the issue can really escalate.
“Cyber Security Awareness Month is a perfect opportunity to raise awareness of the associated cyber risks we face, but it’s important that everyone follows continual cyber security best practice to protect themselves and businesses from online threats.”
Rich Turner, SVP EMEA, CyberArk explains, “businesses of all stripes are embracing digital technologies and processes to deliver products and services to market faster. But the ‘need for speed’ and consequent shorter feedback loops introduce a host of new risks which must be priced into the overall package. Our recent Global Advanced Threat Landscape report indicated that less than half of organisations have a strategy that helps secure, control, manage and monitor privileged access to new workflows and technologies such as DevOps, IoT and RPA – technologies foundational to digital initiatives. The net result is a much bigger chance that sensitive data and assets can be breached through compromising these unprotected privileged credentials.”
Turner continues, “the issue is that as they adopt these technologies, organisations are increasingly operating in cloud-first environments. This removes a natural security barrier – access is no longer limited to the network, and the perimeter is no longer defensible. To counter this, security strategies must shift to protecting the business’s most important information from within. Zero Trust security models are making this possible: they trust nothing and verify everything, whether it comes from inside or outside the network perimeter, before granting access. By practicing defence-in-depth and incorporating privileged access security controls at the core of their strategy, organisations can drive down risk while maintaining business velocity.”
Watch out for traditional attack methods
One of the biggest risks posed to UK organisations as a consequence of digital transformation is ransomware, according to Chris Huggett, Senior Vice President, UK and India, Sungard Availability Services. “As well as being an effective tool for cybercriminals to extort money and cause business disruption, the ability for ransomware to exploit individuals on a psychological level has enabled it to become a major source of disruption,” explains Huggett. “While feelings of guilt and responsibility may plague the end-user unknowingly deceived into creating an exploit, a similar or even higher level of stress is likely to be felt by a public-facing executive who must answer to a disgruntled customer base in response to a data breach or service outage. In fact, recent research has revealed that over half (54%) of C-level executives in the UK have suffered from stress-related illnesses and/or damage to their mental well-being as the result of a technology crisis.”
But as well as traditional methods like ransomware, new forms of attack are on the rise, and the stakes are even higher, not just for individuals and organisations, but for entire nations. Paul Dignan, Systems Engineering Manager, F5 Networks says, “we have now entered a new, critical phase of cyber warfare – one where hackers act on behalf of nation-state powers to not only disrupt critical infrastructures, but also actively seek trade secrets. Worryingly, the recent Verizon Data Breach Investigations Report (VDBIR) notes a sharp uptick in nation-state attacks, from 12% of all analysed breaches to 23% in the past year. A quarter of breaches are currently influenced by cyberespionage too. New battle lines have been drawn across the world and organisations need to tool up accordingly.
“The issue, which is one that needs to be considered, not only this month but for the foreseeable future, is that the number of state-sponsored attacks is only going to rise with the imminent impact of new trends that will expand attack surfaces for hackers, such as 5G and IoT. A range of new technologies are emerging to help fight back, such as AI solutions to analyse all traffic in real-time and spot anomalies that were previously out of sight. But whatever the technology mix looks like, the priority is to apply security at every level and on every surface: endpoint, application, and infrastructure,” concludes Dignan.
Striking the right balance
But when implementing security measures to defend from these traditional, new and evolving threats, Mark Grainger, VP Europe, at Engage Hub believes businesses need to continue to have the customer front of mind. “A crucial priority is providing an engaging and streamlined customer experience. One of the main challenges posed by enhanced security is that it usually requires additional steps and hoops that customers need to jump through.” Grainger reflects on banking customers, adding that, “an important aspect banks might want to consider when it comes to improved security and speed is biometric authentication. Many banks are already using fingerprint ID for mobile banking apps, and facial recognition is gaining traction too. In fact, studies show that the global facial recognition market is expected to grow from $3.2bn in 2019 to $7bn by 2024.”
The ramifications can be costly
Tim Hickman, Partner at White & Case highlights that, “the financial and reputational consequences of failing to implement appropriate cyber security measures can have a severely detrimental effect on businesses. Companies that are affected by a cyberattack do not always incur a fine. However, penalties are more likely to be imposed if it becomes apparent that a business has inadequate cyber security measures in place. Once a successful cyber-attack becomes public knowledge, customer and market confidence in an organisation can take a real hit.”
Hickman concludes, “The best strategy for protection is in having a thorough understanding of the threat landscape that your organisation faces, and the increasingly sophisticated nature of attackers out there. It is essential to recognise the vulnerabilities in your organisation’s IT infrastructure and identify high-value assets and data, so that appropriate policies and protective measures can be put in place.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.