October marks European Cyber Security Month – an awareness campaign aiming to promote the importance of information security and highlighting the simple steps that can be taken to protect data, whether personal, financial and/or professional.
This year, the campaign is centred around cyber-hygiene and how to stay safe with the latest emerging technology. Two focus areas for both individuals and businesses to be aware of are traditional attack methods such as phishing and how it is continuing to take prevalence in the cyberspace. However newer methods of attack, like AI-enabled attacks must be considered as it has the ability to wreak havoc on organisations and even entire nations.
In this article, tech industry experts discuss some of the biggest threats facing individuals, organisations and entire nations today, what the consequences can be and how we can look to defend against them.
The heart of the issue
“The last 25 years have seen more and more elements of our daily lives shift over to the online world, bringing about vast benefits for businesses and citizens alike. But unfortunately, with progress comes risk. For example, our research found that 77 per cent of Brits think they know enough to stay safe online, and 41 per cent think it’s unlikely they’ll be victim to a cyber-attack in the next 12 months,” says Russell Haworth, CEO, Nominet.
“While it’s encouraging that many Brits feel they know enough to stay safe, the assumption that cyber-attacks simply won’t affect them is dangerous. Too many of us are still not following even basic security advice, with just under a quarter admitting they didn’t change their password when a provider suffered a breach.”
Today’s biggest threats
Dave Palmer, Director of Technology, Darktrace believes Cyber Security Month presents a fantastic opportunity for businesses and individuals to reflect on the cyber-threats that are continuing to take precedence amongst the hacker community. “Despite hackers becoming increasingly sophisticated in their attack methods, traditional strategies such as phishing and social engineering are still widely used and often successful. In fact, 90 per cent of malware today originates in the inbox, disguised within phishing emails whose senders impersonate trusted colleagues, and nearly three-quarters of targeted cyber-attacks involve “spear-phishing” emails.”
Chris Huggett, Senior Vice President, UK and India, Sungard Availability Services is also of the view that organisations should be aware of traditional methods, stating that “ransomware is one of the biggest cyberthreats organisations in the UK face. Entering into an organisation’s network by targeting individual users, it uses intense psychological pressure and exploits human error to gain access to IT systems and/or data.”
In addition to these more traditional attack methods though, Paul Dignan, Systems Engineering Manager, F5 Networks explains how we have now entered a new, critical phase of cyber-warfare – “one where hackers act on behalf of nation-state powers to not only disrupt critical infrastructures, but also actively seek trade secrets. Worryingly, the recent Verizon Data Breach Investigations Report (VDBIR) notes a sharp uptick in nation-state attacks, from 12 per cent of all analysed breaches to 23 per cent in the past year. A quarter of breaches are currently influenced by cyberespionage too. New battle lines have been drawn across the world and organisations need to tool up accordingly.”
Tim Hickman, Partner at White & Case says, “as we have seen over the past year, the financial and reputational consequences of failing to implement appropriate cybersecurity measures can have a severely detrimental effect on businesses. Companies that are affected by a cyberattack do not always incur a fine. However, penalties are more likely to be imposed if it becomes apparent that a business has inadequate cybersecurity measures in place. Once a successful cyberattack becomes public knowledge, customer and market confidence in an organisation can take a real hit.”
With regards to the consequences of ransomware specifically Hugget explains that, “as well as being an effective tool for cybercriminals to extort money and cause business disruption, the ability for ransomware to exploit individuals on a psychological level has enabled it to become a major source of disruption. While feelings of guilt and responsibility may plague the end-user unknowingly deceived into creating an exploit, a similar or even higher level of stress is likely to be felt by a public-facing executive who must answer to a disgruntled customer base in response to a data breach or service outage. In fact, recent research has revealed that over half (54 per cent) of C-level executives in the UK have suffered from stress-related illnesses and/or damage to their mental well-being as the result of a technology crisis.”
Keeping the hackers out
Rich Turner, SVP EMEA, CyberArk says “businesses of all stripes are embracing digital technologies and processes to deliver products and services to market faster. But the ‘need for speed’ and consequent shorter feedback loops introduce a host of new risks which must be priced into the overall package. Our recent Global Advanced Threat Landscape report indicated that less than half of organisations have a strategy that helps secure, control, manage and monitor privileged access to new workflows and technologies such as DevOps, IoT and RPA – these are technologies foundational to digital initiatives. The net result is a much bigger chance that sensitive data and assets can be breached through compromising these unprotected privileged credentials.
“The issue is that as they adopt these technologies, organisations are increasingly operating in cloud-first environments. This removes a natural security barrier - access is no longer limited to the network, and the perimeter is no longer defensible. To counter this, security strategies must shift to protecting the business’s most important information from within. Zero Trust security models are making this possible: they presume trust nothing and verify everything, whether it comes from inside or outside the network perimeter, before granting access. By practicing defence-in-depth and incorporating privileged access security controls at the core of their strategy, organisations can drive down risk while maintaining business velocity.”
In Palmers opinion, any organisation should take Cyber Security Month as an opportunity to think about implementing processes that will aid them in detecting and preventing cyber-attacks of any kind, “such as programmes for staff education, as well as adopting a platform approach to cyberdefence – as opposed to siloed solutions. There is no silver bullet for countering any kind of attacks, regardless of how robust perimeter-oriented protections become” according to Palmer, “rather, we must employ our own solutions to secure our digital assets from the inside-out.”
Dignan echoes that AI is one of a range of new technologies that are emerging to help fight back in real-time and spot anomalies that were previously out of sight, though highlighting that, “whatever the technology mix looks like, the priority is to apply security at every level and on every surface: endpoint, application, and infrastructure. As ever, organisations should constantly review and update their security settings and tools, on top of running regular penetration tests to monitor and improve staff behaviour. Investing in staff training and education will also go a long way, as it can be difficult for all employees to keep up with the ever-evolving techniques used by hackers by themselves.”
Specifically speaking to financial institutions, Mark Grainger, VP Europe, at Engage Hub, believes many are struggling to find the right balance between security and flawless customer experience.
He says, “a crucial priority for any bank is protecting sensitive customer data and safeguarding their money. But just as important today, is providing an engaging and streamlined customer experience. One of the main challenges posed by enhanced security is that it usually requires additional steps and hoops that customers need to jump through. An important aspect banks might want to consider when it comes to improved security and speed is biometric authentication. Many banks are already using fingerprint ID for mobile banking apps, and facial recognition is gaining traction too. In fact, studies show that the global facial recognition market is expected to grow from $3.2bn in 2019 to $7bn by 2024.”
Grainger continues, “another option for customers to confirm their identity is voice authentication. Call-centre agents can easily identify and verify a customer through voice, saving time and resources compared with other more complicated methods, leading to happier customers and more efficient staff.”
In addition to implementing technology solutions, Huggett believes “organisations must establish a business-wide culture of vigilance.” Explaining that ransomware, for example, “works best when the individuals it targets are isolated, therefore solid communication structures and openness among staff are important tools for combatting it. Emphasising mutual protection leads to less of a burden being placed on individuals.”
Ultimately, Hickman thinks, “the best strategy for protection is in having a thorough understanding of the threat landscape that your organisation faces, and the increasingly sophisticated nature of attackers out there. It is essential to recognise the vulnerabilities in your organisation’s IT infrastructure and identify high-value assets and data, so that appropriate policies and protective measures can be put in place.”
Dignan concludes, “it is a dangerous world out there for companies today, and only through the right mix of pre-emption, prevention and continuous education can businesses hope to fight back.”