Cyber-crime has emerged as one of the most pressing issues in the 21st century. Often completely anonymous, cyber-criminals are exploiting the opportunity that the increasingly-digital world has presented them to maximum effect. Every minute of every day a business, charity or individual faces a cyber threat of some sort. Billions of pounds are spent globally on the clean-up required after successful cyber-attacks, and unquantifiable amounts of data are lost or damaged, software and systems corrupted, intellectual property stolen and reputations destroyed.
The security breach on Facebook in September 2018 is one of the most prominent examples of the impact a cyber-attack can have on an organisation. Attackers exploited a glitch allowing them to access almost 50 million profiles and the additional apps they provide access to, with a further 40 million being exposed to further threat. The perpetrators remain unknown – further demonstrating cyber-attacks as the most worryingly successful, and damaging, forms of crime. The breach also sent Facebook stock tumbling and the company now faces a fine of up to £1.25 billion.
Despite what the media might have some believe, it’s not just the huge corporations that face cyber threats. It was reported by the Cyber Security Breaches Survey in 2018 that 42 per cent of micro or small businesses reported at least one cyber security breach or attack in 2018, rising to over 70 per cent of large businesses or charities with incomes of £5 million or more. These statistics also showed that among those experiencing breaches, large firms identify an average of 12 attacks a year and medium-sized firms six attacks a year.
It is clear that business leaders are aware of the pressing need for cybersecurity measures to be in place. In fact, further figures from the Cyber Security Breaches Survey 2018 show that 74 per cent of business leaders and more than half of all charities cite cyber security as a high priority for the organisation’s senior management. This coincides with just less than a 10 per cent increase in the predicted global cyber budget from 2018 to 2019.
However, regardless of any acknowledgement one might have towards the growing threat of cyber-attacks, research suggests that many business leaders have a very limited understanding of the nature of these attacks. In a recent report, 61 per cent of CEOs cited malware as the main cause of data loss while the technical officers they rely on to keep the organisation protected cited compromised credentials as a more prevalent cause of any cyber-attack.
Much of this problem stems from sensationalised news coverage of the cyber-attacks on global brands and huge organisations. The media will often point the finger towards international networks of ‘elite’ professionals, provoking the image of expert ‘hackers’ using cutting-edge technology to bring down entire IT systems. In reality, the threat is often far closer to home than one might first realise. Attackers rarely “hack” in against sophisticated systems – they log in, using weak, stolen, or otherwise compromised credentials, which users sometimes even unknowingly give them.
As a result, having invested in external cyber prevention methods, such as malware recognition software and staff training, many business leaders assume they are safe and no longer concern themselves with the cyber threat against their company. It’s often even the case that so much money has been invested in the external measures that staff and executives start to conduct themselves as though they are completely invincible from any possible threat of a cyber-attack – leading to detrimental behaviour such as cutting corners when it comes to basic cyber prevention precautions. This may include leaving themselves logged into a company’s IT system when out for lunch, or using easy-to-remember, weak passwords. Often, in companies with lax security measures at best, if someone with malicious intentions gets hold of a device, username and password, there are few restrictions on what they can access – meaning one simple slip-up from an employee of any level could be the end-game for an organisation of any size.
Moving forward, it is essential that organisations recognise the severe issues that can arise from lax or non-existent identity and access security measures. This starts by taking a Zero Trust approach – assuming that every user is a possible security risk, and therefore treating all users equally – as untrusted. Cyber threats can be mitigated by cross checking information about any user attempting to log in to a given IT system or database relevant to the company they work for.
In order to maintain company proficiency at the same time, multi-factor authentication provides an additional step to verify the identity of anyone trying to access data. For example, after logging in with a username and password, the person requesting access could then be asked to complete a secondary verification on something they are known to have, such as a mobile phone. A simple text code or verification swipe across the screen adds a second “factor” to which their identity can be tied and verified. Failure to adopt this approach could allow a hacker unprecedented access to an abundance of sensitive company information without leaving a trace of their malicious activity.
Organisations should even seriously consider adopting more sophisticated cyber security-backed IT systems which can log user activity, so if a cyber-attack did occur as a result of illegal internal activity, the break-in could be traced back to the specific user, login, date, time and location. This should spark just the right amount of paranoia between all potentially ‘corrupt’ employees to negate all considerations of purposeful abuse of company data.
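The three measures described above (cross-checking login information, requiring a second factor, and logging activity by user, date, time and location) can be combined in one access decision. The sketch below is an added example, not code from the article or from any product; the user profile, device names and the "allow_and_alert" policy are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class LoginAttempt:
    user: str
    password_ok: bool        # first factor: something the user knows
    second_factor_ok: bool   # second factor: something the user has (e.g. phone)
    device_id: str
    country: str
    when: datetime

# Constructed sample profile: devices and locations previously seen per user.
KNOWN_CONTEXT = {"asmith": {"devices": {"laptop-017"}, "countries": {"GB"}}}

def evaluate(attempt, audit_log):
    """Treat every attempt as untrusted: check both factors, cross-check
    context, and record the outcome so it can be traced later."""
    profile = KNOWN_CONTEXT.get(attempt.user, {"devices": set(), "countries": set()})
    reasons = []
    if not attempt.password_ok:
        reasons.append("bad_password")
    if not attempt.second_factor_ok:
        reasons.append("second_factor_failed")
    if attempt.device_id not in profile["devices"]:
        reasons.append("unknown_device")
    if attempt.country not in profile["countries"]:
        reasons.append("unusual_location")

    if not (attempt.password_ok and attempt.second_factor_ok):
        decision = "deny"             # a valid password alone is never enough
    elif reasons:
        decision = "allow_and_alert"  # assumed policy: admit, notify security
    else:
        decision = "allow"

    audit_log.append({"user": attempt.user, "device": attempt.device_id,
                      "country": attempt.country,
                      "time": attempt.when.isoformat(),
                      "decision": decision, "reasons": reasons})
    return decision

def demo():
    log = []
    t = datetime(2019, 1, 7, 12, 30, tzinfo=timezone.utc)  # constructed timestamp
    usual = LoginAttempt("asmith", True, True, "laptop-017", "GB", t)
    stolen = LoginAttempt("asmith", True, False, "pc-unknown", "GB", t)
    travel = LoginAttempt("asmith", True, True, "laptop-017", "FR", t)
    return [evaluate(a, log) for a in (usual, stolen, travel)], log
```

The second attempt models a stolen password used from an unfamiliar device: the password check passes, but the attempt is denied and the audit record still captures who, when and from where.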
Ultimately, assumptions about user identity are one of the biggest threats facing businesses in an increasingly dangerous digital world. Leaders of all varieties of organisations, be it a charity or public sector service, SME or global enterprise, must adapt to the threat that can, and often does, arise from compromised credentials. One way to do that is by simply adopting the Zero Trust mindset: never trust, always verify.
This is not to say that companies should neglect or revoke any measures they already have in place against external cyber threats because, in truth, nobody knows where, when or how a cyber-attack might arrive. This makes it all the more important for an organisation to ensure that all the necessary cyber prevention measures are in place – ensuring there are no weak spots and minimising the threat of a cyber-attack from all possible angles.
Andy Heather, Managing Director, EMEA, Centrify