Official statistics from DCMS’s Cyber Security Breaches Survey paint a relatively bright picture for enterprise security in the UK, with the proportion of UK organisations being hit by cyber-attacks and data breaches dropping in the past year from 43 per cent to 32 per cent. The report also found that 30 per cent of businesses have made changes to their cyber security policies or processes as a result of GDPR. For 78 per cent of businesses, cyber security is now a high priority for their organisation’s senior management.
At the same time, breaches are still regularly hitting headlines, and 2019 has witnessed some of the biggest data dumps in history. February’s Collection 1-5 leaks, and the breach of email validation service Verifications.io in March, collectively exposed over 2 billion records. This is a worrying sign for businesses, as the impact of cyber security breaches can be severe, including financial and reputational damage. Indeed, IBM revealed that the global average cost of a data breach is £3 million, and estimated that a breach of 50 million records or more can cost a company as much as £273 million.
So what does this say about the UK's cybersecurity landscape? Are we playing cat and mouse with cyber criminals who are constantly evolving their attacks to stay one step ahead? Do businesses need to more to improve their IT security, and if so, how? To answer these questions we need to identify existing vulnerabilities in the security posture of enterprises, understand how these vulnerabilities shape how attackers operate, and explore the emerging technologies designed to keep organisations protected.
Behind the breach
It’s clear from a number of high-profile breaches that have hit the headlines that many enterprises are leaving themselves vulnerable to hackers by relying on basic methods of authentication, such as passwords, or weak multi-factor authentication (MFA) techniques such as one-time SMS codes which can easily be intercepted by malware. Furthermore, many users are still continuing to re-use passwords across multiple accounts which increases the likelihood of their credentials being stolen if a breach does occur.
For example, when social media site Timehop was breached, it was as a result of not protecting its cloud network with MFA, so when an employee’s credentials were leaked, the hacker was granted immediate access to users’ data. As a result, virtually all of the app’s 21 million users were affected, with the compromised information including names, email addresses, dates of birth, and some phone numbers.
MFA combines at least two out of three authentication methods including something you know (such as a PIN), something you have (such as an authentication app), or something you are (such as a fingerprint). By requiring additional information beyond a username and password, accounts are harder to get into. However, it’s important that businesses are aware of using MFA methods with known vulnerabilities, such as one-time SMS codes which can easily be intercepted by attackers.
Compounding the poor practices of enterprises is the effort cyber-criminals are putting in to adapting existing security measures and improving the effectiveness of their attacks. Attackers are trading knowledge in underground marketplaces which is allowing them to specialise in particular aspects of cyber-crime, for example breaking into accounts or stealing security credentials. By sharing tips and hacks with each other, they’re also often able to stay ahead of security protocols.
Operating in the same way a business would, cybercriminals also make economic decisions to decide where to spend their time and effort, based on the return-on-investment. As enterprises ramp up security for one channel, such as internet or phones, criminals will then turn their attention to pursue softer targets, such as mobile apps. This practice is being seen in the banking and finance sector where fraud losses from internet banking and telephone banking dropped in 2018, but mobile banking fraud specifically increased by 20 per cent from 2017.
Adopting an adaptive approach across all channels
In order to keep up with the rapidly changing strategies of criminals, more value and importance must be placed on dynamic and flexible controls. Organisations need to invest in the collection of high-quality data that will provide the basis for these controls, as well as the informed decisions they need to make on threats and criminal activity. Although there are a number of tools on the market, we’re seeing the emergence of the next generation of intelligent security such as adaptive authentication, which uses artificial intelligence and machine learning to score vast amounts of data, analyse the risk of a situation, and adapt the authentication levels accordingly.
For example, if a user checks their online bank balance from a recognised device and location, they would only need to go through basic authentication requirements to gain access to their account. However, for higher-risk activity, such as high transactions, that fall outside of normal behaviour, additional authentication will be required. By combining a range of authentication tools such as MFA, behavioural analysis, biometrics, and even pulling in data from third party tools, adaptive authentication makes staying ahead of the cybercriminals becomes that little bit easier. Security moves from being a black and white binary story to becoming precise and intelligent – providing the exact level of security as and when it is needed.
Finally, businesses need to ensure that all channels are secure, including mobile, which is increasingly being targeted by criminals as consumers continue to use them to buy things and move money around. Developers need to build security into mobile apps from the start, for example, mobile application shielding which can detect malicious behaviours and shut down the targeted app before an attack can take place.
To assume that breaches are now part and parcel of enterprise life is to make a lazy assumption about the state of cybersecurity today. It suggests that no matter how much we strengthen our human or technological defences, it will never be good enough to keep criminals out. It’s clear that this is not the case. Yes, enterprises need to do more to improve IT security, but as we see authentication technology continue to evolve and progress, staying ahead of criminals should only get easier, and the number of breached companies should continue to fall.
Christian Vezina, CISO, OneSpan
Image Credit: B-lay