The internet is our greatest organisational (and personal) enabler and yet, paradoxically, it is also the greatest threat to organisational (and personal) security. Data leaks, such as Capital One’s exposure of the personal information of 106 million-odd customers, can rack up hundreds of millions of dollars in damages. How did their leak happen? Through a third-party’s misconfigured web application firewall.
Cyber threats aren’t going away.
They’re maturing and diversifying, much like ‘regular’ software. Even more disturbing is the thought that “Cybercriminals are using AI to reduce the effort to attack and compromise systems through automating the attack process,” as Rahul Lobo, Director, Advisory, Advanced Security Center at EY plainly puts it.
While cyber attacks increase year on year, the types continue to shift: while ransomware was hot in 2017, crypto mining malware stepped up in 2018. Phishing, in its many forms, continues to dominate as a threat to organisations and individuals alike.
Cybersecurity strategy to actively reduce risk
What all this presents is a significant risk to business. Investment in cybersecurity strategy is imperative, for SMBs and large enterprises through to government agencies and not-for-profits. This involves staying informed of the latest threats and sharing with the wider community, like they do at EY.
Says Dylan Holloway, Consultant, Cyber Security: “The EY Cyber Threat Intelligence team provide weekly updates on the most relevant cybersecurity threats from around the world. If our team has concerns about any identified risks, we can work with IT to put in place mitigation strategies.”
“Alternatively, if our team identifies a cyber risk that we believe is relevant to the organisation as a whole, we can share our findings with the CTI team and IT for wider circulation and start the process for mitigation.”
A cybersecurity strategy also needs to include protection through layered security wherever possible, and risk mitigation strategies in place to minimise the impact of cyber incidents.
And with just a little bit of strategy out of the way first, let’s talk cybersecurity and risk in 2020 and beyond.
A diversified threat landscape
One of the biggest threats to any organisation’s cybersecurity is the growth of attack vectors.
Once upon a time, organisations operated solely within the office, connected to the outer internet behind a firewall, via a singular network of desktop computers, with important operational compute and storage in the server room, and work stopped when people left the building. The air conditioner and lights needed to be switched off at the end of the day, and admin staff would have to pay attention to when stocks were running low to put in manual supply orders.
Of course, this has all changed. We’re now spending more time working remotely, have IoT devices to help with mundane office tasks, and resupply is automated.
An explosion of internet-connected devices
These are all tasks managed by machines, not by humans, which means a broader threat landscape across processes. As Cisco predicts, “by 2030, 500 billion devices are expected to be connected to the Internet,” with a study finding that “58 percent (of organisations say) that the IoT is strategic to their business strategy.”
What this means is that each connected device is a potential access point for an attacker.
One way to help ensure security across this broadening, network-connected device landscape, says Justin Spyridis, Acting General Manager, IoT Product Engineering at Telstra, is to “focus on changing the typical paradigm associated with working distributed resource, by moving away from a perimeter defensive position.”
“This is largely focused on the idea of zero trust networks and assuming that all devices are essentially operating from untrusted domains and take some level of responsibility and ownership (across access control and management), before they’re granted access/resources over an open medium such as the Internet.”
Vendors and the attack surface
Remember, too, that public and multi-cloud environments have real devices on the end of the line, and those devices are also avenues for attack. Each supplier is a vendor, whether it be a cloud provider, a hardware manufacturer, or a software house. Often, a vendor’s product is itself comprised of ‘bits’ from other vendors.
How do you go about securing this vendor chain?
Harshit Mistry, Manager, Cyber Security at EY recommends that, “Organisations should implement a third party tiering which can be created using parameters like location of services, number of records accessed, data type accessed, etc.”
“Tiering of the third parties can help determine the frequency of controls assessment and the level of evidence required to ascertain the security posture of third parties. They should review the third party contract and ensure the cyber risk at third parties is managed and contained to reduce the cascading impact on the organisation in case of a security incident at third parties.”
Every bit of data counts
Think that random little thing you’re working on or emailing about isn’t of interest to someone else? Think again.
Adam Fabian, Cyber Response Manager at Telstra can’t stress this enough: “Everything has value! Some low, some high. Lots of low value things can add up to something of higher value.”
If an attacker gains enough pieces of a puzzle, they are able to put together a high-yield attack.
“You might be developing an app, a website or even drafting a document that you feel has no intrinsic value; however, criminals have an incredible knack at extracting value from these things! Documents can be exploited for internal information (emails, network information) that can be used for phishing campaigns or later access, apps can be used to host malware, and servers can be compromised to act as a proxy or stage exfiltrated data (the process of collecting data from a network to one point before it is finally sent externally).”
Remember: “Not all ‘hacks’ are big data breaches. Most are small, quiet and form the part of a bigger chain that allows malicious actors to operate in anonymity.”
Lock down all data. Every little bit counts.
As Richard Watson, Lead Partner APAC Cybersecurity Risk Management at EY wisely says, “The biggest threat today is not outside your organisation. It might not even be an attack. The biggest threat comes from your employees, trusted insiders, and supply chain.”
There are various insider threats that organisations should be prepared for.
Watson outlines various accidental breaches, a common occurrence in industry.
“An employee accidentally emails confidential customer information outside of the organisation, a contractor accidentally brings down the corporate website by promoting defective code to the live environment, a supplier to the organisation stores sensitive corporate information on a laptop or hard drive that gets lost or is stolen.”
This requires a multi-layered security approach and various identity management techniques, trust keys and controls for sensitive information.
In an age where we have more access to the world’s information than ever before, there is now also more disinformation than ever before. And when disinformation is being spread for a purpose, whether it’s insidious, or simply to cause doubt or confusion, it can leave people uncertain in who or what to trust.
Cyber revenge from a disgruntled employee, or from a less-than-moral competitor, has the ability to do reputational damage to a company, whether it’s via a ‘leak’ to the press or by setting up an anonymous social media group or website to spout maybe-true-maybe-not-true information.
When online personal attacks have been normalised without repercussions, and litigation is an expensive exercise that may not reverse the damage done, we find ourselves at a loss.
These types of attacks are unsophisticated, but can have a significant impact if they manage to gain traction. The antidote? Keep employees happy (use truly anonymous employee satisfaction surveys), make sure that you are really following workplace vision and values, and stay on top of company mentions online, so you can mitigate the effects as soon as possible.
The malicious insider
In a recent survey by Deep Secure, it was found that 45% of employees would be willing to sell corporate information for the right price – a seriously worrying stat!
How do you prevent this? Again, it’s about strengthening employee faith in the company and its bonds, and making sure that systems are locked down enough that devastating damage cannot be done. Implementing various levels of access for employees, like they do in government departments – on a need-to-know basis – is a clever move.
As Yi Fang Chua, Director, Advisory at EY says, “People are the weakest link of an organisation in the People, Process, Technology triad. Advanced technology and security practices, regardless, will always be constrained by the human factor.”
And further on to the future…
There’s so much more that we could talk about here. The threat to current cryptography from quantum computing. How governments are influencing people of other nations through social engineering techniques online (and becoming more clever about it through AI). The supply chain of technology leading back to (potentially) compromised hardware manufacturers, leaving us all without a leg to stand on. Or how about digital companies still trying to create walled gardens instead of the open source future we’d dreamed of just a few short years ago?
The future of cybersecurity is going to be an amazing space to be in – if you have a keen interest in problem solving, risk analysis and deep dives, and the ability to think like your adversarial opponent.
A career for 2020 and beyond
Cybersecurity and cyber risk management will continue to grow and diversify over the next decades. You could be a network penetration tester, a cyber risk analyst, a cyber insurance developer, or a social engineer. The career choices afforded to those with an interest in cybersecurity are boundless. Take a look at job opportunities below to see if there’s a role with your name on it.