Organizations from SME to Enterprise are reviewing and modernizing their security strategies in a threat landscape that continues to dynamically evolve in scope, scale and sophistication, especially with the rapid advance of digital transformation from hybrid working, to Software-As-A-Service (SaaS) adoption and Bring-Your-Own-Device (BYOD) diffusion.
Resilience to vulnerabilities is an imperative and the focus is on exactly this – raising awareness to build resiliency – with the aim of helping organizations of any size proactively enhance their security posture. With the CSAM theme this year being ‘It’s Easy to Stay Safe Online – See Yourself in Cyber’, we will explore the key vectors of change impacting Cyber Security today, with resources and tips on actions everyone can take to better negate the risk.
Pillars of Security – Getting the Fundamentals Right
Cyber-attackers will always choose the path of least resistance. So, attention to security at the password level remains a key first step in keeping information safe – putting this into context, over 40% of breaches now involve stolen credentials with the number available on the dark web exceeding a staggering 24 billion! This was recently brought center stage by the extensive ripple effect caused by attacks on Uber, from logistical delays to customer dissatisfaction, through to lost driver income, and of course organizational costs from income to reputation, and ultimately trust. It is understood that the employee corporate credentials of an Uber EXT contractor were purchased on the dark web after their personal device had been compromised with malware. So, what can we learn from this?
Firstly, use unique, complex phrases for passwords with a mix of upper and lowercase letters, numbers and characters, and make sure to change this often, as recently discussed by Laura Shafer, Vice President of Product Marketing at 11:11 Systems. Additionally, using multi-factor authentication (MFA) and two-factor authentication (2FA) can make it harder for attackers to access your device, even if they have your login details. However, not all MFA approaches are made equal! For critical internal accounts within organizations, such as those of the C-Suite who are increasingly subject to attacks, the use of hardware tokens and FIDO passkeys is recommended.
This can especially increase resiliency to techniques such as phishing, an attack that some 89% of organizations have experienced in the past year alone (HYPR 2022). With MFA or 2FA in place, it becomes much harder for attackers to create fake login pages to collect unsuspecting employee credential information, which appears to have been the case with Uber. Put simply, multi-factor authentication (MFA) is not optional anymore – it’s imperative – and beyond this it also heralds an acceleration in innovation and availability around passwordless Sign-Ins altogether.
Finally, and supporting the ever-present need to couple technology solutions with education and awareness, MFA Fatigue should also be acknowledged. These attacks involve the end user being bombarded with verification notifications and are reliant on their ability to approve a simple SMS, Voice or Push notification without having any context of the session they are actually authenticating. This also formed part of the Uber attack, in which MFA Fatigue combined with social engineering enabled its success – in this case the attacker posing as tech support via WhatsApp and telling the user to accept the MFA verification prompt. This naturally makes Social Engineering our next area of focus!
Social Engineering and Cloud Computing
Employing psychological tricks that exploit vulnerabilities in how people react to specific situations and change their behaviours, social engineering attacks come in 5 core types, namely phishing, watering hole attacks, business email compromise (BEC), physical social engineering and USB Fraud. In 2021, more infections were caused by phishing attacks than any other vector. Innovation in areas such as Deepfakes, which employ AI technology to create fraudulent recordings, videos or images of real people, has made phishing attacks even more difficult to detect.
This attack vector is also a significant contributor to cloud security concerns. In the Foundry’s 2022 Cloud Computing Survey, some 35% of IT decision makers listed data privacy and security as their top cloud challenge. Additional research by Kaspersky Lab finds that around 33% of cybersecurity cloud incidents can be attributed to social engineering techniques. To address this, investment in zero-trust infrastructure can limit the potential damage of these and other threats, both internal and external to your organization. It also heightens focus on the benefits of Infrastructure as a Service (IaaS) platforms which bring together the need for security, agility, flexibility, visibility, and scalability, as exemplified by 11:11 Cloud.
Empowering and educating all staff, not just those in tech-facing roles, is also key here – cybersecurity is a shared responsibility for everyone and support to enable this must be addressed across technology, culture, process and skills perspectives. This is especially true around topics such as Social Engineering, which absolutely preys on human nature and trust. As an example, how many people do you know who have received training in psychological manipulation as part of their organization onboarding process?
Probably not many…
Unpatched Software and Testing
Additionally, lapses in appropriate and effective vulnerability management are a leading concern, especially around levels of unpatched software. During the height of the pandemic, research showed many organizations were regularly delaying patch updates (IBM 2021) and now an additional study shows as many as 66% of organizations have a vulnerability backlog of an eye-watering 100K bugs! Reflecting back on the issues discussed related to passwords, this is another example of ensuring that basic cyber hygiene is embedded by design.
And beyond this, greater attention must be placed on testing. As an example, recent research by Noname Security shows a clear disconnect, or even a level of denial here, with just 11% of respondents testing APIs for signs of abuse in real-time – yet 67% stating they are confident that their DAST and SAST tools are capable of testing APIs. Validating the reality of disaster recovery is another area where extensive testing is essential. Recommendations include involving scenario- or event-based testing, even to the level of providing application testing and end-user testing in some cases to ensure a robust, well-planned and validated strategy.
NIST Framework Resource
And finally, the NIST Cybersecurity Framework is highly recommended to help protect your business through shared best practice. Now downloaded over 1.7 million times, the framework outlines a strategy to better understand your organisation’s security risks, protect against them and, in the event of an attack, how to better triage, respond and recover. The framework holistically covers five core function areas – Identify, Protect, Detect, Respond and Recover. Putting this into context to highlight its real-world applicability, and taking Identify as an example, it is critical to know the who/what/where of your data storage, application and system links, role access and more.
Automation tools such as Continuous Risk Scanning can be very effective, helping to discover security vectors that were previously unknown, identifying the most significant risk areas, and ensuring you ‘get on the right path’ for enhanced protection and more active security intelligence. When we consider that half of all organizations have not put a cybersecurity risk plan in place, taking that first step today has never mattered more!
Cybercrime exists in a world of constant change and today’s surge in cybercriminal activity directly correlates to the increase in the attack surface. Last year alone, cybercrime rose more than 15% and so, it is abundantly clear that this focus has never been more important, and indeed must be an all year round imperative. A multi-layered approach to both proactive prevention and real-time response is key, combining automated protection and mitigation with a human perspective by design. To find out more about how 11:11 Systems supports Cloud, Connectivity and Security more information is freely available here.
All questions and feedback most welcome, Sally
About the Author
Prof. Sally Eaves is a highly experienced chief technology officer, professor in advanced technologies, and a Global Strategic Advisor on digital transformation specializing in the application of emergent technologies, notably AI, 5G, cloud, security, and IoT disciplines, for business and IT transformation, alongside social impact at scale, especially from sustainability and DEI perspectives.
An international keynote speaker and author, Sally was an inaugural recipient of the Frontier Technology and Social Impact award, presented at the United Nations, and has been described as the “torchbearer for ethical tech”, founding Aspirational Futures to enhance inclusion, diversity, and belonging in the technology space and beyond. Sally is also the chair for the Global Cyber Trust at GFCYBER.
On email security in the era of hybrid working
With remote working the future for so many global workforces – or at least some kind of hybrid arrangement – is there an impact on email security we are all missing? Oliver Paterson, director of product management at VIPRE Security, believes so.
“The timeframe that people expect now for you to reply to things is shortened massively,” says Paterson. “This puts additional stress and pressure on individuals, which can then also lead to further mistakes. [Employees] are not as aware if they get an email with a link coming in – and they’re actually more susceptible to clicking on it.”
The cybercriminal’s greatest friend is human error, and distraction makes for a perfect bedfellow. The remote working calendar means that meetings are now held in virtual rooms, instead of face-to-face. A great opportunity for a quick catch up on a few emails during a spot of downtime, perhaps? It’s also a great opportunity for an attacker to make you fall for a phishing attack.
“It’s really about putting in the forefront there that email is the major first factor when we talk about data breaches, and anything around cyberattacks and ransomware being deployed on people’s machines,” Paterson says around education. “We just need to be very aware that even though we think these things are changing, [you] need to add a lot more security, methods and the tactics that people are using to get into your business is still very similar.
“The attacks may be more sophisticated, but the actual attack vector is the same as it was 10-15 years ago.”
This bears true in the statistics. The Anti-Phishing Working Group (APWG) found in its Phishing Activity Trends Report (pdf) in February that attacks hit an all-time high in 2021. Attacks had tripled since early 2020 – in other words, since the pandemic began.
VIPRE has many solutions to this age-old problem, and the email security product side of the business comes primarily under Paterson’s remit. One such product is VIPRE SafeSend, which focuses on misaddressed emails and prevents data leakage. “Everyone’s sent an email to the wrong person at some point in their life,” says Paterson. “It just depends how serious that’s been.”
Paterson notes one large FMCG brand, where a very senior C-level executive had the same name as someone else in the business much lower down. Naturally, plenty of emails went to the wrong place. “You try and get people to be uber-careful, but we’ve got technology solutions to help with those elements as well now,” says Paterson. “It’s making sure that businesses are aware of that, then also having it in one place.”
Another part of the product portfolio is with EDR (endpoint detection and response). The goal for VIPRE is to ‘take the complexities out of EDR management for small to medium-sized businesses and IT teams.’ Part of this is understanding what organisations really want.
The basic knowledge is there, as many organisational surveys will show. Take a study from the Enterprise Security Group (ESG) released in October in terms of ransomware preparedness. Respondents cited network security (43%), backup infrastructure security (40%), endpoint (39%), email (36%) and data encryption (36%) as key prevention areas. Many security vendors offer this and much more – but how difficult is it to filter out the noise?
“People understand they need an endpoint solution, and an email security solution. There’s a lot of competitors out there and they’re all shouting about different things,” says Paterson. “So it’s really getting down to the nitty gritty of what they actually need as a business. That’s where we at VIPRE try to make it as easy as possible for clients.
“A lot of companies do EDR at the moment, but what we’ve tried to do is get it down to the raw elements that every business will need, and maybe not all the bells and whistles that probably 99% of organisations aren’t going to need,” Paterson adds.
“We’re very much a company that puts a lot of emphasis on our clients and partners, where we treat everyone as an individual business. We get a lot of comments [from customers] that some of the biggest vendors in there just treat them as a number.”
Paterson is speaking at the Cyber Security & Cloud Expo Global, in London on December 1-2 around the rising threat of ransomware, and how the security industry evolves alongside this threat. Having a multi-layered approach will be a cornerstone of Paterson’s message, and his advice to businesses is sound.
“Take a closer look at those areas, those threat vectors, the way that they are coming into the business, and make sure that you are putting those industry-level systems in place,” he says. “A lot of businesses can get complacent and just continue renewing the same thing over and over again, without realising there are new features and additions. Misdelivery of email is a massive one – I would say the majority of businesses don’t have anything in place for it.
“Ask ‘where are the risk areas for your business?’ and understand those more, and then make sure to put those protection layers in place to help with things like ransomware attacks and other elements.”