The security picture has changed. While the trajectory of trends remains consistent, the context has changed in two critical ways. Firstly, the global pandemic has transformed how we work, and secondly, the world’s most notorious cybercrime sponsor has started a war.
A Russian state-level attack would likely target critical infrastructure including banking, payments and trading systems, communications networks, the energy sector, healthcare, and transportation. Combine this possibility with a steep increase in cybercrime across the lockdown years and we have the potential for a perfect storm. Our focus at JP Reis is banking, but infrastructure failures at the highest level tend to affect each other, and the key vulnerability common to all of them is cyber-attack.
What We Said in 2019 – Updates:
We warned about spear-phishing emails impersonating CEOs. Two multimillion dollar examples on this page explain why.
We talked about ransomware and cyber insurance. CNA paid out $44M in May ’21 but maybe the most notorious case was the Colonial Pipeline Attack because downtime, disruption and reputational damage are generally more expensive than the ransom itself.
We highlighted privacy laws as a likely source of fines for companies in all industries. Amazon and WhatsApp incurred huge fines and there was a significant penalty for Zoom. With cyber attacks costing trillions of dollars yearly, it is likely that regulations will start to toughen in 2022, with rules limiting ransomware pay-outs and penalties for vulnerabilities as well as for breaches.
The Internet of Things has grown quickly and is expected to see 18M connected devices in 2022. Vulnerable devices can simplify criminal access to networks and then to rich data sources. Despite worrying stories about baby monitors, TVs and doorbells, the biggest threat is in industrial rather than domestic settings. Edge devices, which process data close to its collection point, also increase risk. Read about Mesh Security below.
As ever, security threats are growing and defense budgets are expanding. Bank of America was spending $1B a year on cybersecurity measures even before the Ukraine situation exploded. So, rather than examining the finer detail, we just want to look at the most prevalent trends for 2022, the main threats and some of the best ways to counteract them. There are numerous types of cyberattack, but the two most prevalent and headline-catching are still Denial of Service and Ransomware, both of which can make services unavailable.
Denial of Service
Denial of Service [DoS] attacks can be roughly categorized as Volumetric, Protocol Layer or Application Layer, depending on which aspect of a system they target. A distributed denial-of-service attack [DDoS] disrupts businesses at the point of service by overwhelming the bandwidth or capacity of systems. A botnet comprising thousands of infected devices sends bogus messages, connection requests or fake packets to the target server, service, website, or network until it fails and cannot respond to legitimate service requests. The proliferation of connected devices and the advent of remote working mean many more unsecured devices are vulnerable to infection and recruitment as bots unless careful steps are taken. The size, complexity and ambition of these attacks grew in 2021, and the largest ones tend to be multi-vectored.
Financial Services is a prime target for DDoS attacks along with Healthcare, Government, Gaming etc. Downtimes vary from minutes to days but the main target industries are very sensitive to even the shortest outages. A smaller DoS attack can be a diversionary tactic to draw attention away from something even more destructive.
Ransomware
Ransomware is a specific type of malware attack in which files are locked using cryptography and an untraceable ransom is demanded to stop the files being either destroyed or made public. Phishing attacks are the typical deployment vectors for ransomware. The more targeted “spear phishing,” for example when CEOs are targeted or impersonated, is on the rise. Mobile phishing, aka mishing, is also an emerging trend. A worrying development, exacerbated by remote working, is the use of USB devices as a delivery vector. A recent PWC survey found that over 60% of UK executives expected the number of reportable ransomware attacks on their companies and cloud suppliers to increase in 2022 and were therefore increasing security budgets.
Our 2019 blog highlighted how cybersecurity insurance could actually increase your risk of a ransomware attack while lowering the risk of a calamitous outcome. Many attacks of this nature end with a payment. Despite some enormous policies being written and a global industry that is set to turn over $20B in 2025, industry is generally felt not to be suitably covered. Many insurers are hesitant to underwrite cyber policies, especially when clients struggle to quantify the risk. As a result, risk tends to be concentrated among 4 main reinsurers. Law enforcement agencies like the FBI advise against making payments, and Gartner is among the organizations predicting widespread legislation to regulate ransomware payments over the next two years.
The Florida Water Treatment Attack was a ransomware example in which the hackers managed to raise the toxicity level of the public water supply in the vicinity of the Super Bowl, 2 days before the event. Access was gained through the abuse of remote access credentials that had been shared between employees using a TeamViewer account that was not securely configured.
This post isn’t cybersecurity 101, so we aren’t running through network security, firewalls, and redundancy protocols. 96% of phishing attacks are still delivered by email, 3% by malicious website and 1% by phone. As ever, the most effective method of protection is for staff to be informed and vigilant. This has been consistent since the dawn of cybercrime. We’ve listed some good advice at the bottom of the post, but we want to talk about other developments first.
In 2020 we talked about micro-segmentation, which prioritizes the level of security applied to different assets within the increasingly irrelevant network perimeter wall. Workloads are protected individually and lateral communication between servers is blocked by default. This approach enables a workable level of user experience while maintaining extremely high levels of protection for the most critical data, applications, and services.
Mesh Security has a similar aim and its growth has been catalyzed by the combination of remote working and the increasing use of internet-connected devices outside of the nominal perimeter wall. The notion of a perimeter is redefined to apply to individual people and devices. Mesh will support the majority of identity and access management [IAM] requests in a scalable and consistent way. Due to the evolving nature of distributed networks, it is likely that IAM application services will be handed over to managed service providers who will be best placed to develop identity proofing tools and to establish best practice for decentralized identity standards.
Bad actors typically target busy systems with heavy streams of events because they provide the best chance of access, disruption and, in the early stages, evasion of detection. AI and machine learning can empower them to dynamically enhance and fine tune their attacks. Identifying anomalous behavior in financial trading environments is a key use case for AI. The ability to monitor complex systems has seen larger companies investing in AI for internet security which will become increasingly essential as criminals invest in the same technology. This area of development is behind some of the big jumps in security spending.
Supply Chain Risk
Partners and suppliers are a potential source of risk. It’s not just concerns about organizations from authoritarian states, like those people have with China’s Huawei, but any company that is either compromised in such a way that it presents a risk to clients, or that remains too vulnerable to this happening. Information Security policy is already an important criterion in vendor selection processes and will tend to become the primary factor. It’s not only the threat of security breaches and malware: the new regulatory environment means that failure to follow privacy conventions can also risk high-value fines (see the box above). It is thought that privacy laws will apply to 75% of the world’s population within 3 years. Demonstrating data security is not a one-off task to be completed at the start of a contract. For this reason, an industry is already growing to facilitate compliant supplier relationships.
Preparing the Workforce
The threat of Russian cyberattacks provides an engaging context against which to remind companies and individuals that they need to be vigilant. We have seen that organizations will hire managed security services; cloud-based DDoS protection is especially useful for a tiny sacrifice of latency. Companies may also hire cybersecurity experts to help protect client and employee information, and visible assets like websites and social media accounts, to prevent them being exploited. Part of the work of external consultants may be to help train staff: the Colonial Pipeline hack was the result of a single compromised password, and this underlines the importance of individual discipline and vigilance.
Some things can be imposed: secure passwords, multi-factor authentication and automated software updates are simple aspects of best practice. There should also be strict guidelines on device and app usage, especially for anyone working remotely. The real key is engagement.
Although as a group they are your largest vulnerability, employees can be trained to spot the signs of a DDoS attack, providing an extra layer of monitoring. All companies should have clear plans of action for DDoS, with clearly defined responsibilities and lines of communication. The quicker that action can be taken, the less damage there will be.
We recommend on-going security awareness training and frequent, impactful, bitesize nuggets of information: “hover over the URL to see where it really goes,” “charity messages at times of crisis are a known phishing tactic,” “if in doubt, report it.” One-off training sessions may be best delivered by external consultants to reduce the impression that the issue is owned by one department. Flipping that around, the introduction of cybersecurity ambassadors in every team across an organization also breaks down the perception barrier. If this seems onerous, consider that a cybersecurity ambassador arguably protects against far larger and more common risks than a first aider or fire warden. An ambassador has the opportunity to make cybersecurity a collective, on-going effort, and to communicate new threats, social engineering techniques, and best practices effectively.
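The “hover over the URL” tip can also be automated as a mail-gateway check: compare the address an email link displays with the address it actually points to. This is an added example, not JP Reis code; the sample email body and the hostnames in it are constructed for illustration.

```python
"""Flag email links whose visible text names one host while the href goes
to another (the automated form of "hover over the URL to see where it goes").
Added example with a constructed sample email; not code from the original post."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample: an honest link, a deceptive one whose visible text names
# the bank but whose href points elsewhere, and an opaque "click here" link.
SAMPLE_EMAIL = """
<p>Please review your statement at
<a href="https://login.example-bank.test/statement">https://login.example-bank.test/statement</a></p>
<p>Urgent: verify your account at
<a href="http://example-bank.test.evil-host.invalid/verify">https://www.example-bank.test/verify</a></p>
<p>Donate to crisis relief: <a href="https://relief.charity.test/donate">click here</a></p>
"""

_DOMAIN_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def displayed_host(text):
    """Hostname a reader would infer from URL-looking anchor text, else None."""
    m = _DOMAIN_RE.match(text.strip())
    return m.group(1).lower() if m else None

def find_mismatched_links(html):
    """Return (visible_text, href) pairs where the shown host is not the real one."""
    parser = _LinkCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.links:
        shown, actual = displayed_host(text), (urlparse(href).hostname or "").lower()
        # Only URL-looking text can mislead; a subdomain of the shown host is honest.
        if shown and actual and shown != actual and not actual.endswith("." + shown):
            mismatches.append((text, href))
    return mismatches
```

Run on the sample, only the second link is reported; a real deployment would feed it the HTML part of each inbound message and quarantine or annotate hits for the reader.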
People should be encouraged, rewarded, and made to feel safe to report issues, especially when they think they’ve made a mistake. Hiding a breach out of fear of repercussions can give an attack that could have been contained a much greater blast radius. Once again, having someone in the team to report to can make this easier. Alternatively, some kind of panic button or hotline should be in place.
The growth of cybersecurity will continue in lockstep with the growth of threats. It is our shared responsibility to protect against them, and a company’s duty not only to provide protection but to empower its workforce to do the same.