Cybersecurity Awareness Month is the yearly reminder for us all to re-evaluate and tighten our cyber hygiene. But after witnessing a shift from the individual and targeted nature of attacks through to the exponential rise in phishing, ransomware and lateral movement in every corner of the digital world, there is an urgent need to get a grasp of this ‘next normal’. As we realise the extent of damage that can come from an attack on our digital resources, it’s also time to shift our understanding of who carries the responsibility.
Almost every business will suffer a breach in its lifetime, so the onus is now on identifying where to minimise damage, and to make a collective effort across an organisation to keep security tight rather than leaving it to the folks in IT. In this article, top industry experts explore the threat landscape and how we can collectively protect against it.
Adapting cyber defences in line with new tech adoption
Paulo Henriques, Head of Cyber Security Operations at Exponential-E, leans towards the use of automation to keep up with the always-on approach hackers are taking. He says, “hackers monitor the web 24/7 hunting for any vulnerabilities they can take advantage of, so businesses can never rest. It’s absolutely paramount that businesses have processes in place to constantly monitor, manage and test their cyber security posture. This means taking a proactive stance to security, and automation can be a big help. Many tools now make use of AI, data analytics, and machine learning to identify threats before attacks have been conducted, which makes a massive difference in reducing cyber risks and mitigating vulnerabilities. While the human element is still crucial in understanding the context, meaning and intent of cyber-attacks, automation is able to extend human ability to process, analyse, and interpret data in mass volume, which saves time and money and greatly reduces the chances of a malicious actor bypassing cyber security processes.”
Simon Horswell, Fraud Specialist Manager, Onfido, agrees that current defences are falling short. He thinks that, “like the everyday consumer, fraudsters have embraced the shift to online-first services but with new and sophisticated tactics that are becoming harder to detect and protect against”. He adds, “the consequences of a breach now reach beyond rebuilding IT infrastructure. With new forms of phishing, replay, or online impersonation, fraudsters are eroding trust in the online space and causing a breakdown in the relationship between consumers and businesses. In fact, over a third (39%) would now withhold personally identifiable information when engaging with businesses online.”
Despite the need for new means of protection, Anubhav Aurora, Vice President, Security Engineering, Cradlepoint adds that a lack of certainty around the security of new projects can lead to hesitation over adopting new tech. He says, “while many businesses are keen to adopt new technologies, such as 5G and IoT, many IT and cybersecurity teams lack an overall understanding of how different technologies work together and will hesitate on widescale adoption as they would not have had the time to evaluate security architectures specific to 5G. Therefore, they would bode well to consider how DevSecOps is implemented, what security features are native to the product, and if those features integrate well with the existing technology ecosystem as well as the enterprise security ecosystem.”
Aaron Rosenmund, Director of Security Research and Curriculum at Pluralsight, thinks that the threat to business extends as tech is adopted throughout a digital transformation. He says, “as organisations continue digital transformation efforts and migrate to the cloud, they face new security and data protection issues. Meanwhile, the threat landscape continues to advance. In response, cloud security must be top of mind, as loss of revenue, reputation and business continuity are all serious risks when data is compromised. According to our recent State of Cloud Report, just under half (45%) currently see concerns around security as their biggest challenge to cloud maturity.”
Engaging employees with cybersecurity training
Gareth Jehu, CTO at Com Laude, raises the point that companies have a responsibility to continually train and educate their employees. He comments, “there is a lot more investment going into security awareness training, and there are a multitude of platforms and providers that can help organisations by simulating a phishing attack, educating staff and users on how to identify and deal with them”. That said, he believes things are constantly changing. He adds, “businesses must keep on top of educating people on the latest trends – not least for their own financial protection but for the reputation of the business going forward.”
David Higgins, Senior Director, Field Technology Office at CyberArk, considers the resurgence of phishing as a serious attack vector for businesses, but believes employee training is having a positive impact. He says, “phishing attacks are pervasive. Fortunately, employees have come a long way in spotting phishing attempts, especially those of the email variety and only 2.9% of employees may click on phishing emails. Yet recent attacks on large firms have proven just how sophisticated multi-pronged phishing schemes have become.”
Ian McShane, Vice President of Strategy at Arctic Wolf, thinks ultimately there are ‘5 Ps of success’ that organisations should follow when it comes to cyber defences. He says, “business leaders must help their organisations understand how to respond in the event of an attack or security incident. Planning and practicing how the response *should* work and who makes critical decisions can be the difference between an attack and an expensive breach. Start with determining the true extent of the damage. Which services have been affected, and what recovery options are available?”
No industry is exempt from cyber risk
While cybersecurity should be a concern for all industries, Zach Powers, Chief Information Security Officer at Benchling, points out that some sectors are more desirable to attackers than others. He states, “the biotech and biopharma industries have some of the highest consumer safety ratings due to continued investments in quality, data integrity, and compliance. In contrast, the industries do not stack up as well from a security perspective, due to lagging investment in security and legacy approaches to security. In 2021, 98% of pharmaceutical companies experienced at least one intrusion. This doesn’t mean that all of those companies had their IP stolen, but it does mean a threat actor was active inside their systems. Security and consumer safety need to be weighted more equally.”
The people behind cyberattacks are changing, too, according to Tom Clowes, Head of IT at Grayce. He points out, “we’ve seen a rise in state-sponsored attacks over amateur hacktivist groups, and businesses are not exempt from this threat. Organisations would do well to arm themselves with support from organisations, such as the National Cyber Security Centre, to mitigate these risks.”
Understanding who is responsible for cybersecurity
Rick McElroy, Principal Cybersecurity Strategist at VMware, concludes that defence tactics must evolve in line with the threat landscape. He says, “as cybercriminals evolve their tactics, we all must recognise the role we play in cyber and view it as everyone’s responsibility. For security professionals and their organisations, this means evolving defence strategies and updating training curriculum to address emerging threats. For example, training on how to spot and avoid audio and video deepfakes is not part of most security awareness training programs, despite two-thirds of defenders witnessing a deepfake attack over the past year.”
This sentiment is echoed by David Warburton, who leads Threat Research at F5 Labs and who highlights the shared responsibility for cybersecurity. “Everyone now has a duty to themselves and fellow citizens to understand and practise good security basics. This includes creating unique and strong passwords for every site. Today, passwords are still one of the biggest weaknesses of modern-day computing and are the root cause of most data breaches.” He adds, “We often re-use the same password from site to site to keep things simple. Attackers, therefore, don’t even need to use powerful computers to guess billions of passwords a second. They can just download a list of the most commonly used passwords and use those to try and access your account. These attacks, known as credential stuffing, typically only have a 1-3% success ratio, but to an attacker who has time and patience on their side, that could still result in malicious access to thousands of bank accounts, corporate networks, or personal emails.”
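The credential stuffing pattern described above (one source trying a password list against many accounts, with a success ratio in the low single digits) has a recognisable signature in authentication logs, and the "list of the most commonly used passwords" it relies on can be turned against it by refusing such passwords at sign-up. The following Python is an added example, not code from the article or from F5 Labs: the `src=... user=... result=...` log format, the sample log lines, the deny list and the detection thresholds are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of authentication log lines (assumed format, not real data).
# 203.0.113.7 sprays ten different accounts and lands one success; the other two
# sources look like an ordinary user retrying their own password.
SAMPLE_LOG = """\
2023-10-02T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2023-10-02T09:00:02Z src=203.0.113.7 user=bob result=FAIL
2023-10-02T09:00:02Z src=203.0.113.7 user=carol result=FAIL
2023-10-02T09:00:03Z src=203.0.113.7 user=dave result=SUCCESS
2023-10-02T09:00:03Z src=203.0.113.7 user=erin result=FAIL
2023-10-02T09:00:04Z src=203.0.113.7 user=frank result=FAIL
2023-10-02T09:00:04Z src=203.0.113.7 user=grace result=FAIL
2023-10-02T09:00:05Z src=203.0.113.7 user=heidi result=FAIL
2023-10-02T09:00:05Z src=203.0.113.7 user=ivan result=FAIL
2023-10-02T09:00:06Z src=203.0.113.7 user=judy result=FAIL
2023-10-02T09:01:00Z src=198.51.100.4 user=alice result=FAIL
2023-10-02T09:01:05Z src=198.51.100.4 user=alice result=FAIL
2023-10-02T09:01:09Z src=198.51.100.4 user=alice result=SUCCESS
2023-10-02T09:02:00Z src=192.0.2.9 user=bob result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source counters: total attempts, distinct accounts tried, accounts logged into."""
    attempts: int = 0
    users: set = field(default_factory=set)
    success_users: set = field(default_factory=set)


def parse_auth_log(text):
    """Aggregate log lines by source address; lines that do not match the format are skipped."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["src"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "SUCCESS":
            s.success_users.add(m["user"])
    return stats


def find_credential_stuffing(stats, min_attempts=8, min_distinct_users=5, max_success_ratio=0.2):
    """Flag sources whose activity matches stuffing: many attempts spread across many
    distinct accounts with a low success ratio. Thresholds are assumed values; a
    single user retrying their own account never trips the distinct-user bar."""
    suspects = {}
    for src, s in stats.items():
        ratio = len(s.success_users) / s.attempts
        if (s.attempts >= min_attempts
                and len(s.users) >= min_distinct_users
                and ratio <= max_success_ratio):
            suspects[src] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "success_ratio": round(ratio, 3),
            }
    return suspects


def compromised_accounts(stats, suspects):
    """Accounts successfully logged into from a flagged source: candidates for a
    forced password reset and session revocation rather than a silent alert."""
    hit = set()
    for src in suspects:
        hit |= stats[src].success_users
    return hit


# Constructed deny list standing in for a real breached/common-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def is_common_password(candidate, deny_list=COMMON_PASSWORDS):
    """Reject passwords that appear in the common-password list, the same list an
    attacker would feed a stuffing tool; case and surrounding whitespace are ignored."""
    return candidate.strip().lower() in deny_list


if __name__ == "__main__":
    stats = parse_auth_log(SAMPLE_LOG)
    suspects = find_credential_stuffing(stats)
    print("suspect sources:", suspects)
    print("accounts to reset:", compromised_accounts(stats, suspects))
    print("'Password' allowed?", not is_common_password("Password"))
```

The three checks together cover the quote's point from the defender's side: the flagged source is the one spraying a password list across accounts, the single account it got into is the one that needs a reset, and the deny-list check removes the easy wins before the list is ever tried.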
It’s clear that cybersecurity should be a high priority for all businesses and ingrained in all of their operations, but that doesn’t mean we should be complacent. Keeping a close watch on the latest insights and strategies can help keep us safe in a dangerous cyber world. This Cybersecurity Awareness Month, take note of insights from the industry experts to stay one step ahead.
Jesse Pitts has been with the Global Banking & Finance Review since 2016, serving in various capacities, including Graphic Designer, Content Publisher, and Editorial Assistant. As the sole graphic designer for the company, Jesse plays a crucial role in shaping the visual identity of Global Banking & Finance Review. Additionally, Jesse manages the publishing of content across multiple platforms, including Global Banking & Finance Review, Asset Digest, Biz Dispatch, Blockchain Tribune, Business Express, Brands Journal, Companies Digest, Economy Standard, Entrepreneur Tribune, Finance Digest, Fintech Herald, Global Islamic Finance Magazine, International Releases, Online World News, Luxury Adviser, Palmbay Herald, Startup Observer, Technology Dispatch, Trading Herald, and Wealth Tribune.