Cybercrime, DDoS, IoT – what should you pay attention to next year?
1. Increase in crime, espionage and sabotage by rogue nation-states
With the ongoing failure of significant national, international or UN level response and repercussion, nation-state sponsored espionage, cyber-crime and sabotage will continue to expand. Clearly, most organisations are simply not structured to defend against such attacks, which will succeed in penetrating defences. Cybersecurity teams will need to rely on breach detection techniques.
2. GDPR – The pain still to come
The 25th of May, 2018 has come and gone, with many organizations breathing a sigh of relief that it was fairly painless. They’ve put security processes in progress and can say that they are en route to a secure situation – so everything is OK?
We are still awaiting the first big GDPR penalty. When it arrives, organizations are suddenly going to start looking seriously at what they really need to do. Facebook, BA, Cathay Pacific, etc. have suffered breaches recently, and will have different levels of corporate cost as a result, depending on which side of the May 25th deadline they sit. So GDPR will still have a big impact in 2019
3. Cloud insecurity – it’s your head on the block
Cloud insecurity grew in 2018 and, unfortunately, it will carry on growing even more in 2019. Increasing amounts of data are being deployed from disparate parts of organizations, with more and more of that data ending up unsecured.
Despite the continual publicity around repeated breaches, the majority of organizations do not have good housekeeping deployed and enforced across their whole data estate in the cloud. To give an idea of the scale, Skyhigh Networks research indicated that 7 percent of S3 buckets are publicly accessible and 35 percent are unencrypted.
4. Single factor password – the dark ages
As if we need the repetition, single-factor passwords are one of the simplest possible keys to the kingdom (helped by failure to manage network privileges once breached). Simple passwords are the key tool for attack vectors, from novice hackers right the way up to nation-state players. And yet they still remain the go-to security protection for the majority of organizations, despite the low cost and ease of deployment of multi-factor authentication solutions. Sadly, password theft and password-based breaches will persist as a daily occurrence in 2019.
5. Malware – protect or fail
Ransomware, crypto mining, banking Trojans and VPN filters are some of the key malware challenges that continue to threaten businesses and consumers. Live monitoring by Malwarebytes, Kaspersky and others, has shown that the mix of threats varies during the year, but the end result of malware threats will be a bad 2019.
Increasing sophistication will be seen in some areas such as ransomware, alongside new malware approaches and increased volumes of malware in other areas. Traditional AV will not provide sufficient protection. Solutions that have a direct malware focus are essential for organizations, alongside tracking of network activity (in and out of the network). With Cybersecurity Ventures predicting that ransomware damage costs will exceed $11.5 billion by 2019, it certainly won’t be going away. Oh yes, and make sure that your backup plan is working and tested.
6. Shift in attack vectors will drive cyber hygiene growth
The ongoing shift of attack vectors, from the network to the user, is causing a reappraisal of how to manage security. Driven partly by the shift in boardroom awareness, and partly by GDPR, many organizations are recognizing, perhaps belatedly, that their users are their weakest link.
Not only is there a greater awareness of the insider threat from malicious current and ex-staff, but there is also a growing recognition that staff cyber awareness and training is a crucial step in securing this vulnerable area. The response from organzations will take the form of cyber education, coupled with testing, measuring, and monitoring staff cyber behavior. Increasingly, Entity and User Behaviour Analytics (EUBA) systems will be adopted, alongside training programs and automated testing, such as simulated phishing and social engineering attacks.
7. IoT – the challenge will only increase
We’ve already seen some of the security challenges raised by IoT, but 2019 will significantly demonstrate the upward trend in this area. Driven by the convenience and benefits that IoT can deliver, the technology is being increasingly deployed by many organizations, with minimal thought by many as to the security risks and potential consequences.
Because some IoT deployments are well away from the main network areas, they have slipped in under the radar. In the absence of a standard, or indeed a perceived need for security, IoT will continue to be deployed, creating insecurity in areas that were previously secure. For the greatest percentage of IoT deployments, it is incredibly difficult or impossible to backfit security. This means that the failure to segment on the network will further exacerbate the challenges IoT will create in 2019 and beyond.
8. Increasing risks with shadow IT systems and bad housekeeping
Shadow IT systems continue to proliferate, as do the number of applications and access points into systems, including legacy applications. In the case of shadow IT systems, these are indefensible as they are; and in the case of increasing applications and access points, if they relate to old or abandoned applications, they are difficult to identify and defend.
In both cases, these are an easy attack surface with significant oversight, internal politics and budget challenges, and were previously seen as a lower priority for resolution. However, there has been both an increased awareness of the opportunity for attack via this route, and an increase in the number of attacks, which will accelerate in 2019.
9. DDoS – usually unseen, but still a nightmare
DDoS is the dirty secret for many organizations and attacks will continue to grow in 2019, alongside the cost of defending against them. Nevertheless, DDoS attacks aren’t generally newsworthy, unless a big name organization is involved, or the site is down for a long time. And, of course, the victim does not want to draw attention to their lack of defence. That’s not good for custom or for share prices.
The cost of launching an attack is comparatively low, often shockingly low, and the rewards are quick – the victim pays for it to go away. Additionally, cryptocurrencies have aided the money transfer in this scenario. Yet the cost for the victim is much higher than the ransom, as it involves system analysis, reconstruction and, naturally, defending against the next attack.
10. Cybersecurity in the boardroom
A decade, perhaps two decades, late for some organisations, cybersecurity is now considered a key business risk by the board. 2019 will see this trend accelerate as boards demand clarity and understanding in an area that was often devolved as a sub-component of the CISO’s role, and was not really a major topic for the boardroom. The financial, reputational and indeed C- Suite employment risks of cyber breach will continue to drive board focus on cybersecurity up the agenda.
Resource challenges and environmental contexts often force those in security to decide which method or methods to include in awareness campaigns – and in which quantities each should be employed.
In this post, we consider the four different types of security awareness training in turn, the pros and cons of each, and an alternative, increasingly favored approach.
1. Am I really a target?
Most cybersecurity awareness training begins by talking about security threats. It seems logical. But doing so may be a mistake – because of the human bias for optimism.
As people, we tend to harbour an inherent bias for optimism. Most of the time, it’s a helpful trait. When it comes to cybersecurity, though, our inherent bias for optimism means most of us struggle to imagine ever really being victims of cybercrime.
A good cybersecurity awareness campaign needs to address this upfront – because discussing threats is largely pointless unless message recipients believe the threats to be relevant and applicable to them. Cybersecurity awareness training should, therefore, begin by overcoming a key reservation to taking training seriously. It should begin by discussing why those taking the training are indeed targets.
2. Preventing identity theft
Identity theft remains the most prevalent form of cybercrime. As such, preventing identity theft is key to any good cybersecurity awareness training campaign. As well as information on preventing identity theft, cover the warning signs and the dangers of oversharing on social media.
It may also be worth demonstrating how simple it now is to steal an identity. Such demonstrations help make training emotional, and behavior change research shows emotions have an unrivalled ability to change the way people behave. Demonstrating how simple it now is to steal an identity can therefore change not just security awareness but security behaviors, too – which should be a key aim of any security awareness training campaign.
3. Passphrases and multi-factor authentication
Today, what constitutes a secure password is becoming increasingly clear. And yet, according to the password manager SplashData, 123456 is the most common password in use today.
Including information on passphrases – ie, secure passwords that are easy to remember – as well as teaching users how to create and remember them, is essential in any cybersecurity awareness training campaign. Be sure to include information on multi-factor authentication and build in time for people to update old passwords during training.
Increasing security awareness is one thing – but changing security behaviors should be the real aim.
4. Public Wi-Fi
The ongoing rise of remote working coupled with an increase in the prevalence of unsecured public Wi-Fi, make training on public Wi-Fi essential.
It’s definitely worth including stories to highlight the personal and professional risks presented by unsecured Wi-Fi. Stories such as that of Howard Mollett, who reportedly lost £67,000 in a conveyancing scam, are unlikely to be forgotten.
However, to really drive training content home, consider demonstrating the additional personal benefits that come from using VPN, such as how to stream your favorite Netflix shows no matter where you are in the world!
5. Social engineering, including phishing and SMShing
The UK government’s 2018 cyber security breaches survey recently polled UK businesses on their experience of breaches. 75% of those that had suffered a breach had done so following “Fraudulent emails or being directed to fraudulent websites” – ie social engineering and/or some form of phishing. Cyber security awareness training should therefore give special focus to both phishing and social engineering as a whole.
It’s worth thinking about how social engineering training is delivered, too. Many companies today highlight the dangers of social engineering through simulated attacks, which test people’s response to attacks “live” in the workplace. Such attacks are backed by behavioural change theory: as well as being emotionally engaging, they help modify people’s schema. Put simply, they train people to expect attacks and, as such, help modify how people respond to genuine day-to-day threats.
6. Browsing securely
The green padlock no longer marks websites as safe to use – a fact few people outside of security actually know. Few people still have configured their browsers to avoid tracking or form auto-filling. Advice on browsing securely is therefore essential to any security awareness training programme.
Given behavioural change as an overall aim, it’s worthwhile going through step-by-step guides on browser configuration.
7. Device security
As with passphrase management, device security is an area which most are familiar with. Most people know the importance of antivirus software and most know how important it is to keep firewalls running. And yet malware infection remains prominent year in, year out. Why?
Again, it seems as though awareness is failing to change behavior. In the past, tried and tested content on device security has failed, so security awareness training on device security needs to go beyond what’s been done before.
Framing device security training in terms of the personal benefits users can expect is usually a good idea. For example, CybSafe’s module on device security opens with the line “This module will help you save money by showing you how to set up your computer securely.”
Related to device security is content on malware, which should cover the different types of malware and how infections occur. As research shows we tend to ignore security warnings, it’s worth including information on the importance of heeding security warnings, or even going one step further and decoding what ambiguously written security warnings are actually trying to say.
Including content on the signs of infection is also crucial. On average, it takes 197 days to detect a data breach or malware infection linked to data loss – yet the warning signs are often clear.
9. Breach recovery
Most security professionals agree on the naivety of failing to plan for a data breach – yet information on breach recovery is seldom included in security awareness training campaigns. The depth of subject matter necessary will vary depending on the audience. At the most basic level, people need to know how to report breaches. When training security teams though, more detail will be needed.
10. GDPR and data privacy
The General Data Protection Regulation is a far-reaching regulation and one that leaves those who handle data with some additional responsibilities.
Security awareness training that covers GDPR and, most importantly, puts it into context for various areas of an organization, not only helps organisations comply with the regulation, but reinforces the importance of the secure processing of data – an essential point, but one which some seem to have been forgotten.
All ten topics above are now covered in detail by the CybSafe platform, which updates not just as the threat landscape changes but also as your people’s security understanding and behaviours advance.
After learning about individual knowledge levels and behaviour patterns, CybSafe uses behavioural change insights to advance security awareness, behaviour and culture. At the same time, it uses machine learning to continually move key security metrics in the right direction, demonstrably reducing human cyber risk. To see how it works – as well as what’s included – arrange a free demonstration here.
As digital transformation takes hold, organizations must learn what their cybersecurity risks are – and how best to address them.
Cybersecurity is in the news, but the risks posed by weak and outdated security measures are hardly new. For more than two decades, organizations have struggled to keep pace with rapidly evolving attack technologies.
With the arrival in May of WannaCry, a massive and highly coordinated ransomware attack that left tens of thousands of organizations around the world hoping for the safe restoration of their data, the threat posed by malware creators took an ominous turn. The attack sent an unambiguous wake-up call to organizations worldwide that now is the time to reassess and reinforce existing cybersecurity strategies.
Connectivity Creates Opportunities and Challenges
Emerging technologies, particularly the Internet of Things (IoT), are taking global connectivity to a new level, opening fresh and compelling opportunities for both adopters and, unfortunately, attackers.
Sadik Al-Abdulla, director of security solutions for CDW, says growing connectivity has ushered in a new era of critical security threats. “The same viruses we’ve been fighting for 20 years, now those viruses grow teeth,” he adds, noting that organizations are just beginning to respond to more dangerous cybersecurity adversaries. “Suddenly, just in the last 18 months, with the explosion of ransomware, we’ve seen really substantial support from outside IT to actually start getting these projects done, because there has been real pain experienced.”
IoT poses a significant new challenge, Al-Abdulla observes. “As new devices are connected, they represent both a potential ingress point for an attacker as well as another set of devices that have to be managed,” he says. “Unfortunately, most of the world is trying to achieve the promise provided by IoT projects as rapidly as possible, and they are not including security in the original design, which creates greater weakness that is very, very hard to get back after the fact and correct.”
Al-Abdulla also notes that many organizations are unintentionally raising their security risk by neglecting routine network security tasks. “Every time our assessment team looks at the inside of a network, we find systems that haven’t been patched in 10 years,” he says. “Sometimes, it’s IoT devices.”
Al-Abdulla’s team has observed devices with “a flavor of Linux or Windows embedded” that have not been updated since they left the factory. Security cameras, badge readers, medical devices, thermostats and a variety of other connected technologies all create potential attack gateways.
“All it takes is the wrong guy to click the wrong thing in the wrong part of the network,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group. “You get mass propagation throughout the environment, and then you have a huge problem.”
“It’s a very complicated world that we live in right now, because the attacker and defense problem is highly asymmetrical,” Roesch adds.
The changing nature of networks and the devices located within them, combined with the fact that organizations keep introducing new software and hardware into their IT environments, make it nearly impossible to keep pace with a new generation of skilled attackers. “It becomes very, very difficult to respond and be effective against the kind of threat environment that we face today because the attackers are highly motivated,” he says.
The Danger of Giving in to Ransomware
Ransomware is like a thug with a gun: “Pay up, or your data gets it!”
Facing such a blunt demand, many organizations simply cave in and hand over whatever amount of money (usually in the form of bitcoin) is necessary to regain their data.
Problem solved? Not necessarily, says Michael Viscuso, co-founder and chief technology officer of endpoint security provider Carbon Black, who sees no easy way out of a ransomware attack. “It’s still surprising to me that people who have paid the ransom think that the game is over,” he says. “The reality is that the attacker has access to your system and is encrypting and decrypting your files whenever he wants to – and charging you every time.”
James Lyne, global head of security research at security technology company Sophos, notes that many ransomware attackers hide code within decrypted data, allowing them to reinfect the host at a future date. “Because if you’ll pay once, you’ll pay twice,” he explains.
Lyne also warns about the emerging threat of “shredware,” malware that encrypts data without requesting a ransom, effectively destroying it. “I bring that up because I’ve had a lot of board advisory meetings recently where people have said, ‘Well surely, we’ll just keep a fund, and if our data is encrypted, we will just pay the cybercriminals,’” he says.
Instead, organizations can take steps to defend themselves against ransomware. These steps include:
Effective backups: IT staff can save themselves trouble and money by implementing regular backup practices to an external location such as a backup service. In the event of a ransomware infection, backup data can get organizations back on their feet quickly.
User training: Most infections are the result of users clicking on links or attachments that are connected to malicious payloads. IT teams can avoid these pitfalls by training users to look out for them.
Deployment of security solutions: Measures such as anti-malware, firewalls and email filters can help detect ransomware and prevent infections.
The Human Factor
While following security best practices is essential to network security, many organizations remain unaware of or pay little attention to, the weakest link in the security chain: people.
It doesn’t make sense to try to solve what is essentially a human problem solely with technical means, says Mike Waters, director of enterprise information security for management consulting firm Booz Allen Hamilton. “We have to create an atmosphere, an environment, where people can tell us what risks they know about, and we can document them and work through it in a deliberative manner,” he adds.
Booz Allen has 25,000 people working for it, Waters says, adding, “I need 25,000 people to defend Booz Allen.” Educating users — and instilling in them just a touch of paranoia, he quips — leads to an alert organization in which users report every suspicious thing they encounter. “Ninety-nine percent of what they report is not bad, but the 1 percent that’s critical can get to us,” he says. “We reinforce that behavior — tell us everything.”
Meet the Evil Entrepreneurs
In much the same way that organizations boost their results through ambition and innovation, cybercriminals also are improving the way they operate. “The bad guys are entrepreneurial,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group.
Most successful cybercriminals are part of large and well-structured technology organizations. “There’s a team of people setting up infrastructure and hosting facilities; there’s a team of people doing vulnerability research; there’s a team of people doing extraction of data; there’s a team of people building ransomware; there’s a team of people delivering ransomware; there’s a team of people doing vulnerability assessment on the internet; there’s a team of people figuring out how to bypass spam filters,” says Michael Viscuso, co-founder and CTO of Carbon Black.
Roesch says organizations have found it “very difficult to respond and be effective against the kind of threat environment that we face today,” but says security experts within Cisco have specifically targeted cybercrime organizations and achieved some success in shutting them down.
Weighing Risk Against Benefits
Security boils down to measuring risk against anticipated benefits. “One of the fascinating things about risk is that low-level engineers know where the risks are, but they don’t necessarily tell anybody,” Waters says. As an example, he cites Operation Market Garden, a World War II Allied military effort (documented in the book and movie A Bridge Too Far) that was fatally hampered by poor radio communication. “People knew those radios weren’t going to work when they got over there,” Waters says. “They didn’t tell anybody because they didn’t want to rock the boat.”
Once a risk is identified, users and IT professionals must be committed to addressing it, with the support of executives. Across all departments and in all situations, calm person-to-person communication is always a reliable and effective security tool. “If we’re running around with our hair on fire all the time, they don’t want to talk to us,” Waters adds. “We want everybody to be able to talk with us and share their risks, so we know to prioritize and trust them.”
In a perfect world, security professionals would strive to create a risk-free environment. “We want it all down to zero,” Waters says. That’s not possible, however, because some degree of risk is inherent in every action an organization takes. “As challenging as it may seem, there are risks businesses are willing to accept,” Waters adds.
Too much caution blocks or degrades benefits, particularly when security mandates unnecessarily interfere with routine activities. Simply telling people what not to do is rarely effective, particularly if what they’re doing saves time and produces positive results. “We talk about Dropbox and things like that,” Waters says. “If your policies are too restrictive, people will find a way around them.”
The past couple of years have seen an increase in online criminal activities and attacks. For companies and businesses, the threat of ransomware and information threat has grown significantly. A lot of businesses have started to become dependent on technology, so they need systems in place that are fool proof as well as paying close attention to the data security in their systems. All companies need to invest in separate cyber security teams that will monitor and protect the company’s network, they will also keep testing and updating these cyber security systems.
As well as employing a security team, you will also need to adopt other protocols in your working process that will help enhance data security measures. If you’re a small or medium business, then you will need to especially adopt secure practises as smaller businesses are an easy target.
Discipline and Security Protocols
One of the first steps in attaining high levels of data security is to establish clear protocols for access and operation. So, employees need to be given clear guidelines regarding their access to the network, sources of data and communication channels. A system must be in place to check if employees deviate from the established protocols and a clear identity confirmation protocol must be in place, so employees know what to do if someone they don’t know tries to get into the business.
More business operations are changing their activities to software platforms due to the growing popularity of SaaS (Software as a Service). A lot of businesses today employ a range of software services like enterprise resource management, inventory management, workforce, and operation scheduling, etc. These systems come with built-in security that will need to be foolproof updated because of new threats that might get generated.
By having awareness and knowledge of basic cybersecurity is vital. Since a lot of these cybercrimes are carried out on software platforms employees will need to be aware of the vulnerabilities and their solutions.
Cyberattacks cost the world more than natural disasters – US$3 trillion in 2015, a price that may climb to $6 trillion annually by 2021 if present trends continue. But most people – and even most businesses – don’t have insurance to protect themselves against this rising threat.
For a company, that can make sense, because a digital intrusion can cost hundreds of thousands or even millions of dollars to fix and recover from. For individuals, the costs of a breach are lower, but still significant – even as high as $5,000.
The insurance industry is doing more, too. A wide range of insurers such as Munich Re, AIG’s CyberEdge, Saga Home Insurance, Burns & Wilcox and Chubb all offer cyber insurance for individuals. These plans cover as much as $250,0000 to repair or replace damaged devices and to pay for expert advice and assistance if a cyberattack affects a policyholder. They may also include data recovery, credit monitoring services and efforts to undo identity theft.
In addition, because cybercrime is relatively new, insurers do not have much data on how much various types of cybersecurity problems can cost to fix or recover from. They therefore tend to be conservative and overcharge.
As people become better-informed about the digital dangers in their lives, and as insurance companies are able to more clearly explain – and more accurately price – their coverage options, the cyber insurance market will grow and may expand rapidly. In the meantime, most policies have some degree of custom design, so consumers should be careful to look for policies that actually cover their needs, and not just evaluate plans based on cost.
To demonstrate why security awareness training so often fails, it’s worth conducting a quick thought experiment.
Imagine you’re a smoker and, one day, you find out you’re genetically susceptible to lung cancer. Thanks to your genes, you’re two-three times more likely to contract lung cancer than the average person.
The elevated risk has nothing to do with your record of smoking – but continuing to smoke increases the risks even further.
Given the situation, do you think you’d be more or less likely to quit smoking than other smokers?
Studies show that, actually, you’d be just as likely to continue smoking as others. Your new knowledge wouldn’t change your behavior.
Could this also be why security awareness training sometimes fails?
The problem with traditional security awareness training
As we’ve discussed elsewhere, traditional security awareness training usually focuses on trying to raise security ‘awareness’. Increasing people’s knowledge of the risks is the goal. It’s mostly assumed that, if people are aware of the risks, they’ll start behaving in a secure manner. Unfortunately, the assumption is flawed.
Increasing security awareness rarely changes security behaviors. People can spend days learning about security threats only to return to their desks and consciously ignore security warnings.
Security awareness training that changes behavior
In order for security awareness training to be successful, campaigns must focus on more than just awareness. They must focus on awareness, behavior and culture – the ‘ABC’ of information security.
Changing people’s behaviors and building a culture of security isn’t as simple as increasing security awareness. The latter can be achieved through a series of simple comprehension exercises.
By contrast, to change people’s behavior, your security awareness campaigns should be fuelled by insights from the world of behavioral science.
Security awareness training that encourages a secure culture
Cultural change is just as important as behavioral change, and there are a number of simple ways you can nurture a culture of security through your own security awareness campaigns. Training everyone, engaging the board, demonstrating the value of security, highlighting the personal benefits of security, facilitating questions and increasing face-to-face interaction, all play a part.
Arguably most important of all, though, is quantitatively measuring culture. It’s only by measuring culture today and then culture tomorrow that you can be sure culture is moving in the right direction.
Why good security awareness training is so important
In the interests of balance, it’s worth pointing out two things.
First: security awareness training is improving. Where security awareness training has historically taken the form of ticking a compliance-shaped box, increasingly, campaigns focus on awareness, behavior and culture. Increasingly, companies are implementing security awareness training to demonstrably reduce cyber risk.
Second: when security awareness training works, it has the potential to nullify threats that technological defenses cannot. Every time someone reports a malicious email, they save a great deal of heartache. Heeding security warnings, using VPNs, setting strong passphrases, challenging identities; combined, the actions of vigilant people save reputation, financial and emotional distress countless times over every single day.
So while security awareness training sometimes fails, when it focuses on the ABC of information security, it does a lot of good. And society as a whole needs more people to move towards meaningful training quickly.
Focusing solely on increasing security awareness makes life easy for criminals. By focusing on awareness, behavioral and cultural change, your campaigns can prevent advanced attacks and keep people safe.