Are organizations prepared to cope with a targeted cyber-attack in 2021? Organizations face a dynamic threat landscape, and an average of 64% of CISOs believe they are at risk of suffering a material cyber-attack within the next 12 months. 81% of Dutch CISOs say their organization is unprepared, according to the Proofpoint 2021 Voice of The CISO Report. This implies a disconnect between perceived risk levels and preparedness.
According to 34%, the biggest perceived cybersecurity threat in the next year is Business Email Compromise (BEC), followed by Cloud Account Compromise (33%), and Insider threat (31%).
These are the significant threats, but the CISOs also say human error is their organization’s biggest cyber vulnerability. Employees understand their role in protecting against cyber threats but are not adequately skilled or equipped for cyber defense and are putting your business at significant risk of giving cybercriminals a chance to attack your organization. An untrained employee can endanger your security system in various ways. The most common errors by employees include:
- Phishing scams: Cybercriminals are using improved techniques, emails, and text messages. 43% of employees still click on a malicious link or download a compromised file, and 40% still responds to phishing emails.
- Weak password habits: Be aware that employees might use the same password for multiple accounts. The same password for personal and business accounts is a dangerous habit. It allows cybercriminals to reuse the password to access your company when personal accounts are compromised.
- Mis-delivery: Slight negligence can lead to an employee sending sensitive, business-critical information to a recipient or cybercriminal intentionally or unintentionally. 35% of employees leak data intentionally! Therefore, it can create lasting damage to a company.
- Lack of software patch management: Delayed deploying a security patch by employees can lead to security vulnerabilities in companies as IT security issues are left unaddressed. Software patches are essential because 35% uses unauthorized devices and applications on your network.
Five tips on how to reduce and control your risk
Tip1 – Security awareness training
TFew employees are aware of the possible security risks they pose. Although cybersecurity awareness is, in many cases, a top priority, many obstacles remain. An error of an employee and lack of security knowledge poses a high risk to organizations. Only 28% of organizations in the UK confirm conducting security awareness training more than twice a year. Yet, 73% acknowledge that they need to improve the cybersecurity awareness of their employees. For 49% of the businesses, this will be a top priority for 2021. Still, there is a long road ahead of us because 54% recognize time and resource constraints as an obstacle to developing an effective program, and 50% think that the board is not paying enough attention to effective cybersecurity.
The awareness training will handle all kinds of appropriate security controls, physical, administrative, and technical. Of course, the training presents formal cybersecurity education to your employees about the security policies, -procedures, and various information security threats. At last, it encourages employees to learn about IT security issues, identify security risks, and learn how to respond to cybersecurity issues.
Example of lack of Security Awareness: In 2018, Pathé lost about 19 million euros in a business email compromise (BEC) scam. The attack cost the company 10 percent of its total earnings. The Dutch CEO received an email from the chief executive of the French parent company asking for a money transfer. At first, there was some doubt about the request, but after some email contact and receiving a fake confirmation from a Pathé France manager, scammers convinced them of the request’s legitimacy. The employees completed the transaction after verifying the signatures. There are two lessons to learn from this example; First, scammers are very clever and convincing. Second, after the employees got fired, one took it to court because he never received any formal security awareness training. He wasn’t educated in recognizing the scammer’s email. The court ruled in his favor because Pathé had neglected the education of the employees.
Tip 2 – Multifactor authentication
Multifactor authentication (MFA) is an electronic authentication method that requires two or more pieces of evidence, a.k.a. credentials, to confirm the user’s identity for a login or other transaction. MFA combines two or more credential categories:
- Something you know (password).
- Something you have (security token) card.
- Something you are (biometric verification).
Requiring two passwords is not considered MFA, but combining two or more credential categories will enhance your system’s security. A security token can be an e-reader; many banks used these when you wanted to log in to your account. Now, most of the time, your smartphone can function as a token. But these systems still work with codes that cybercriminals can intercept.
Google, therefore, uses a USB key fob that functions as a physical key. When a cybercriminal wants to hack google, the hacker will need a valid password and physical access to the USB security key.
Since Google uses the key, the number of phishing attacks has drastically dropped.
To be verified as a legitimate user, a fingerprint or face scan is required. Based on the location of the user, these methods can differ.
The driving factors behind the boosted MFA market are strict government regulation and the rise in security breaches, fraud, and data identity thefts, the increase of BYOD/ IoT devices, high demand for cloud-based MFA solutions and services, and a high volume of online transactions. Various technologies and industries can benefit from this industry. Besides the government, large organizations, the banking/ finance industry, retail, app, and web developers will benefit the most from MFA. Some major companies offering two-factor authentication are RSA Security, OneSpan, Thales, and Entrust Datacard.
The global market is expected to grow from USD 11.1 billion in 2021 to USD 23.5 billion by 2026, at a Compound Annual Growth Rate (CAGR) of 16.2% during the forecast period.
Example of Multifactor authentication (MFA): When President Ronald Reagan was shot in 1981, he was rushed to the hospital, and fortunate for him, the wound proved non-fatal. While the president was transported to the hospital, his briefcase went missing. The briefcase contained a code card to authenticate the president over the phone to authorize a nuclear attack based on a challenge mechanism. The security procedure design considers the loss of the card, aka the “biscuit,” and requires more than the code on the card to launch a nuclear attack in case the card falls into the wrong hands. The token, or in this case the card code, contains fake numbers as a safety measure. The president, of course, is the only one who knows the correct code. Before the president can make the call for a nuclear strike, he first needs to meet with top military advisers in the Situation Room or while traveling via call using a secured line. Luckily, his security agents retrieved the card, and the world was never in jeopardy to be hit by the nuclear bombs.
This sounds pretty secure, and this is the reason for at least implementing a two-factor authentication system. Still, when the other company in your supply chain suffers from a hack or you engage with a scammer’s email, these security measures will not always and entirely safeguard you from harm. So, this brings us back to the importance of employee cybersecurity awareness.
Tip 3 – Cyber insurance
In 2020, for the first time, cyber-attacks were listed as the most important business risk globally, according to a survey of Allianz Global Corporate & Specialty. Seven years ago, cyber incidents ranked only 15th with just 6% of responses, the report reveals. Cyber insurers advise their clients on guarding themselves against cyber-attacks and hacking threats based on their risk profile for baseline security. As part of their service, they assist their clients with identifying the cause of an incident and minimize the disruption. After a cyber-attack has taken place, the cyber insurance company will deal with the fallout and help with the recovery process.
Having a cyber insurance policy can help minimize business disruption during a cyber incident. Companies like MMOXX use technology to continuously monitor the security environment, get insight, and provide targeted advice. On top of that, they provide incident response and cyber insurance in cooperation with Dutch insurance company Nationale Nederlanden.
According to Visiongain research, the European cyber insurance market is forecasted to grow with an average growth rate of 20% between 2020 and 2030, doubling in size between 2020 and 2025.
Example of the value of cyber Insurance; In 2017, we had the NotPetya malware attack, which has been called the most devastating cyber-attack in history. Since then, cyber experts say cybersecurity and prevention strategies have developed fast, but experts also warn that another significant cyber-attack is never far off. The malware attack began in June 2017, located in Ukraine. NotPetya caused more than $10 billion in damage and significantly impacted many companies, including pharmaceutical company Merck, which lost up to $870 million. Merck was well insured, but most of its 30 insurers and reinsurers refused coverage under the company’s property policies for damage resulting from NotPetya. Well, the policies provided $1.75 billion worth of coverage for catastrophic risks, including the destruction of computer data, coding, and software, Bloomberg reported. The insurance was not enough because Merck’s property policies explicitly excluded acts of war. Unfortunately, NoPetya was categorized as an act of war.
Tip 4: Data & Information classification and protection
To a greater or lesser degree, every organization produces and manages sensitive information stored in different locations: User computers, document managers, cloud storage, file servers. Data classification is organizing data by relevant categories so that IT security can protect the data more efficiently. The classification process makes data and information easier to locate and retrieve. It is a necessary process when it comes to risk management, compliance, and data security.
When you send sensitive data/ information, as a recommendation, apply email encryption. When a file is attached to the email, you can protect that file too using Digital rights management (DRM). DRM technology restrains the use of (copyrighted) digital materials. DRM tools intend to protect the rights of the copyright holder and prevent unauthorized modification or distribution. The last two are usually considered technologies for preventing data leaks: context-aware Data Loss Prevention (DLP) and Information Rights Management (IRM). DLP is a set of tools and processes applied to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. IRM protects files from unauthorized copying, viewing, printing, forwarding, deleting, and editing. Through integration with the IRM, the DLP can establish the automatic protection of the file as a corrective action using an IRM security policy.
Example of Data & information classification and protection: In April 2020 came to light that half a million Zoom passwords were being sold on the dark web. Hackers got the passwords through credential stuffing and then packaged the successfully compromised accounts into a new database. Zoom also came in trouble when failing to encrypt its software to prevent hackers from crashing meetings.
Review any third-party tool you use for business operations with care, even when it feels safe because everybody uses the application. Each piece of software that involves sensitive data is a potential opening attack and hack your network.
Tip 5: Vulnerability scanning & patch management tooling
Vulnerability management tools scan a company’s networks for weaknesses that hackers can potentially exploit. When the scan points out a weakness, the vulnerability software suggests or initiates a remediation action. Vulnerability scans are there to help prevent an attack.
Patch Management is the process of maintaining the network of computers by frequently deploying patches to keep computers, servers, software, and other resources up to date. Patch management is an essential IT task in any organization, as leaving software and operating systems unpatched puts your organization exposed to security breaches.
57% of cyber-attack victims stated that applying a patch would have prevented the attack. 34% say they knew about the vulnerability before the attack.
There is all sort of software programs and platforms on the market that offer patch management services. For instance, Qualys the leading platform for 20 years in this industry. They help businesses with their Qualys Cloud Platform and integrated apps simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance, and protection for IT systems web applications.
Example Vulnerability scanning & patch management tooling: The WannaCry ransomware attacks in May 2017 highlight the importance of implementing good patch management policies. The ransomware attacks were made possible due to bad patch management procedures at numerous organizations. With WannaCry, attackers leveraged a vulnerability in Windows Server Message Block (SMB). The WannaCry ransomware invasion hit around 230,000networks globally. The attack struck a third of the NHS hospital in the UK. Ambulances were reportedly rerouted, unable to reach people who needed essential critical care. The total damage cost the NHS hospital £92 million, and the hospital had to cancel 19.000 appointments. Implementing a single patch – MS17-010 could have easily prevented these attacks. The patch was available for two months before the WannaCry attacks. Regular monthly software check-ups could have prevented this from happening.
Cybersecurity is constantly evolving, and if we intend to minimize the risk of a successful attack, we need a disciplined and persistent approach, adapt our security strategy, and make the necessary investments. Cybersecurity awareness training is an investment known for its excellent Return on Security Investment (ROSI). When calculating the ROSI, take a risk-based approach to estimate how security impacts the business’ bottom line to justify the spending decision.