October marks European Cyber Security Month. Businesses are embarking on digital transformation journeys; emerging technologies are continuing to transform the way we live and work. At the same time, the cyber threat landscape is continually evolving and expanding, so there’s no time for businesses to sit on their laurels. And it isn’t just new and emerging threats that organisations and individuals need to be aware of as traditional methods are still presenting a significant threat.
No company is immune to data breaches, says Benjamin Ross, Director, International Marketing at Delphix. Ben says: “Security and data privacy are without a doubt one of the biggest concerns facing modern enterprises today. Yet most businesses today lack a firm grasp of their data – where it lives, who has access to it and how it’s being shared. Often times, organisations tend to focus their efforts and investments in protecting the exterior alone. But breaches can and do happen from the inside.
“In fact, up to 90 per cent of valuable data lives in internal, downstream environments like development, testing, and analytics. Failing to protect the sensitive data in these locations can significantly open your organisation up to security breaches. Cyber security is only as strong as your weakest entry point, and if the data in your internal environments is not masked, you will be putting yourself at risk of security breaches. This Cybersecurity Awareness Month offers businesses a timely opportunity to re-examine their security practices and identify the weak points – both internal and external. Robust cybersecurity truly starts from the inside.”
What are the biggest threats that organisations should be aware of in the digital age and what can be done to prevent and avoid significant consequences?
According to Russell Haworth, CEO, Nominet, “the last 25 years have seen more and more elements of our daily lives shift over to the online world, bringing about vast benefits for businesses and citizens alike. But unfortunately, with progress comes risk. For example, our research found that 77pc of Brits think they know enough to stay safe online, and 41pc think it’s unlikely they’ll be victim to a cyber-attack in the next 12 months.
“While it’s encouraging that many Brits feel they know enough to stay safe, the assumption that cyber-attacks simply won’t affect them is dangerous. Too many of us are still not following even basic security advice, with just under a quarter admitting they didn’t change their password when a provider suffered a breach. In fact, quite astonishingly, recent National Cyber Security Centre breach analysis found that 23.2 million victim accounts still used a 123456 password. This poses obvious risks to the individual, but it is when employees bring this same attitude to cyber security to the workplace that the issue can really escalate.
“Cyber Security Awareness Month is a perfect opportunity to raise awareness of the associated cyber risks we face, but it’s important that everyone follows continual cyber security best practice to protect themselves and businesses from online threats.”
Rich Turner, SVP EMEA, CyberArk says: “businesses of all stripes are embracing digital technologies and processes to deliver products and services to market faster. But the ‘need for speed’ and consequent shorter feedback loops introduce a host of new risks which must be priced into the overall package. Our recent Global Advanced Threat Landscape report indicated that less than half of organisations have a strategy that helps secure, control, manage and monitor privileged access to new workflows and technologies such as DevOps, IoT and RPA – technologies foundational to digital initiatives. The net result is a much bigger chance that sensitive data and assets can be breached through compromising these unprotected privileged credentials.
Turner adds that the issue is that as they adopt these technologies, organisations are increasingly operating in cloud-first environments. “This removes a natural security barrier – access is no longer limited to the network, and the perimeter is no longer defensible. To counter this, security strategies must shift to protecting the business’s most important information from within. Zero Trust security models are making this possible: they presume trust nothing and verify everything, whether it comes from inside or outside the network perimeter, before granting access. By practicing defence-in-depth and incorporating privileged access security controls at the core of their strategy, organisations can drive down risk while maintaining business velocity.”
One of the biggest risks posed to UK organisations as a consequence of digital transformation is ransomware, according to Chris Huggett, Senior Vice President, UK and India, Sungard Availability Services. He says: “As well as being an effective tool for cybercriminals to extort money and cause business disruption, the ability for ransomware to exploit individuals on a psychological level has enabled it to become a major source of disruption. While feelings of guilt and responsibility may plague the end-user unknowingly deceived into creating an exploit, a similar or even higher level of stress is likely to be felt by a public-facing executive who must answer to a disgruntled customer base in response to a data breach or service outage. In fact, recent research has revealed that over half (54pct) of C-level executives in the UK have suffered from stress-related illnesses and/or damage to their mental well-being as the result of a technology crisis.”
But as well as traditional methods like ransomware, new forms of attack are on the rise, and the stakes are even higher, not just for individuals and organisations, but for entire nations. Paul Dignan, Systems Engineering Manager, F5 Networks says: “we have now entered a new, critical phase of cyber warfare – one where hackers act on behalf of nation-state powers to not only disrupt critical infrastructures, but also actively seek trade secrets. Worryingly, the recent Verizon Data Breach Investigations Report (VDBIR) notes a sharp uptick in nation-state attacks, from 12pc of all analysed breaches to 23pc in the past year. A quarter of breaches are currently influenced by cyber-espionage too. New battle lines have been drawn across the world and organisations need to tool up accordingly.
“The issue, which is one that needs to be considered, not only this month but for the foreseeable future, is that the number of state sponsored attacks is only going to rise with the imminent impact of new trends that will expand attack surfaces for hackers, such as like 5G and IoT. A range of new technologies are emerging to help fight back, such as AI solutions to analyse all traffic in real-time and spot anomalies that were previously out of sight. But whatever the technology mix looks like, the priority is to apply security at every level and on every surface: endpoint, application, and infrastructure,” concludes Dignan.
But when using security measures to defend from these traditional, new and evolving threats, Mark Grainger, VP Europe, at Engage Hub believes businesses need to continue to have the customer front of mind. “A crucial priority is providing an engaging and streamlined customer experience. One of the main challenges posed by enhanced security is that it usually requires additional steps and hoops that customers need to jump through.” Grainger reflects on banking customers, adding that, “an important aspect banks might want to consider when it comes to improved security and speed is biometric authentication. Many banks are already using fingerprint ID for mobile banking apps, and facial recognition is gaining traction too. In fact, studies show that the global facial recognition market is expected to grow from $3.2bn in 2019 to $7bn by 2024.”
Tim Hickman, Partner at White & Case says that “the financial and reputational consequences of failing to implement appropriate cyber security measures can have a severely detrimental effect on businesses. Companies that are affected by a cyberattack do not always incur a fine. However, penalties are more likely to be imposed if it becomes apparent that a business has inadequate cyber security measures in place. Once a successful cyber-attack becomes public knowledge, customer and market confidence in an organisation can take a real hit.
“The best strategy for protection is in having a thorough understanding of the threat landscape that your organisation faces, and the increasingly sophisticated nature of attackers out there. It is essential to recognise the vulnerabilities in your organisation’s IT infrastructure and identify high-value assets and data, so that appropriate policies and protective measures can be put in place.”
