Now in its 17th year, Cybersecurity Awareness Month continues to play a critical role in raising awareness of the online threats faced by both organisations and individuals alike. This year’s theme – ‘Think Before U Click’ (#ThinkB4UClick) focuses on the importance of personal accountability: whether we’re checking personal emails or accessing the company server, diligence must always be exercised to avoid inadvertently opening the door to hackers.
This year, attackers have doubled down on social engineering (i.e. phishing) to exploit the disruption caused by the Covid-19 pandemic and take advantage the subsequent spike in the use of online services. In April, for example, one survey found a 667% increase in malicious phishing emails during the pandemic, sent by scammers impersonating the UK government, the WHO, and the Centre for Disease Control and Prevention.
In this article, industry experts from a range of technology disciplines discuss some of the biggest threats that individuals, organisations and even entire nations face today in the cyber sphere. In a rapidly changing world, these perspectives help us to understand not only the consequences of inadequate cybersecurity measures, but the ingredients of effective cyber resilience in 2020 and beyond.
Combatting disinformation and cyber propaganda
With in-person contact having taken a hit this year, for many, a significant proportion of daily life has now moved online. Accordingly, self-protection has had to adapt. “With cyber culture increasingly embedded into people’s lives, cybercrime is now just an inevitable part of everyday life” argues Keiron Shepherd, Principal Solutions Engineer at F5. Accordingly, “data is a valuable currency that needs to be protected.”
“As such, cybercriminals are becoming very adept at misleading voters with disinformation. This includes propagating false news, using bots to drive social media engagement and the strategic leaks of incriminating emails or confidential documents. Mainstream awareness on these issues is growing. However, the fact remains that people spend a significant amount of time online and it is getting increasingly difficult to understand what is real and what is a bot-generated media post.
“Mitigating these types of risks calls for several tactics. Given the increasing sophistication of the technology behind this kind of disinformation, it is fundamental that individuals now realise the power of social engineering and the influencing effect that deceptive tactics can have on them. It is critical to continually educate people and raise awareness on these issues.”
Managing cyber risk with a distributed workforce
For businesses, resilience and continuity strategies have had to adapt to distributed working in order to effectively manage the security challenges of the ‘new normal’. Chris Hodson, CISO, Tanium, describes how many of the issues that emerged at the start of lockdown resulted from considerably overestimating preparedness for the security challenges that came with shifting to a distributed working environment.
“Our research found that 85% of business leaders thought they were prepared to manage the shift to widespread WFH. This confidence turned out to be ill-founded with 98% admitting they faced security challenges in the transition away from the office.”
“Not only did widespread remote working exacerbate existing issues,” Hodson continues, “it also created a host of new security challenges, allowing cyber criminals to run amok during a period of deep confusion and uncertainty for businesses. Whether companies choose to permanently move their operations, return employees to the office, or some combination of both, implementing tools such as endpoint management and efficient security solutions should be a priority.”
The new cybersecurity imperative
As connectivity continues to become a crucial element in more of society’s infrastructure, cyber-attacks are having more devastating consequences. As, Dave Palmer, Director of Technology, Darktrace, explains, “Just last week, news of a woman dying after ransomware hit a German hospital hit the headlines. Last month the NCSC warned of attacks against the academic sector following a spate of hacks on UK schools, colleges and universities. Earlier this year, we learned of nation states hacking vaccine research.”
As cyber-attacks become more advanced, cybersecurity, Palmer argues, must not only become more intelligent, but move at ‘machine speed’. “Finding the right people with the right skills to defend organisations is important, but they cannot handle the challenge alone. We need to augment teams with AI that can make decisions in seconds about what is strange but benign, and strange but threatening – and not only does it detect the threat, but it understands the action that is necessary to stop the threat from spreading.”
The board’s responsibility to conduct ongoing security reviews
Continuing the discussion on accountability and responsibility, Tim Hickman, partner and data protection lawyer at global law firm White & Case, argues that board-level executives must now take a more active interest in cybersecurity. “Recent enforcement trends have shown that a failure at the very top of an organisation to engage –and stay engaged– with evolving cybersecurity threats can result in regulators launching investigations, with consequent financial and reputational damage to the business,” he says.
However, the maintenance of robust and legally compliant security systems is becoming ever more challenging for organisations. “In a world in which business systems are increasingly inter-connected,” Hickman continues, “new vulnerabilities are being discovered –and exploited– at an alarming pace. Compliance obligations imposed on businesses increasingly require those businesses to determine for themselves which cybersecurity measures are appropriate and sufficient in the context of their activities. As a result, cybersecurity measures that were sufficient and appropriate even a few months ago may no longer be sufficient or appropriate today.”
Cybersecurity in the eyes of consumers
Adapting to the sudden change triggered by the Covid-19 pandemic marked a major test of business continuity planning in every company across every industry. In addition to a greater number of formerly face-to-face interactions now taking place online, Chris Huggett, SVP EMEA, Sungard AS outlines how this has revealed a new relationship between cyber resilience and brand reputation.
“While cybersecurity is a universal imperative of business resilience, there are certain industries in which the reputational damage of a cyber-attack can be particularly impactful” he comments.
“Our research shows that organisations in the financial services industry are the most at risk of losing their customer base, with over two-thirds (67 percent) of respondents claiming they would switch providers immediately if they became aware of cybersecurity flaws. The results also show home broadband and online retail service providers to also be in high-risk categories, with the potential to lose 64 percent and 58 percent of the customers, respectively.”
Looking to the year ahead
Businesses today contend with an increasingly complex landscape of disruption due to rapid change, both in terms of the technologies at the heart of business operations, and in terms of the tools and methods attackers use to exploit them.
The world is becoming more and more connected. But a single vulnerability – one weak password, engagement with a phishing email or a single unpatched device, for example – is still all that is needed for a devastating attack to occur. When it comes to cybersecurity, businesses and individuals must take both a forensic and holistic approach.
As per the theme of this year’s Cybersecurity Awareness Month, businesses and individuals in 2020 must arm themselves with the right tools and the right knowledge to remaining cyber resilient. Otherwise it’s only a matter of time before the next cyber-attack reveals just how devastating its consequences can be.
- Keiron Shepherd, Principal Solutions Engineer at secure application delivery provider F5
- Chris Hodson, CISO, at endpoint security and systems management company Tanium
- Dave Palmer, Director of Technology, at cyber AI company Darktrace.
- Tim Hickman, Partner and Data Protection Lawyer at law firm White & Case
- Chris Huggett, SVP EMEA, at business continuity consultancy organisation Sungard Availability Services(Sungard AS)