We should be prepared for a further increase in cyberattacks, which could be partly down to major powers leaking cyber superweapons.
“We have long warned that organisations of all sizes are being bombarded by a global, fifth generation of cyber threats (Gen V),” says Pankaj Bhula, regional spokesperson at Check Point Software. “These are multi-vector cyber threats that can cause fatal damage and irreparable harm to the reputation of the compromised company.
“However, most companies are only secured against what we call third generation threats (Gen III), which are threats that we’ve known about since the early 2000s and which seek to exploit vulnerabilities in applications. Cybercrime is evolving at such a breakneck pace that falling behind on protection for weeks or months can have serious consequences, let alone when security is years out of date. It’s no wonder then that the pages of newspapers are filled with articles about victims of cyberattacks.”
The problem is likely to be compounded by cyber superweapons being developed by major powers. In the real world, it can take months or years to prepare for a military conflict. In the online world, a ‘war’ can be unleashed in seconds. A cyber superweapon is a piece of malware used against a nation-state causing it significant harm. Perhaps the most high-profile example in recent years is the SolarWinds Sunburst attack.
Even small hacker groups have access to very dangerous threats, and sooner or later these strategic cyber weapons are leaked by the major powers. Moreover, threats and attacks are traded on the darknet, for example, so the number of potential cybercriminals is even larger. Customised data, threats and attacks can be purchased, so amateurs can cause devastating damage for a few tens of dollars.
Stopping the cyberattack pandemic will require cooperation between governments, cybersecurity companies as well as individual organizations.
In May 2021, US organisations saw an average of 671 weekly attacks. This is a 25% increase from the beginning of the year where organizations faced 589 weekly attacks. In EMEA, the weekly average of attacks per organization was 780 in May, compared to 643 at the start of the year, a 21% increase.
The comparison with May 2020 sounds even scarier. Year-over-year, there was a 70% increase in cyberattacks on US organisations, and a 97% increase in EMEA.
In the Americas, botnet attacks increased the most in May, up 26% compared to the beginning of this year. This was followed by infostealers (up 19%), banking Trojans (10%) and ransomware (9%). In EMEA, malware attacks on IoT devices (up 144%) and mobile attacks (up 41%) rocketed.
It is also interesting to compare attacks on individual industries, says Bhula. In May, the Americas saw the largest increases in attacks on carriers (up 51%), software (up 43%) and consulting companies (up 25%), and the largest decreases in attacks on hardware manufacturers (down 69%) and education/research companies (down 22%). The EMEA region, by contrast, saw its third largest increase in attacks on hardware manufacturers (up 26%). As in the Americas, software vendors (up 64%) and utilities (up 46%) saw even bigger jumps. Interestingly, attacks fell for enterprises in the healthcare sector (down 13%) and financial/banking (down 16%).
“Threat detection alone has long been insufficient. Once an attack has penetrated a device or corporate network in any way, it’s too late. It is therefore essential to use advanced threat prevention solutions that stop even the most advanced attacks as well as zero-day and unknown threats,” concludes Bhula.
The shift to remote working has driven up cyberattack volumes, with 78% of businesses reporting an increase in the number of attacks they face, according to data presented by the Atlas VPN team.
Even though social media platforms are flooded with news of companies proudly presenting the fact that they are permanently shifting to a remote-work environment, they usually do not mention the fact that the pivot has created major issues for their security.
Unpatched personal devices, erratic employee behavior, and inadequately protected home networks create many loopholes for threat actors to exploit.
Carbon Black, a company that provides workload protection services, surveyed 3 542 CIOs, CTOs, and CISOs to find out if WFH (work from home) resulted in an increase in cyberattacks. Respondents were from various industries and 14 different countries. The survey was published in June 2021.
The study shows that a massive 96% of enterprises in France saw a significant increase in the number of attacks due to the shift to a WFH environment.
The second most affected country is Australia, where 89% of cybersecurity professionals reported that attacks increased due to employees working remotely. The UK and Japan share third and fourth place, with 86% of respondents stating that they noticed a significant jump in cyber threats in the past year.
As many as 84% of businesses in Saudi Arabia, 83% in the Netherlands, 82% in Singapore, and 80% in the United Arab Emirates said that attacks jumped substantially. Canada is in line with the global average, where 78% of enterprises reported a growth in the cyberattack volume.
The US is at the lower side of the scale, with 63% of cybersecurity professionals reporting an increase in cyber threats in the past year.
Despite the growing risks, and the significant financial and reputational consequences of a breach, a concerning number of South African companies are not prepared for the inevitability of a cyberattack.
This is according to Ryan Mer, MD of eftsure Africa, who says: “Too few senior managers view cybersecurity as a business problem and not just a technology problem. The reality is cybersecurity is very much a business consideration.
“CEOs and CFOs will eventually face critical questions such as: How much money do we spend on cybersecurity? Do we change key processes? How do we create awareness and change company culture? Do we put security ahead of operational functionality? What is the role of internal processes and staff on data security and integrity?”
Mer adds that, because cybersecurity is a business-wide risk, it requires more than isolated activities to be addressed. “This is where the role of a Chief Information Security Officer (CISO) is important. The CISO therefore needs to have technical and security skills and competencies, but equally as important, should understand the finance function, operations of the business, and have the business as well as communication skills to effectively create this span.”
While large corporates are more likely to have the resources to fill the CISO role, businesses below the corporate level may not. In such instances, Mer says an outsourced or CISO-as-a-service offering could add immense value. “Ultimately, and especially in relation to the Protection of Personal Information (POPI) Act, there needs to be a coherent strategy and allocated responsibility in place with respect to cybersecurity, data management, compliance and fraud prevention.”
He adds that in the absence of commonplace and well-developed CISO roles, it is the CFO who should lead the way in addressing cybersecurity concerns, particularly in smaller organisations. “It is potentially disastrous for the finance team to be ignorant of cyber risk. Attackers can target many areas of an organisation, but the dangers are usually measured in financial terms: CFOs cannot ignore cybersecurity simply because it is a complex issue outside their area of expertise.”
In addition to having the skills and oversight necessary to take a broad and long-term view of the potential financial impact of an attack, Mer says the CFO is one of the most natural custodians of data, from collection to its ongoing management. “Attacks will very often target the finance department and its team members directly, and in many instances may even be perpetrated by or assisted by internal team members, in attempts to steal and defraud the business. CFOs need to ensure their own vulnerabilities are both understood, and urgently addressed.”
Ralph Berndt, sales and marketing director at Syrex, agrees that implementing effective cybersecurity solutions today comes down to their practicality and ensuring the fundamentals are in place.
Companies must identify the data that must be secured, the reasons behind securing it, and finding the most cost-effective ways of doing so, he says.
There has been a significant push towards a Zero Trust approach. This is a derivative of the new breed of security threats facing organisations. But despite how the cyberthreat surface is evolving and how sophisticated attacks have become, it remains crucial for the company to define good cybersecurity practice within the context of its business. Ultimately, it is about having the ability to protect and recover information while doing what the business is meant to do.
However, the more secure the environment becomes, the more disruptive it is for employees, Berndt says. The usability of security must therefore be a golden thread throughout the organisation.
He recommends that the strategy begin with endpoint protection of every user device. Given the normalisation of distributed work and how employees have come to rely on their personal devices to access the corporate network and data, safeguarding these devices becomes non-negotiable.
As part of this remote environment, virtual private networks (VPNs) and multi-factor authentication (MFA) become invaluable. These must be implemented in addition to standard perimeter security solutions like firewalls, anti-virus, and anti-malware, Berndt explains.
From a policy perspective, the company must make sure that users only have access to the data and systems central to their job roles. While this has always been important, it was less of a concern as employees would generally only access sensitive data while within the relative safety of the corporate network. But with employees at home becoming easier targets, the risk of lateral movement from one compromised device must be kept as low as possible.
The organisation must therefore understand how its data is being accessed and the applications that are accessing it, he adds. By putting endpoint protection and multi-factor authentication (MFA) in place to enhance existing perimeter solutions, companies can manage remote workers in a more secure way. As mentioned, this protection at a device level must be as integrated as possible to ensure the least impact on employees' experience while maintaining the highest level of security. For these users, it is about having the ability to work in conditions as close to the office environment as possible. They want ease of use and quick access to data.
For organisations, this means a radically evolved playbook when it comes to cybersecurity best practice. From traditional firewall, anti-virus, anti-malware, and mail protection, to endpoint, Active Directory, and Zero Trust, they must either extend their in-house security ‘battle box’ or move to platform as a service to fulfil the security function.
François van Hirtum, chief technology officer of Obscure Technologies, believes that awareness training should be actively deployed to complement organisations’ efforts to secure their e-mail systems.
He says this is because hackers are increasingly targeting people as security technologies become more and more effective.
“The ‘2019 Verizon Data Breach Investigations Report’ found that 94% of all breaches are the result of people having been targeted successfully. People are always the last line of defence, and if your people aren’t properly trained and aware, your data and systems will always be vulnerable,” he says. “Having the right training programme in place is obviously critical, and general training needs to be complemented by targeted training for those who are most at risk.”
For example, phishing is a well-used technique for gaining access into corporate systems. Ponemon’s “Cost of phishing” study revealed that the average 10 000-person organisation spends up to $3.8 million on preventing phishing, while the Aberdeen Group puts the average cost of a successful phishing attack in the region of $136 000.
Van Hirtum says that security training for employees must be functional, specific, and ongoing. This means that general awareness training needs to be supplemented by training for those individuals deemed to be most at risk, given that cybercriminal syndicates identify specific targets. For example, the CFO’s personal assistant or a payroll clerk would be prime targets because they offer a way into the financial heart of the company, and yet might not realise this. Such individuals need specific training about the kind of attacks that could be launched, how to spot them and what to do when they occur. In addition, this training needs to be updated as the threat landscape changes over time.
At present, for example, up to 80% of phishing e-mails contain a reference to COVID as a way to lure recipients to click on links.
“Current threats and how to spot them need to be constantly brought to ‘at-risk individuals’ attention,” Mr van Hirtum says. “The truth is that e-mail security is now very important for any organisation, no matter its size. As always, having the right technology in place is critical.”