
Posts tagged: cyber security

Top five security predictions for 2022

By Stuart O'Brien

With the COVID-19 pandemic continuing to put businesses and society at risk, Andy Robertson, Head of Enterprise & Cyber Security, at Fujitsu UK&I, has laid out his top five predictions for 2022…

In these unprecedented times, organisations have had to adapt their security processes substantially to new ways of working and living. But the fact that current defences withstand attackers today does not mean cyber criminals won't strike again; they are constantly developing new tactics to find and exploit fresh weaknesses.

As the UK still faces the COVID-19 pandemic, businesses are facing a hacking epidemic. For example, the National Cyber Security Centre's (NCSC) 2021 annual review found that there were three times as many ransomware attacks in the first quarter of 2021 as in the whole of 2019. Current remote working practices have significantly changed the security landscape, but the need to keep everything connected and secure hasn't changed. Businesses need to embed revised security measures right from the start so that their employees can keep operating securely, wherever they are in the world.

As we enter the third year in which the pandemic continues to impact organisations, here are my top five predictions for cyber security in the coming 12 months…

1. Trust will be maintained by Zero Trust Architecture in the hybrid working world

2020 and the early part of 2021 were all about remote working. Moving into 2022, I expect to see more organisations embrace and establish hybrid working as the norm. New data from Glint reveals that 87% of employees would prefer to stay remote at least half of the time, even after it was safe to return to their workplace.

As organisations adapt to different working patterns and locations, this fairly new hybrid working approach introduces new security risks. A login from a remote location late at night – once considered suspicious – is now a much more common occurrence as hybrid workers balance work and life priorities.

To help reduce the risks and the burden of monitoring those risks, organisations should consider implementing a Zero Trust approach. It’s a remarkably simple concept. Businesses must assume that there will be a breach, that anything can be compromised, and that no-one is really who they say they are or is acting responsibly. This does not mean you don’t trust your employees, partners, suppliers, or customers – as people. It’s actually about knowing who they are, what they are doing, what technology they are using, and what level of authorisation they have for each thing they do, every time they do it, wherever they are doing it.


This means that data, systems, and equipment are treated equally and securely. It doesn’t matter where they are located, in your network or outside it. Nothing is trusted until you know it can be trusted.

2. IT and OT cyber security will both be the CISO's concern

In 2022, Operational Technology (OT) cyber security will be recognised as being as important as IT security for assuring business continuity. The number of large-scale attacks on OT grew in 2021, with 83% of critical infrastructure companies reporting breaches in the last three years. I expect this to continue in 2022 as cyber criminals seek to further exploit these potentially vulnerable systems, which control critical processes and are therefore lucrative targets.

IT and OT cyber security will become a greater concern for the CISO as they seek to reduce overall risks for their organisation. The good news is that satisfying the new end-to-end cyber security paradigm brings benefits beyond pure risk mitigation. The cyber security measures an organisation deploys will become a key quality characteristic, which organisations will be required to demonstrate in order to be admitted to digitised supply chains.

CISOs will need to give the same attention to their OT security as they do IT to gain all of these benefits.

3. True Business Continuity will require greater levels of collaboration and real-time insights

The COVID-19 pandemic reached an unprecedented scale and longevity that rippled through the way organisations operate, communicate, and safeguard against future disruptions. And these weren't the only factors testing organisations' continuity plans in the last two years. Society also simultaneously experienced civil unrest, wildfires, and hurricanes. This exposed weaknesses in organisations and demonstrated how historically siloed approaches to resiliency put organisations in grave danger. For instance, ransomware attackers targeted three US water facilities in 2021, which is concerning against the backdrop of droughts.

No one had a plan robust enough for 2020. The pandemic also prompted volatile and unpredictable market conditions. It not only demonstrated the interdependence of multiple areas of risk but showed organisations that they must be vigilant about all disciplines simultaneously and holistically.

As we move into 2022, I expect to see more uncertainty and volatility that will stretch continuity plans. Organisations that want to build resilience and stability should bring together multiple disciplines such as business continuity, IT continuity/Disaster Recovery, risk management and procurement (supply chain) to collaborate on wider-reaching plans that facilitate real-time decision-making based on data instead of historic trends.

I also expect to see industries collaborating and regulators taking a greater interest in resilience across critical industries. A primary example of this is the operational resilience policy released by the UK's financial regulators: the Financial Conduct Authority (FCA), in partnership with the Prudential Regulation Authority (PRA) and the Bank of England (BoE). The rules come into effect in March 2022, with full compliance required by March 2025.

4. The strongest form of defence… will come from being attacked

To build organisational resilience against a rising tide of cyber threats in 2022, organisations will have to learn to think like cyber criminals. Cyber criminals are on the offensive and will always look for ways to exploit any weakness they find, without any regard for law and ethics. They rely on exploiting complacency and organisations focusing on agility at the expense of security.

One of the most critical vulnerabilities to watch in the years to come is the one in Log4j, the widely used open source Java logging library. This vulnerability is currently leading to the compromise of systems and data and will continue to do so in 2022. Attackers will iterate on and develop exploits for it and use them to deploy ransomware and cryptocurrency miners on the systems they compromise. Log4j is also likely to attract further scrutiny from attackers and vulnerability researchers looking for other weaknesses within the logging utility.

To build the right defences, organisations must learn how to think like an attacker so that they can close down any gaps that could be exploited. Organisations should embrace attack simulations and wargaming with a trusted security partner, who can help them set up realistic scenarios, run them, and then learn from the results. A wargame is the simplest and best way to find gaps in your defences, and what you learn from a simulated attack reduces the chance of having to respond to a real one.

Working with security service providers that deliver Breach & Attack Simulation services helps an organisation test for vulnerabilities, see how effective its security posture is, and identify where it needs to be strengthened or even changed completely.

5. Turning the tide on security alert fatigue

Covid has added to the urgency of many businesses’ migration to the cloud and boosted consumer adoption of cloud services, and that’s set to continue for a long time. One estimate predicts that the cloud computing market size will reach $1.2 trillion by 2028. Increased cloud consumption has been accompanied by an equally rapid increase in the number of threats and alerts from across those platforms.

Inevitably, in 2022 we will see more security alerts, which will exacerbate the problem of 'alert fatigue', where IT security teams become overwhelmed and miss the signs of a significant attack. The continuing skills shortage in the cyber industry, combined with this fatigue, means organisations will need to think differently and will have a greater incentive to explore security automation solutions that can prioritise alerts and even enact pre-defined responses to reduce the burden on security professionals.

UK Cyber Security Council and SASIG partner for skills drive

By Stuart O'Brien

The UK Cyber Security Council and the Security Awareness Special Interest Group (SASIG) have announced a new partnership to further enhance and develop careers, skills and training in cyber security.

The Council and SASIG will work together on key webinars and events designed to improve trust in the online environment and to honour their shared commitment to education and knowledge sharing throughout the community. One of the forthcoming events on which the Council will partner with SASIG is the third Cybersecurity Skills Festival, which takes place on Tuesday 22 February 2022.

For those looking to re-skill into a new career sector, cyber security is an attractive option. With a new reliance on technology in all aspects of life, a huge number of new technology-focused jobs are constantly emerging. Cyber security is a growing market, and it is estimated that the cyber industry will need an additional 3.5 million qualified professionals by 2023.

With skills, education and training in cyber security being firmly on the agenda for the work that the UK Cyber Security Council is doing, partnering with SASIG in this key area to help individuals transition into a career in cyber security was a natural choice.

Speaking of the partnership, Simon Hepburn, CEO of the UK Cyber Security Council, said: “We are delighted to partner with SASIG as we move forward with our careers and learning workstream. Getting more people to consider entering the cyber security industry is crucial, and we look forward to working with SASIG on this.  We will be launching a programme of joint activities in the coming months such as webinars and events and with skills, training and education in cyber security very high on the agenda for the UK Cyber Security Council, this was a very natural partnership that aligns with the core values of the UK Cyber Security Council perfectly.”
Martin Smith MBE, Chairman and Founder of SASIG, said: “It is a privilege to be working with the prestigious UK Cyber Security Council on the vital task of bridging the cybersecurity skills gap – in SASIG’s view, the single most important strategic challenge our profession faces. Our Skills Festivals have already established themselves as a successful way of bringing together those looking for new talent and those wanting to enter our dynamic and exciting profession, but there is much more to be done. This new partnership between SASIG and the UK Cyber Security Council will be central to these efforts.”

Americans lost a record $3.5bn to cybercrime in 2021 YTD

By Stuart O'Brien

A wave of cybercrime is sweeping across America, causing the biggest losses in history. Atlas VPN extracted data from publicly available government sources and found that US citizens had already lost $3.49 billion to cybercrime in the first three quarters of 2021.
You don’t need to bring out the calculator – the damages come out to $12.78 million per day.
Edward Garb, a cybersecurity researcher at Atlas VPN explains the main driving forces behind the surge in cybercrime damages: “Cybercriminals are using the buzz around cryptocurrencies, NFTs, and the metaverse to trick people into investing in bogus projects that disappear after raising a hefty sum of money.”

The data for the analysis is based on reports submitted through the official Federal Trade Commission websites –  IdentityTheft.gov and ReportFraud.ftc.gov. Citizens can get help by receiving personal identity theft recovery plans.

Regarding monetary damages – the FTC does not resolve the allegations, but it does disseminate the information to over 3,000 law enforcement agencies across the United States for further investigation.

The analysis reveals that cybercrime losses rocketed by 82.91% in 2021 compared to the same period the previous year. To be exact, people lost $1.58 billion more (yes, billion) this year than they did in the same period in 2020.

These losses are a result of 1.6 million unique fraud and identity theft reports submitted to the Federal Trade Commission websites mentioned previously.  This means that the FTC has to deal with around 5,869 complaints every single day.
Last year, the number of reports stood at 1.09 million after the first three quarters of the year, which is around a third less than in 2021. Back then, they had to go through 3,981 complaints daily.
To better understand the current cybercrime landscape, Atlas VPN analyzed which crimes caused the most trouble.
Atlas VPN had already noted that investment-related crimes are on the rise due to countless projects in the crypto, NFT, and metaverse markets. This year, US citizens lost a staggering $956 million to these types of scams, representing 277.87% growth year on year.

What role does cyber security play in digital transformation?

Guest blog by Richard Menear, CEO, Burning Tree

The capabilities of modern technology have continued to progress, with widespread digitisation sweeping through almost every aspect of our lives. Digital transformation takes digitisation one step further, integrating technology into each business area — including improving operations, refining the customer experience and fostering a more cyber-aware workforce.

And although digitisation was underway before the COVID-19 pandemic hit in 2020, many organisations — from universities to food delivery companies — were forced to ramp up this process and embark on total digital transformation in response to new remote working requirements and changing consumer behaviour. So much so that the adoption of technology sped up by three to seven years in the space of mere months as organisations raced to implement the latest software.

But in the modern world, simply adopting new technology or software into your business is not enough to keep pace with competitors. For a fully integrated digital transformation to succeed, IT professionals and business leaders must ensure security is built in at every stage — or risk falling foul of increasingly sophisticated cyber attacks.

What does digital transformation entail?

When a business undergoes digital transformation, its IT becomes the central hub for all its operations. Digital transformation will look different for every business (and even vary between teams within the same company) but generally involves a complete rethinking of how organisations operate using technology.

Digital transformation might mean investing in IT departments, building a new mobile application or e-commerce site, or implementing DevOps or Agile programs to improve system functionality. Whatever the case may be, the point of digital transformation is to embrace the improved agility, scalability and flexibility that modern technology has to offer to automate critical processes and make a business more efficient as a whole.

Without adopting technologies such as the Cloud or the Internet of Things (IoT), many businesses of all sizes and sectors will struggle to keep up with the demand for digital, as physical legacy systems become outdated and unable to support growth. In fact, what was once considered best-in-class adoption speed, even just a few years ago, is now slower than the average for most businesses.

An effective digital transformation will allow a business’ IT to contribute to offerings and generate revenue — not just prop up existing functions. Plus, by streamlining processes and building the infrastructure necessary to do so, technology can improve communication, customer service and, most importantly, security. But only if security is built in from the outset…

When can digital transformation threaten security?

In a rush to get the newest technology and software online, many businesses make cyber security an afterthought — leaving them and their customers vulnerable to attack.

In the past year, there have been a staggering number of cyber attacks in the UK alone. On-premises Microsoft Exchange servers were famously compromised at scale in 2021, with at least 60,000 known victims around the world before the campaign was detected. Even schools have fallen victim to hackers, such as six schools on the Isle of Wight recently compromised by a ransomware attack.

And it is not just the large corporations at risk; small and medium-sized enterprises (SMEs) are regularly subjected to hacking attempts. Around 65,000 attacks are carried out every day in the UK — approximately 4,500 of which are successful.

So, as IT infrastructures grow in size and companies lean on cloud-native technology for daily functions, new systems must have the capability to identify and mitigate security risks at an early stage of software lifecycles. Otherwise, application vulnerabilities could introduce an unacceptable amount of risk and prevent a system from keeping pace with changing threats and developments, negating the purpose of implementing new technologies in the first place.

Therefore, effective digital transformation must involve a complete overhaul of how businesses think about security — from educating a more cyber-aware workforce to securing the appropriate budgets for IT departments and cyber security software.

Cybersecurity: The crucial double check 

By Stuart O'Brien

Cybercrime has quickly become the world's fastest growing form of criminal activity, and is showing no sign of slowing down as the number of attacks on businesses continues to increase. COVID-19 has acted as a catalyst for this, with hackers taking advantage of remote workers during challenging times.

Despite innovations and growing sophistication in hacking methods, one of the main sources of data loss is insiders, including employees making mistakes. Humans make errors, and stressed, distracted employees make even more of them. With sensitive information on the line, from regulatory compliance to safeguarding Intellectual Property (IP), companies are increasingly concerned about the risk of inadvertent data loss. But how can this threat be mitigated?

Andrea Babbs, UK General Manager, VIPRE SafeSend, emphasises the importance of implementing a crucial double check to improve email security culture…

Human Error 

Business reliance on email is creating a very significant cyber security risk – and not simply due to the increasing volume and sophistication of phishing and ransomware attacks. Given the sheer volume of emails sent and received a day (over 300 billion every day in 2020), mistakes are inevitable. Employees are trusted with company-sensitive information and assets, and many are permitted to make financial transactions – often without requiring additional approval. Furthermore, with strict data protection requirements in place, not only GDPR, but also industry specific regulations, organisations clearly require robust processes to mitigate the risk of inadvertent data loss.

According to reports, 34% of all breaches are caused by insider fault, yet many employees are unaware of their responsibility when it comes to data protection. Should confidential corporate information fall into the wrong hands, the consequences could be devastating, including financial penalties, loss of trust and competitors gaining an advantage. BitMEX, one of the world’s largest cryptocurrency trading platforms accidentally leaked thousands of private customer email addresses when they sent out a mass mailshot without using the BCC function. But how could this mistake be stopped? What employees need is a way to better manage their email functions, with an opportunity for potential mistakes to be flagged before an individual hits send, for example showing who is in the to, cc and bcc fields.

Additional Layers 

Few organisations have a clear strategy for helping their employees understand how a simple error can put the company at significant risk; even fewer have a strategy for mitigating that risk and protecting their staff from becoming an insider threat. But more importantly, what they may not be aware of is that there is a solution available that can add a layer of employee security awareness.

Businesses can help employees avoid simple mistakes, such as misaddressed emails, by providing a simple safety check, which alerts users to confirm both the identity of the addressee(s) and, if relevant, any attachments. The solution can be configured to work on a department or user basis, for example, a business may not want HR to be able to mistakenly send sensitive personal information to anyone internally and therefore require a confirmation for all emails.

In addition to confirming email addresses and attachment(s), the technology can also check for keywords within the email content using Data Loss Prevention (DLP) rules, and each business can set its own requirements and parameters determined by its corporate security protocols. Any email, including attachments, containing these keywords is flagged and requires an extra validation step before it is sent, without impeding working practices, giving users a chance to double check whether the data should be shared with the recipient(s).

The Essential ‘Pause’ Moment 

Deploying an essential tool that prompts for a second check and warns when a mistake is about to be made helps organisations mitigate the risk of accidental error, and the potentially devastating consequences that might have on the business. Accidentally CCing a customer, rather than the similarly named colleague, will be avoided because the customer’s domain will not be on the allow list and therefore automatically highlighted. This is more crucial than ever before with employees dispersed across a range of locations as part of hybrid working. Such tools can support mixed operating system environments and DLP add-ons can be given to certain departments and groups who handle very sensitive information such as employee or legal data.

This type of tool is key for companies and reinforces a security culture, building on education and training, with a valuable solution that helps users avoid the common email mistakes that are inevitable when people are distracted, tired or stressed. It provides an essential ‘pause’ moment, enabling individuals to feel confident that emails have been sent to the right people and with the right attachments.

In addition to checking the validity of outbound and inbound email addresses and attachments, the tool can also help minimise the risk of staff falling for a phishing attack. Consider an email that purports to come from inside the company but actually uses a cleverly disguised similar domain name, such as V1PRE instead of VIPRE. The technology automatically flags that address when the user replies, showing that it is not from an allowed domain and enabling the user to cancel the send and avoid falling for the phishing attack.
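The pre-send checks described above (recipients outside the allow list, a lookalike domain such as V1PRE for VIPRE, a mass mailshot with addresses visible in To/CC as in the BitMEX incident, and DLP keyword hits), as an added example written for this page. It is not VIPRE SafeSend's code; the allowed domains, the keyword list, the visible-recipient threshold and the sample message are all constructed assumptions for illustration.

```python
"""Outbound email 'pause' check: allow-listed domains, lookalike domains,
visible external recipients and keyword DLP. Added example; all configuration
below is assumed, not taken from any product."""
import re
from dataclasses import dataclass, field

ALLOWED_DOMAINS = {"example.com", "partner.example.org"}        # assumed
DLP_KEYWORDS = {"salary", "payroll", "national insurance", "confidential"}  # assumed
MAX_VISIBLE_EXTERNAL = 5   # assumed: more external addresses in To/CC => suggest BCC

# Substitutions commonly used to build lookalike domains (1 for i, 0 for o, rn for m).
_CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "l": "i"})
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def normalise_domain(domain: str) -> str:
    """Map lookalike characters to the letters they imitate (comparison only)."""
    d = domain.lower().translate(_CONFUSABLE_CHARS)
    for pair, plain in _CONFUSABLE_PAIRS:
        d = d.replace(pair, plain)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """'allowed', 'lookalike' (imitates an allowed domain) or 'external'."""
    domain = domain.lower()
    if domain in ALLOWED_DOMAINS:
        return "allowed"
    norm = normalise_domain(domain)
    for allowed in ALLOWED_DOMAINS:
        if norm == normalise_domain(allowed) or edit_distance(domain, allowed) == 1:
            return "lookalike"
    return "external"


@dataclass
class Message:
    sender: str
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    subject: str = ""
    body: str = ""
    attachments: list = field(default_factory=list)   # attachment file names


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def check_outbound(msg: Message) -> list:
    """Return (severity, reason) findings. 'block' means the domain imitates an
    allowed one (likely phishing reply); 'confirm' means re-read before sending.
    Replying to a mail puts its sender into `to`, so the same check covers replies."""
    findings = []
    visible = msg.to + msg.cc
    external_visible = []
    for addr in visible + msg.bcc:
        kind = classify_domain(domain_of(addr))
        if kind == "lookalike":
            findings.append(("block", f"{addr}: domain imitates an allowed domain"))
        elif kind == "external":
            findings.append(("confirm", f"{addr}: external recipient"))
            if addr in visible:
                external_visible.append(addr)
    if len(external_visible) > MAX_VISIBLE_EXTERNAL:
        findings.append(("confirm", f"{len(external_visible)} external addresses "
                                    "visible in To/CC; use BCC"))
    # DLP: keyword scan of subject, body and attachment names.
    text = re.sub(r"[^a-z0-9]+", " ", " ".join([msg.subject, msg.body, *msg.attachments]).lower())
    hits = sorted(k for k in DLP_KEYWORDS if re.search(r"\b" + re.escape(k) + r"\b", text))
    if hits:
        findings.append(("confirm", f"sensitive keywords {hits} in subject, body or attachment names"))
    return findings


# Constructed sample: one lookalike recipient, six customers visible in CC, payroll data attached.
SAMPLE = Message(
    sender="hr@example.com",
    to=["alice@example.com", "bob@examp1e.com"],
    cc=[f"customer{i}@mail.test" for i in range(6)],
    subject="Payroll update",
    attachments=["salary_bands.xlsx"],
)

if __name__ == "__main__":
    for severity, reason in check_outbound(SAMPLE):
        print(severity.upper(), reason)
```

The normalisation step deliberately over-flags: a genuinely different domain that normalises to an allowed one is still shown to the user for confirmation, which is the behaviour the text asks for. A clean internal-only message produces no findings, so the prompt only appears when something is worth a second look.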

Conclusion

Email is arguably the key productivity tool in most working environments today, placing much of the responsibility for secure use of that tool on employees. But supporting staff with an extra prompt to double check they aren't mistakenly sharing confidential data raises awareness and understanding and provides that essential security lock-step before it's too late. The premise is not to add time or delay to the day-to-day management of email; it is about fostering an attitude of awareness and care in an area where a mistake is easily made.

No organisation is immune to human error, but having a clear strategy in place to address misaddressed emails and data loss through email, and to mitigate the associated risks, helps businesses remain compliant and secure. It's all about increasing awareness and improving email culture where mistakes can so easily be made, while reinforcing compliance credentials.

UK holds Chinese state responsible for ‘pervasive pattern of hacking’

By Stuart O'Brien

The UK is joining what it calls like-minded partners to confirm that Chinese state-backed actors were responsible for gaining access to computer networks around the world via Microsoft Exchange servers.

The attacks took place in early 2021, affecting over a quarter of a million servers worldwide.

The government says the attack was highly likely to enable large-scale espionage, including acquiring personally identifiable information and intellectual property.

At the time of the attack, the UK says it quickly provided advice and recommended actions to those affected, and Microsoft said that by the end of March 92% of customers had patched against the vulnerability.

The UK is also attributing to the Chinese Ministry of State Security the activity known to cyber security experts as "APT40" and "APT31".

Widespread, credible evidence demonstrates that sustained, irresponsible cyber activity emanating from China continues.

The Chinese government has ignored repeated calls to end its reckless campaign, instead allowing its state-backed actors to increase the scale of their attacks and act recklessly when caught.

This coordinated action today sees the international community once again urge the Chinese government to take responsibility for its actions and respect the democratic institutions, personal data and commercial interests of those with whom it seeks to partner.

The UK is calling on China to reaffirm the commitment it made to the UK in 2015, and as part of the G20, not to conduct or support cyber-enabled theft of intellectual property or trade secrets.

As part of a cross-Government response, the National Cyber Security Centre (NCSC) issued tailored advice to over 70 affected organisations to enable them successfully to mitigate the effects of the compromise.

In 2018, the UK government and its allies revealed that elements of the Chinese Ministry of State Security (MSS) were responsible for one of the most significant and widespread cyber intrusions stealing trade secrets.

Foreign Secretary Dominic Raab said: "The cyber attack on Microsoft Exchange Server by Chinese state-backed groups was a reckless but familiar pattern of behaviour. The Chinese Government must end this systematic cyber sabotage and can expect to be held to account if it does not."