Posts Tagged :

cybersecurity

Mobile Phone

UK researchers detail new technique for countering mobile ‘account takeover’ attacks

960 640 Stuart O'Brien

Computer science researchers at the University of Birmingham have developed a new way to identify security weaknesses that leave people vulnerable to account takeover attacks, where a hacker gains unauthorised access to online accounts.

Most mobiles are now home to a complex ecosystem of interconnected operating software and apps, and as the connections between online services has increased, so have the possibilities for hackers to exploit the security weaknesses, often with disastrous consequences for their owner.

Dr Luca Arnaboldi, from the University of Birmingham’s School of Computer Science, explains: “The ruse of looking over someone’s shoulder to find out their PIN is well known.  However, the end game for the attacker is to gain access to the Apps, which store a wealth of personal information and can provide access to accounts such as Amazon, Google, X, Apple Pay, and even bank accounts.”

To understand and prevent these attacks, researchers had to get into the mind of the hacker, who can build a complex attack by combining smaller tactical steps.

Dr Luca Arnaboldi worked with Professor David Aspinall from the University of Edinburgh, Dr Christina Kolb from the University of Twente, and Dr Sasa Radomirovic from the University of Surrey to define a way of cataloguing security vulnerabilities and modelling account takeover attacks, by reducing them their constituent building blocks.

Until now, security vulnerabilities have been studied using ‘account access graphs’, which shows the phone, the SIM card, the Apps, and the security features that limit each stage of access.

However, account access graphs do not model account takeovers, where an attacker disconnects a device, or an App, from the account ecosystem by, for instance, by taking out the SIM card and putting it into a second phone.  As SMS messages will be visible on the second phone, the attacker can then use SMS-driven password recovery methods.

The researchers overcame this obstacle by developing a new way to model how account access changes as devices, SIM cards, or Apps are disconnected from the account ecosystem.

Their method, which is based on the formal logic used by mathematicians and philosophers, captures the choices faced by a hacker who has access to the mobile phone and the PIN.

The researchers expect this approach, which is published in the Proceedings of the 28th European Symposium on Research in Computer Security (ESORICS 23), to be adopted device manufacturers and App developers who wish to catalogue vulnerabilities, and further their understanding of complex hacking attacks.

The published account also details how the researchers tested their approach against claims made in a report by Wall Street Journal, which speculated that an attack strategy used to access data and bank accounts on an iPhone could be replicated on Android, even though no such attacks were reported.

Apps for Android are installed from the Play Store, and installation requires a Google account, and the researchers found that this connection provides some protection against attacks.  Their work also suggested a security fix for iPhone.

Dr Arnaboldi said: “The results of our simulations showed the attack strategies used by iPhone hackers to access Apple Pay could not be used to access Android Pay on Android, due to security features on the Google account.  The simulations also suggested a security fix for iPhone – requiring the use of a previous password as well as a pin, a simple choice that most users would welcome.”

Apple has now implemented a fix for this, providing a new layer of protection for iPhone users.

The researchers repeated this exercise across other devices (Motorola G10 Android 11, Lenovo YT-X705F Android 10, Xiaomi Redmi Note Pro 10 Android 11, and Samsung Galaxy Tab S6 Lite Android).  Here they found that the devices that had their own manufacturer accounts (Samsung and Xiaomi) had the same vulnerability as Apple – although the Google account remained safe, the bespoke accounts were compromised.

The researchers also used their method to test the security on their own mobile devices, with an unexpected result.  One of them found that giving his wife access to a shared iCloud account had compromised his security – while his security measures were as secure as they could be, her chain of connections was not secure.

Dr Arnaboldi is currently engaged in Academic Consultancy where he works with major corporates and internet-based companies to improve their defences against hacking.

Third party-related business interruptions pose increasing risk to organisational cybersecurity

960 640 Stuart O'Brien
Despite increased investments in third-party cybersecurity risk management (TPCRM) over the last two years, 45% of organisations experienced third party-related business interruptions.

That’s according to a new Gartner survey, which points out that third-party cybersecurity risk management is often resource-intensive, overly process-oriented and has little to show for in terms of results.

Zachary Smith, Sr Principal Research at Gartner, said: “Cybersecurity teams struggle to build resilience against third party-related disruptions and to influence third party-related business decisions.”

The survey was conducted in July and August 2023 among 376 senior executives involved in third-party cybersecurity risk management across organizations from different industries, geographies and sizes.

Effective TPCRM Depends on Delivery of Three Outcomes
Successful management of third-party cybersecurity risk depends on the security organization’s ability to deliver on three outcomes – resource efficiency, risk management and resilience and influence on business decision making. However, enterprises struggle to be effective in two out of those three outcomes, and only 6% of organizations are effective in all three (see Fig. 1).

Figure 1. Security Organizations’ Ability to Deliver on Three Outcomes for Effective TPCRM

Source: Gartner (December 2023)

Four Actions for Security Leaders to Manage Third-Party Cybersecurity Risks
Based on the survey findings, Gartner identified four actions that security and risk management leaders must take to increase their effectiveness in managing third-party cybersecurity risk. The survey found that organizations that implemented any of these actions saw a 40-50% increase in TPCRM effectiveness.

These actions include:

  1. Regularly review how effectively third-party risks are communicated to the business owner of the third-party relationship: Chief information security officers (CISOs) need to regularly review how well the business understands their messaging around third-party risks to ensure they are providing actionable insights around those risks.
  2. Track third-party contract decisions to help manage risk acceptance by business owners:Business owners will often choose to engage with a third party even if they are well-informed about associated cybersecurity risks. Tracking decisions helps security teams align compensating controls for risk acceptances and alerts security teams to particularly risky business owners that may require greater cybersecurity oversight.
  3. Conduct third-party incident response planning (e.g., playbooks, tabletop exercises): Effective TPCRM goes beyond identifying and reporting cybersecurity risks. CISOs must ensure the organization has strong contingency plans in place to prepare for unexpected scenarios and to be able to recover well in the wake of an incident.
  4. Work with critical third parties to mature their security risk management practices as necessary: In a hyperconnected environment, a critical third-party’s risk is also an organization’s risk. Partnering with the critical third parties to improve their security risk management practices helps promote transparency and collaboration.

Photo by Sigmund on Unsplash

CISOs: ‘Regulation responsibility is unclear’

960 640 Stuart O'Brien

Over half (56%) of CISOs agree that it is not clear within their organisations whose responsibility it is to manage and implement changes in order to comply with the latest regulations, putting organisations at risk. This is despite over two thirds (67%) claiming that keeping up with changing regulation is an ongoing challenge.

Research conducted by cyber security solutions provider BSS, which explores ‘How CISOs can succeed in a challenging landscape’, also found that a further two thirds (64%) of the 150 UK-based information security decision makers surveyed agreed that regulations change before they have had a chance to successfully implement procedure.

The research also found that regulations like GDPR, which was first implemented in 2018, are still a headache for CISOs, with two thirds (63%) agreeing.

With the deadline approaching on newer regulations such as the Digital Operational Resilience Act (DORA), which comes into action on 17th January 2025, assigning responsibility for managing and implementing regulation must be addressed.

Positively, 80% of CISOs agreed that regulatory compliance is a top priority for their company’s board. But while the priority is there for many, the technology oftentimes does not support it. A third (33%) of CISOs reported that they don’t feel like they have the technology stack required to excel in their role.

In fact, only one in ten (11%) CISOs surveyed reported that their organisations approach to overall cyber risk management is both stable and flexible, allowing them to pivot and respond to opportunities and change, such as regulation.

BSS Director, Chris Wilkinson said: “CISOs need to have a clear idea of where the responsibility for regulation lies in order to succeed in their role. Not complying with regulation leaves organisations at risk and ultimately it is the CISO who will answer to any penalties or cyber threats that come as a result of non-compliance with regulations. If CISOs are culpable then they also need to be in control.”

Photo by Adam Nowakowski on Unsplash

Responding to a cyber attack: why you should call your lawyer

960 640 Stuart O'Brien

By David Varney, partner, and Isaac Bedi, solicitor, in the technology team at independent UK law firm Burges Salmon

With the significant rise in data breaches and cyber incidents in the past few years, organisations are becoming increasingly aware of the risks that cyber attacks pose to their business and cybersecurity threats are now a board-level issue. Sophos’ recent State of Ransomware Report 2023 indicated that around 44% of UK businesses surveyed had suffered a ransomware attack in the previous year, with the average recovery costs (excluding any ransom payment) being around £1.1 million.

However, despite this increased awareness, when sophisticated cyber-attacks do occur, organisations often focus their immediate attention on instructing third party IT providers to remedy and rectify the breach, rather than approaching their lawyers to assist them with ensuring that they comply with their legal obligations in respect of any data breach.

This article examines the legal obligations that organisations should be considering when a cyber attack occurs, as well as the importance of obtaining legal advice on these issues at the earliest stages of an attack – and ideally as part of a well-planned and rehearsed cybersecurity readiness program that is in place prior to any data security incident and ready to action if an organisation is subjected to a cyberattack.

Key Considerations

Clearly the key concern for organisations upon suffering a cyber attack is the restoration of their systems and the recovery of any data lost. To that extent, unless organisations do have internal teams who can deal with an attack, it is critical for them to already have an arrangement in place with a third-party IT provider or instruct them as soon as possible upon discovery of an attack.

However, organisations should also ensure that in conjunction with their immediate IT response, they contact their lawyers to assist with ensuring compliance with their immediate obligations, such as:

  • the compliance obligations associated with paying any ransom to the attackers;
  • the obligation to notify regulators, such as notifying the ICO within 72 hours where any personal data is involved in the attack;
  • any contractual obligations to notify their insurers of the attack;
  • the obligation to notify data subjects of the attack where there is a high likelihood of a risk to their rights and freedoms;
  • any contractual obligation to notify third party suppliers or customers of the attack.

It’s important to remember that failure to notify any insurer within the required timeframe will often result in any coverage for cyber insurance being invalidated. Similarly, any failure to notify third party suppliers or customers may result in a breach of contract, entitling those third parties to terminate any agreement and potentially claim damages as a result.

The advantage of instructing lawyers as part of the immediate response in the aftermath of a data breach is that they can consider all the above issues from the outset and scan the horizon for any issues in the breach response strategy that may create problems or complications for the organisation in the future and once the immediate impact of the breach has been resolved. These issues might include any claims brought by individuals or customers as a result of the cyberattack or any claims the organisations may wish to bring against third parties who may have some responsibility for the breach, such as a third-party IT provider who has failed to diligently protect against a cyberattack.

Most importantly, instructing lawyers at the outset of an attack means that the organisation can benefit from the legal privilege that communication between clients and their lawyers is afforded. In particular, where a third-party IT provider is being instructed to investigate the root cause of an attack, having lawyers instruct the provider on the organisation’s behalf will mean that any report produced may be subject to legal privilege, allowing the organisation to retain control over this information and who this is disclosed to, which is of significant benefit to the organisation should any claims be brought against them as a result of the attack, or indeed should they wish to bring any claim themselves against any third party who may be responsible for it.

Key takeaways and implications

Ultimately, organisations’ response to any cyber attack should ensure that it prioritises its legal obligations in respect of a breach alongside its cyber response. Ensuring that lawyers are on hand at the earliest stages of the breach will allow organisations to ensure they remain compliant with their legal, contractual and regulatory obligations throughout the breach response process.

Paying a ransom ‘doubles stolen data recovery costs’

960 630 Stuart O'Brien

76% of ransomware attacks against organisations resulted in adversaries succeeding in encrypting data – and when a ransom is paid to get data decrypted, victims end up doubling their recovery costs ($750,000 in recovery costs versus $375,000 for organisations that used backups to get data back).

That’s according to the latest annual State of Ransomware 2023 report from IT security specialist Sophos, which has revealed the highest rate of data encryption from ransomware since it started publishing the data in 2020.

Moreover, paying the ransom usually means longer recovery times, with 45% of those organisations that used backups recovering within a week, compared to 39% of those that paid the ransom.

Overall, 66% of the organisations surveyed were attacked by ransomware—the same percentage as the previous year. This suggests that the rate of ransomware attacks has remained steady, despite any perceived reduction in attacks.

“Rates of encryption have returned to very high levels after a temporary dip during the pandemic, which is certainly concerning. Ransomware crews have been refining their methodologies of attack and accelerating their attacks to reduce the time for defenders to disrupt their schemes,” said Chester Wisniewski, field CTO, Sophos.

“Incident costs rise significantly when ransoms are paid. Most victims will not be able to recover all their files by simply buying the encryption keys; they must rebuild and recover from backups as well. Paying ransoms not only enriches criminals, but it also slows incident response and adds cost to an already devastatingly expensive situation,” said Wisniewski.

When analysing the root cause of ransomware attacks, the most common was an exploited vulnerability (involved in 36% of cases), followed by compromised credentials (involved in 29% of cases). This is in line with recent, in-the-field incident response findings from Sophos’ 2023 Active Adversary Report for Business Leaders.

Additional key findings from the report include:

  • In 30% of cases where data was encrypted, data was also stolen, suggesting this “double dip” method (data encryption and data exfiltration) is becoming commonplace
  • The education sector reported the highest level of ransomware attacks, with 79% of higher education organizations surveyed and 80% of lower education organizations surveyed reporting that they were victims of ransomware
  • Overall, 46% of organizations surveyed that had their data encrypted paid the ransom. However, larger organizations were far more likely to pay. In fact, more than half of businesses with revenue of $500 million or more paid the ransom, with the highest rate reported by those with revenue over $5 billion. This could partially be due to the fact that larger companies are more likely to have a standalone cyber insurance policy that covers ransom payments

“With two thirds of organizations reporting that they have been victimized by ransomware criminals for the second year in a row, we’ve likely reached a plateau. The key to lowering this number is to work to aggressively lower both time to detect and time to respond. Human-led threat hunting is very effective at stopping these criminals in their tracks, but alerts must be investigated, and criminals evicted from systems in hours and days, not weeks and months. Experienced analysts can recognize the patterns of an active intrusion in minutes and spring into action. This is likely the difference between the third who stay safe and the two thirds who do not. Organizations must be on alert 24×7 to mount an effective defense these days,” said Wisniewski.

Data for the State of Ransomware 2023 report comes from a vendor-agnostic survey of 3,000 cybersecurity/IT leaders conducted between January and March 2023. Respondents were based in 14 countries across the Americas, EMEA and Asia Pacific. Organizations surveyed had between 100 and 5,000 employees, and revenue ranged from less than $10 million to more than $5 billion.

The importance of investing in EDR for SMEs

960 640 Guest Blog

In 2022, there were over 10,000 new ransomware variants discovered in the first half of the year alone. And, as threat actors grow in number, the frequency of attacks witnessed globally will continue to rise exponentially. No organisation is immune from a breach, as demonstrated by the many cases making headlines today. So, how can SMEs combat this?

High-end, enterprise-level security tools may be perceived to be out of reach for many small businesses, but that thinking is quickly changing. For the new year, companies should look at smart endpoint detection and response (EDR) solutions that include a robust incident management portal that efficiently tracks all open threats.

Without investing in smart software, smaller organisations are underprepared, and therefore at risk, explains David Corlette, Vice President – Product Management, VIPRE Security Group…

The Heat Is On

Not only are small businesses facing more pressure to protect their company from cyber threats, but attacks are also becoming increasingly innovative, with ready-made tools available in multiple forms accessible even to casual attackers, from Ransomware-as-a-Service and Phishing-as-a-Service, to Malware-as-a-Service.

Small businesses make an average of £2.8 million per year, but average breaches cost upwards of £4.5 million. That’s a tight margin, and one with severe consequences – with one out of eight small businesses closing down due to a data breach.

Discouragingly, a recent poll revealed that most small business owners are not adequately concerned. Sixty-one percent weren’t worried about the possibility of their company becoming the target of a cyberattack in the next 12 months and only 4% put cybersecurity as the top risk facing their business. For these reasons alone, SMEs need to be more cautious – and more prepared – than ever.

Closing The Gap

In the same way that bad actors have targeted larger corporations, small businesses are increasingly becoming targets as well, but are more often victims due to their “it won’t happen to us” or “too small to hack” attitude: they lack  sufficient solutions to protect themselves. Prevention is difficult when the traditional methods – hire large IT teams, level up solutions, train existing team members – are often cost- and resource-prohibitive for smaller businesses.

However, small businesses can leverage their existing expertise to create an enterprise-grade endpoint detection and response strategy using newer Endpoint Detection and Response (EDR) technology. In terms of protecting their business, some EDR solutions make it possible for smaller companies to compete with the bigger players, as they provide the sophistication of high-performing, cloud-based solutions without the challenges that users may expect. This advanced technology provides better detection and discovery of more anomalous behaviour than users would receive from standalone antivirus file, process, and networking analysis solutions while also providing investigation and remediation tools to speed response times.

By automating much of the busy work – threat detection, remediation, and response – EDR can close the skills gap and actually put small businesses ahead. This can be more cost-effective compared to directly employing someone full-time to defend against the modern threat landscape; not only are new staff expensive to hire but they are increasingly hard to find.

Additionally, having an EDR tool that uses security automation is important to detect and stop an attack in its early stages. Using behavioural engines, security teams can track each component of the attack as it happens in near real-time. With the help of AI and Machine Learning (ML), a modern EDR can natively identify anomalous activities, such as zero-day ransomware behaviour, and automatically terminate these processes upon detection.

Looking Ahead

Experts anticipate that the growth of the market for EDR solutions will continue. By 2025, according to Gartner’s estimates, more than 60 percent of businesses will have switched from traditional antivirus software to solutions that offer endpoint protection and endpoint detection and response.

Having a modern Endpoint Detection and Response tool is a must-have in any security team’s arsenal, especially for SMEs. It provides a holistic security approach necessary to fight successful battles in the current threat landscape, as EDR solutions supply crucial and quick containment measures, stopping the breach from doing further damage to a network. But EDR solutions also offer strategic long-term benefits by strengthening security posture and enabling organisations to defend against known and zero day threats.

Now is the time for smaller businesses to make the investment in cybersecuritytechnologies, such as EDR, in order to help smaller teams meet the same securitydemands as larger corporations, and to safeguard the SME and its workers against cyberattacks. Ultimately, using the right tools can make all the difference for small business security teams in the year ahead.

Here’s what CISOs will be focused on in 2023/24

960 640 Stuart O'Brien

Fifty percent of chief information security officers (CISOs) will adopt human centric design to reduce cybersecurity operational friction; large enterprises will focus on implementing zero-trust programs; and half of cybersecurity leaders will have unsuccessfully tried to use cyber risk quantification to drive enterprise decision making.

That’s according to the top cybersecurity predictions revealed in the opening keynote at the Security & Risk Management Summit in Sydney by Richard Addiscott, Senior Director Analyst and Lisa Neubauer, Senior Director, Advisory at Gartner.

“There’s no question that CISOs and their teams must be laser focused on what’s happening today to ensure their organizations are as secure as possible,” Addiscott said. “But they also need to make time to look up from their daily challenges and scan the horizon to see what’s coming down the track that might impact their security programs in the next couple of years.

“These predictions are a signal flare for some of those things we see emerging and should be considered by any CISO looking to build an effective and sustainable cybersecurity program.”

Gartner recommends that cybersecurity leaders build the following strategic planning assumptions into their security strategies for the next two years.

Through 2027, 50% of CISOs will formally adopt human-centric design practices into their cybersecurity programs to minimize operational friction and maximize control adoption.
Gartner research shows that over 90% of employees who admitted undertaking a range of unsecure actions during work activities knew that their actions would increase risk to the organization but did so anyway. Human-centric security design is modeled with the individual — not technology, threat or location – as the focus of control design and implementation to minimize friction.

By 2024, modern privacy regulation will blanket the majority of consumer data, but less than 10% of organizations will have successfully weaponized privacy as a competitive advantage.
Organizations are beginning to recognize that a privacy program can enable them to use data more broadly, differentiate from competitors, and build trust with customers, partners, investors and regulators. Gartner recommends security leaders enforce a comprehensive privacy standard in line with GDPR to differentiate in an increasingly competitive market and grow unhindered.

By 2026, 10% of large enterprises will have a comprehensive, mature and measurable zero-trust program in place, up from less than 1% today.
A mature, widely deployed zero-trust implementation demands integration and configuration of multiple different components, which can become quite technical and complex. Success is highly dependent on the translation to business value. Starting small, an ever evolving zero-trust mindset makes it easier to better grasp the benefits of a program and manage some of the complexity one step at a time.

By 2027, 75% of employees will acquire, modify or create technology outside IT’s visibility – up from 41% in 2022.
The CISO role and purview of responsibility is shifting from being control owners to risk decision facilitators. Reframing the cybersecurity operating model is key to the changes coming. Gartner recommends thinking beyond technology and automation to deeply engage with employees to influence decision making and ensure they have appropriate knowledge to do in an informed way.

By 2025, 50% of cybersecurity leaders will have tried, unsuccessfully, to use cyber risk quantification to drive enterprise decision making.
Gartner research indicates that 62% of cyber risk quantification adopters cite soft gains in credibility and cyber risk awareness, but only 36% have achieved action-based results, including reducing risk, saving money or actual decision influence. Security leaders should focus firepower on quantification that decision makers ask for, instead of producing self-directed analyses they have to persuade the business to care about.

By 2025, nearly half of cybersecurity leaders will change jobs, 25% for different roles entirely due to multiple work-related stressors.
Accelerated by the pandemic and staffing shortages across the industry, the work stressors of cybersecurity professionals are rising and becoming unsustainable. Gartner suggests that while eliminating stress is unrealistic, people can manage challenging and stressful jobs in cultures where they are supported. Changing the rules of engagement to foster cultural shifts will help.

By 2026, 70% of boards will include one member with cybersecurity expertise.
For cybersecurity leaders to be recognized as business partners, they need to acknowledge board and enterprise risk appetite. This means not only showing how the cybersecurity program prevents unfavorable things from happening, but how it improves the enterprise’s ability to take risks effectively. Gartner recommends CISOs get ahead of the change to promote and support cybersecurity to the board and establish a closer relationship to improve trust and support.

Through 2026, more than 60% of threat detection, investigation and response (TDIR) capabilities will leverage exposure management data to validate and prioritize detected threats, up from less than 5% today.
As organizational attack surfaces expand due to increased connectivity, use of SaaS and cloud applications, companies require a broader range of visibility and a central place to constantly monitor for threats and exposure. TDIR capabilities provide a unified platform or ecosystem of platforms where detection, investigation and response can be managed, giving security operations teams a complete picture of risk and potential impact.

IT Security Hygiene: Prioritising cybersecurity training and awareness

960 640 Guest Blog

Cybersecurity remains a critical challenge for both small and large businesses, particularly as workforces continue to work from home, and with the amount of innovative cyber attacks increasing. Yet, a recent survey found that 41% of employees are still not provided with adequate cybersecurity training, and 33% of companies are not offering any cybersecurity awareness training to users who work remotely.

IT security hygiene measures – and particularly the lack of them – are one of the most common reasons why cybercriminals gain access to business-critical systems in the first place. With humans as the first line of an organisation’s defence, John Trest, Chief Learning Officer,  VIPRE Security Group emphasises that the key to reducing cyber threats and mitigating human risk is by prioritising and investing in the right security awareness training… 

The Threat Landscape

Cybersecurity is an issue that affects nearly every industry, and businesses of all sizes. From ransomware, phishing to malware, and new innovative methods and technologies being utilised by attackers, it is becoming increasingly difficult for businesses to stay one step ahead and secure their infrastructure.

Combined with the challenges that hybrid working brings, it creates the perfect storm for cyberattackers to take advantage of. According to the latest report, remote work during the COVID-19 pandemic drove a 238% increase in cyber attacks, as attackers leveraged the fact that employees are away from IT teams, and are working on potentially open networks, or surrounded by new distractions.

Within the rapidly evolving cybersecurity landscape, it is crucial that businesses invest in its IT security hygiene by implementing the right measures to prevent such attacks. However, despite there being a number of technologies available to help improve businesses IT cybersecurity posture, 95% of cyber security breaches result from human error. And therefore, if employees are not educated in how to keep themselves and others safe from an attack – these technological investments are set to fail before they even begin.

Training and Education 

Any effective digital security approach must start with security awareness, by teaching employees about the ever-evolving threat landscape. By having a securityawareness programme in place, users are encouraged to adopt safe security best practices and form habits that will keep them and the company’s data safe from bad actors. However, traditional security awareness initiatives frequently fall short in terms of sustaining staff engagement, which limits their effectiveness – being a once a year tick box exercise. Instead, it is vital that businesses invest in engaging, frequent training content for their employees to improve workforce retention and to strengthen its security measures. Learners typically forget 90% of what they learn in a class or course in a matter of weeks. Therefore, it is necessary to reinforce training on a regular basis to keep up the retention of information, and thus the knowledge of the learner to apply best practices in the event of a cybersecurity attack or incident.

Adaptive learning is a powerful teaching tool created to complement human learning styles in order to increase security awareness engagement and strengthen the businesses’ overall security posture. By offering employees a personalised learning experience, any weaknesses or unique needs can be easily identified, and the learning can be tailored to the individual. This especially helps in situations where a course must be deployed to learners at varying levels of understanding on a topic. Often, training administrators must accommodate employees who may be new to the idea of cybersecurity but also employees, such as IT staff who are very familiar with this subject. If a learner can be given content that can adjust itself to the level of their understanding or at least allow a learner to skip material they are already familiar with, then this will help motivate the learner to pay attention as well as make the best use of the limited time they have for training. If adaptive options are available in an organisation’s training, then they should certainly be considered.

Investing in cybersecurity training has become essential for business survival, with research finding that security-related risks are reduced by 70% when businesses invest in training and awareness. It enables organisations to reach the goal of creating a security-conscious culture and protecting them from potential securitythreats.

Legislative Changes

Given the variety of existing regulations, requirements and legal guidelines, it may come as a surprise that until recently, there have been no specific rules in place dedicated to procedures for internal security training and education for employees.

Many companies may have internal rules in place regulating who has the authority to open certain files, for example – but these rules are rarely maintained, reviewed or updated. Furthermore, with the cybersecurity landscape constantly changing and evolving with new sophisticated attack methods, it is vital that employees remain updated and aware of the potential threats they face.

Thankfully, the emergence of NIS 2 (The Network and Information Security Directive 2.0) is expected to place legal requirements on IT security training for employees across Europe, pushing it up the priority agenda for organisations.

The NIS 2 directive outlines that both essential and important entities should implement additional cybersecurity risk-management measures that are commensurate with the cyber risk, including; risk analysis, information securitypolicies, and business continuity (backup management and disaster recovery) – ensuring basic ‘cyber hygiene’ practices and offering cybersecurity training. The implementation of the NIS 2 directive should be seen as a positive – strengthening cybersecurity resilience across Europe – with a specific focus on appropriate training procedures.

Conclusion 

Businesses that lack adequate cyber hygiene best practices and measures put themselves at a higher risk of a cyber-attack. A key factor of any organisation’s cybersecurity defence is its workforce, as the responsibility of clicking on a link, or sending an email to the right person lies with the individual. Therefore, business ideas need to prioritise their security investment by making education and awareness a top priority – which will continue to be driven with new legal regulations coming into place, such as NIS 2. Companies cannot expect their employees to remain ahead of evolving risks without training.  Security Awareness Training enables users to become more vigilant and security conscious, in turn, helping to reduce an organisations cyber risk whilst encouraging secure user behaviour in the workplace and at home.

Getting your cyberSecurity foundations right

960 640 Stuart O'Brien

Over 2022, the cybersecurity industry continued to accelerate, with rising numbers of attacks (global attacks increased by 28% in the third quarter of 2022) and sophisticated methods.

Yet, recent research found that the majority of securityleaders believe that their organisation is still falling short in addressing cybersecurityrisks, with a lack of investment in cybersecurity (26%), inadequate training (24%) and security application (24%). 

With no sign of cyber attacks slowing down over 2023, these numbers are a cause for concern, as businesses continue to leave the door wide open to be infiltrated without the basic cybersecurity strategies in place.

Investing in cybersecurity should be at the top of businesses’ priorities for the new year, and a 360-degree approach is key – combining technology solutions, email protection and security awareness training, according to Usman Choudhary, Chief Product Officer, VIPRE

Education is Key 

Humans are the first line of defence when protecting an organisation against cybercriminals, as the employees make the final decision to open an email, or click on a link. However, research found that in 2022, 82% of breaches were due to human error.

If employees are not trained nor educated on the cybersecurity landscape, they cannot be expected to spot cyber attacks, protecting themselves and the business.  Therefore, it is crucial that organisations implement SAT (Security Awareness Training) programmes regularly, rather than a tick box exercise annually. This training is designed to help the user understand their responsibilities when it comes to keeping the company secure and preventing attacks, empowering them with the knowledge and skills to be more security conscious as part of the overall IT securitystrategy and protection.

Additionally, by making the workforce more confident, it means that there is less reliance on stretched IT teams and those who work from home can feel more empowered when they don’t have instant access to the IT team.

EDR Technology to Enhance Cybersecurity Protection 

As well as companies improving their employees’ knowledge of cyber threats, implementing technology can further support cybersecurity strategies by adding a second layer of protection against attacks.

Digital solutions such as Endpoint Detection and Response Technology (EDR) can be used to support organisations in monitoring, flagging and alerting cyber threats – such as ransomware and malware – by using endpoint data collection software installed into machines. If any suspicious activity is detected, the system is triggered. EDR technology can also block malicious activity, temporarily freezing an infected endpoint from the rest of the network, stopping any malware from spreading.

Email Prevention Tools

Email is considered the main method for both internal and external communication in any organisation – with 347.3 billion emails expected to be sent and received daily over 2023, which is a 4.3% increase from 2022. However, email is also a key entry point for a cyber attack, with 1 in 99 emails being a phishing attack. Therefore, ensuring that email communication is kept secure is vital.

Mistakes can easily be made – but they can also be easily prevented. Sending an email to the wrong person, or opening a malicious attachment can have catastrophic consequences. But, by having email prevention tools in place, users can feel secure with this extra layer of protection when sending and receiving emails internally. This is because such tools can alert the user to take a crucial ‘double-check,’ confirming that the recipient or attachment is correct, which will in turn, help to eliminate data leakage due to autocomplete errors.

Conclusion

In 2023, businesses must ensure that their cybersecurity strategy is prioritised and invested in. Whilst it may be difficult to predict the year ahead in terms of cyber attacks and tactics, businesses should be prepared for the threat landscape to continue to evolve, with bad actors continuing to innovate new methods for attacks. However, by adopting a 360-degree approach, organisations can cover all potential risks by empowering their employees with both education and technology, including email prevention tools, EDR technology and security awareness training programmes.

A multi-faceted approach to cybersecurity is crucial against the modern threat landscape, but it is best if these security strategies work in tandem, rather than separately. This approach means that businesses and its users will be given the confidence and reassurance they require, effectively closing any potential gaps for attackers to exploit, transforming its security posture for the year ahead.

IT Governance: 31.5m records breached in December 2022

960 640 Stuart O'Brien

In its latest analysis of data breaches and cyber attacks across the world, IT Governance has identified 78 publicly disclosed security incidents in December – resulting in 31,586,757 compromised records.

Compared to November 2022, we can see a slight decline, where we identified 95 publicly disclosed security incidents and 32,051,144 compromised records.

Alan Calder, Founder and Chairman of IT Governance, said” “Although November was a particularly bad month for security, December still shows an unnerving level of incidents. As organisations enter the holiday period, it’s important for them to remember that cyber attacks and data breaches don’t pause during this time, and can often have more of an impact – one factor being due to the absence of in-office employees.

“Cyber criminals are always seeking ways to take advantage, and the Christmas period is especially enticing to them as people are not always ‘on the ball’ during this period. The increase of online shopping and financial transactions around Christmas also gives plenty of opportunities for cyber crime, so it’s vital to stay vigilant and protect your personal information, as well as organisations taking the necessary precautions to stay one step ahead of criminals. Investment in strong cyber defence in depth is so important to ensure you can withstand a breach, not just during the holiday period, but throughout the year.”

You can find the full list of incidents with further details here, broken into their respective categories; Cyber Attacks, Ransomware, Data Breaches, Financial Information, Malicious Insiders and Miscellaneous Incidents.