You may have heard the saying that the only constant in life is change, and nowhere is this more apparent than in the ongoing arms race between the "hackers" and the defenders of your precious data. Each year the threats to data (and reputations) mutate, becoming more complex and potentially more damaging. What worked last year as a defense is suddenly rendered much weaker in the face of the new threat.
IT security is in a constant state of flux: the threats have changed, and the response of businesses and IT companies has changed with them. To help you and your business stay up to date, we have put together the following brief guide to the trends seen recently.
Who is ultimately responsible for cyber incidents?
A fairly dramatic shift with regards to responsibility has occurred over the past few years. Whereas previously the IT team held all responsibility, in roughly half of companies surveyed by Telstra the buck now stops at the C-suite. Day-to-day management of security still resides with the IT team, but due to the various new compliance regimes (GDPR, Notifiable Data Breach legislation) and the ramifications of falling foul of them, management teams are now in the firing line should something go wrong. This heightened focus from senior management has resulted in a marked increase in the frequency of security briefings. 85% of surveyed companies brief senior management at least once per quarter, and about half do so at least once per month.
Driving this change of ultimate responsibility are the perceived impacts of a breach. Year on year, loss of productivity and corruption of data have been the top fears of businesses, and this has not changed significantly. What has changed, however, is that a greater number of businesses are reporting serious concerns about litigation and fines following the implementation of the new compliance regimes. These represent the direct costs of having to report breaches and can have a material impact on a business's profitability. A secondary effect of reporting that is becoming more of a concern is loss of customers due to distrust generated by negative publicity and the simple act of disclosing to customers that their data has been compromised.
- Increased senior management consultation is imperative to adequately address the increased risk from cyber attacks and the legal and reputational damage that can result. Quarterly management reviews of security are recommended to enable the management team to gain an understanding of where the business is at risk and how to mitigate against these risks.
- Businesses must review their IT security budget to ensure that it is appropriate. 79% of companies surveyed by Telstra are reporting increased security budgets to combat new threats.
What is the number one threat to IT security?
Perhaps unsurprisingly, the number one threat identified by security experts and IT teams is users themselves. In most cases of an insider-driven breach, the breach was not due to a malicious act but was the result of an accident or of an employee being targeted by a third party. Classic examples are the accidental emailing of confidential information to an unintended recipient or, in the case of a targeted insider breach, the transfer of information or funds to a third party through fraudulent use of credentials (login information). Only around 10% of respondents to the Telstra survey identified malicious insiders as having been a source of breaches. While 10% is not insignificant, the 37% of breaches due to non-malicious insiders is still the larger concern and likely to be the easier to address.
- Businesses should implement (if they have not already done so) regular security / compliance awareness training. Employee awareness and increased maturity of a business's security culture are not going to happen overnight. Rather, it is a gradual process that requires repetition and visible leadership from the management team to take hold.
Phishing is still the preferred attack method for those up to no good.
In their latest Security Intelligence Report, Microsoft analysed over 470 billion email messages and found that the incidence of phishing emails increased by a whopping 250% in a 12 month period. Combined with the fact that email delivers about 90% of all malware and 4% of phishing email recipients will actually click on the contents, it's clear that this method of data breach is not going anywhere soon. Most worryingly, a Cofense report found that 1 in 10 emails that users reported were found to contain malware/phishing that had managed to evade all network defenses, including mail gateways and firewalls. What this means is that while automated tools can and do help to stem the flood, your final line of defense is a well trained and skeptical staff member.
- Invest in a robust anti-phishing training regime. This should form part of your overall security training program and can include simulated phishing campaigns, regular email bulletins and office signage to regularly remind staff to be on the lookout.
- Roughly half of all reported phishing emails are tied to credential phishing. Credential phishing is the threat to which users are most susceptible during simulations. While your training regime should reduce the incidence of users falling for these emails, implementing Multi-Factor Authentication (MFA) will usually render these attacks impotent and provide a huge extra layer of protection to the user and the business. MFA is fast becoming a default in the same way that usernames and passwords have been for a number of years, as the approach has been shown to reduce the effectiveness of identity attacks by 99.9%.
Has ransomware disappeared?
The short answer is no. Microsoft data has shown that the incidence of ransomware has decreased significantly compared to its peak in early 2018. What is concerning, though, is that ransomware is becoming much more targeted, as attackers are using social media to identify key users and departments to go after. By doing their homework on individuals instead of using the scattergun approach, attackers are able to tailor their communications to make it much more likely that a user will accidentally run their payload. This targeted approach has led to nearly a third of Australian businesses surveyed by Telstra being affected by ransomware in the last year. Over half of these have admitted to paying the ransom, despite the fact that only 77% of payers have been able to retrieve data. This 77% is actually a decrease of 9% from the previous year, indicating that your chances of data retrieval are dropping at an alarming rate (gentlemen thieves these are not...).
While ransomware is on the decrease across the board, there has been a corresponding rapid rise in cryptojacking. Toward the end of 2018 the incidence of cryptojacking rose by 4000%, making it about 2.5 times more likely than a user succumbing to ransomware. During the past year, the prevalence of cryptojacking has decreased due to the reduced price of most cryptocurrencies, but it is anticipated that when these currencies rally, the rate of attack will again rise (proving that the laws of economics apply to cyber crime as well!). This type of attack is so prevalent that Malwarebytes have suggested it may end up surpassing all other cybercrime.
- Implement effective offline backups. If the worst happens and you are ransomed, often a backup is the last line of defence.
- Ensure regular patching of not just operating systems but also commonly attacked applications such as Flash, Silverlight and Acrobat Viewer.
- Implement advanced techniques such as application whitelisting where appropriate and practical.
- Implement advanced endpoint protection. Traditional anti-virus is no longer sufficient to face the threat.
- Ensure a least privilege access control regime is implemented. Users should only have access to what they need to complete their jobs. Nothing more. Lock down network shares and permissions to reduce the scope of destruction should a user inadvertently run malware.
While there is no silver bullet to IT security, a robust 'defense in depth' approach will often mitigate against the majority of security issues your business might face. Always remember that security is a shared responsibility and everyone needs to do their part, including management, users and the IT team. Contact your Client Services Manager to start a conversation around security in your company.
In writing this post, I have relied on a number of sources including the Telstra Security Report, the Microsoft Security Report and the Verizon Security Report. There are links to these reports below for those looking for a more in depth analysis.