16 October 2023
All organisations are potential targets and need to build a robust defence strategy. With bad actors continuously evolving their methods and finding new ways to perform more complex attacks, it’s key for companies to raise awareness of the cyber-dangers and get ready to combat ‘hackers.’
The security challenges of digital transformation
Technology is now firmly at the core of most organisations’ business strategies. However, this has widened the attack-surface and keeping businesses and consumers safe is becoming an increasingly complicated challenge.
As more companies continue to digitally transform, moving towards IoT-connected solutions to evolve their business capabilities, David Collins, product management EMEA at Cradlepoint, recognises that "the best option for them is a converged network and security solution, optimised for 5G, which includes secure access services edge (SASE) principles. As part of these, the Zero Trust Network Access (ZTNA) principle provides a great foundation where the network plays a major role in protecting IoT devices."
The continued rise in online transactions shows no signs of slowing down, so businesses must ensure their processes are watertight as we look to end the year. Sameer Hajarnis, SVP and GM digital agreements at OneSpan agrees - "with so many high-value transactions conducted online, getting customers to trust that the digital agreements they're making are secure is top priority. Businesses need to ensure their security measures are bolstered with tighter verification practices, such as continuous identity verification and biometric authentication, and that these are woven throughout the transaction lifecycle."
While deploying best-in-class solutions is crucial to keeping businesses safe, being fully prepared for the eventuality that an incident occurs is equally important. Jake Moore, global cybersecurity advisor at ESET, recommends "regular data backups are essential to safeguard against data loss stemming from cyberattacks or hardware failures. Simultaneously, maintaining a vigilant watch over your accounts and access on a frequent basis enhances the detection of compromised passwords and personal information. Finally, it's equally important to account for all your devices – a practice typically undertaken by larger businesses for ongoing risk management purposes as part of a well-defined cyber-resilience plan."
The biggest threats CISOs are facing in 2023
AI-generated threats are essentially the 'talk of the cybersecurity town' this year and the most pressing issue on Paul Inglis, SVP, EMEA at ForgeRock's mind: "AI is being increasingly weaponised against businesses and consumers to conduct ultra realistic and highly targeted phishing campaigns. It's increasingly difficult to spot what's real from what's fake. While we've seen some politicians and celebrities mimicked to cause reputational damage, many other deepfakes are being circulated to steal money or credentials. And all a hacker needs is an Instagram story or a TikTok video to create an audio and video likeness in a matter of seconds."
And Paul's not the only one heralding the warning. Simon Horswell, fraud specialist at Onfido, states that "fraud continues to rise to new levels, enhanced over the last year by the impact of generative AI. Fraudsters are using it to craft scams such as fake IDs, voice cloning, and deepfakes, and as bad actors adopt the latest technology for offensive means, identity verification companies such as Onfido have put in place many defences and are continuously monitoring and mitigating new fraud vectors."
But it's not all about AI. The same old threats are still raring their ugly heads. F5's threat research evangelist, Sander Vinberg, sees credential stuffing as a particularly pertinent ongoing threat: "credential stuffing is widely recognized as a fundamental source of cybersecurity risk. It is, in essence, a numbers game." However, the only silver lining is that the process remains somewhat inefficient: "it hinges on the fact that people reuse passwords, but the likelihood that any single publicly compromised password will work on another single web property is still small."
Credential-based threats are also front and centre for Renske Galema, area vice president Northern Europe, CyberArk, who states that "high-profile cyberattacks using stolen or leaked employee logins to breach and hijack entire IT systems are on the rise, but over half (55%) of UK workers still use insecure practices to keep track of their credentials, causing headaches for security teams. Amid ongoing economic turbulence and a continued cyber skills gap, threat actors are continually innovating to access critical data and assets to cause monetary and reputational damage."
If there’s one vulnerability that has continued to be a thorn in the side of CISOs everywhere, it’s their own employees. Lacework’s CISO, Lea Kissner shares this sentiment: “insider threats should always be top of mind for CISOs. I worry about what someone can do if they managed to take over an employee's access (e.g. malware, account hijack), that they might hurt our customers or our coworkers.”
It's important to acknowledge that even though new threats are emerging on what seems to be a daily basis, the older and 'less exciting' methods are just as crucial to guard against.
Training is vital to keep up with evolving threats
When it comes to training, it all begins with those building our apps, the developers. Veracode's CTO, John Smith, agrees: "with the right developer training, businesses can make a big difference to the security of their software. In fact, our research found the completion of 10 training courses correlates to a 12% reduction in the number of flaws introduced by developers. It's never too late to start. Let this Cybersecurity Awareness Month serve as a reminder for developers to brush up on their cyber safety, and businesses to put in place the right training to make these secure practices stick."
Ian McShane, VP of MDR at Arctic Wolf, believes there is specific training we should move away from: "it's important to remind ourselves that the true goal of this month is to encourage more people to understand and adopt behaviours that protect themselves. My hope is that we focus less on things like ‘punishment training’ when small errors are made, which is the least impactful, and instead focus on things that the average person will benefit from. At the end of the day, the business benefit must be the byproduct, not the entire goal."
Similarly, Aaron Rosenmund, director of security curriculum and research at Pluralsight, argues: "Only 17% of tech workers are completely confident in their cybersecurity skills. This needs to change, and to do so businesses must provide cyber teams with opportunities to practice in low-risk environments, and build confidence."
In today’s rapidly evolving threat landscape, companies must make sure their security teams are up to date with the latest cyber-dangers. Training is key to helping employees develop the knowledge and skills needed to defend the business. With organisations increasingly threatened by nation-state actors and sometimes suffering the consequences of employee mistakes, Cybersecurity Awareness Month serves as a reminder to remain vigilant.