Ransomware problem evolves on multiple levels – make sure not to get blindsided
Through 2021 the EMEA region has seen an increase in cyberattacks, and ransomware attacks in particular have risen in prominence. The Unit 42 Threat Report, 1H 2021 Update, found that the average ransom demand increased by 518% and the average ransom paid climbed by 82% compared with 2020.
Part of this evolution is in how ransomware itself operates, which will continue to change as communities such as nomoreransom.org fight back, and as nations lean in further to shut down groups and their campaigns and look at how to interrupt or intercept the money flow.
One side effect of this evolution is that the term "ransomware" now has an almost intangible meaning, and conversations become confused: one person sees it as traditional ransomware compromising a local device or user, while another sees structural elements and infrastructure being compromised before it ever reaches our internal landscapes.
As a result, CISOs need to train and educate their executives and peers across the business on the different types of attacks, why they matter, what the different business impacts are, and how to strategically build tailored approaches to detect and respond.
2022 – passwords will be deleted
Gartner predicts that by 2022 90% of mid-sized and 60% of global enterprises will shift toward passwordless authentication methods. Every business is currently dealing with an explosion in the number of sets of credentials each user has, and each new credential set brings risk with it. With collaboration, SaaS and cloud adoption skyrocketing because of the new flexible ways of working, we will see attacks focus in two directions.
Firstly, the obvious targeting of these new credential sets, often made possible by poor user management: are weak passwords in use? Is the same password reused across services? Secondly, there will be a focus on the backend systems. Whilst many organisations have used AD, RADIUS and other authentication processes for years, many of the new SaaS tools each have their own credential management processes which, being nascent, can be more prone to exploitation.
Moving forward we will continue to see password authentication slowly being replaced, as companies try to remove their reliance on passwords. It all started with the iPhone, and we are now seeing a significant increase in the number of people and organisations using passwordless authentication such as Windows Hello.
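What "removing the reliance on passwords" looks like in practice is a public-key challenge-response login: the server stores only a public key, so there is no password to be weak, reused across SaaS tools or phished, and every login signs a fresh one-time challenge bound to the site's identity. The following is an added illustration written for this page, not code from Palo Alto Networks, Windows Hello or any named product, and it deliberately simplifies the FIDO2/WebAuthn flow to its core. The user "alice", the relying-party ID "login.example" and the look-alike "login.examp1e" are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Server is the relying party. Note what is absent: no password hash is stored,
// so there is nothing to guess, reuse across services or phish.
// (Plain maps for brevity; a real server would lock or use a store.)
type Server struct {
	rpID       string                      // relying-party ID every signature is bound to
	users      map[string]*ecdsa.PublicKey // user -> public key recorded at registration
	challenges map[string][]byte           // user -> outstanding one-time challenge
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, users: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the user's public key. In practice this happens once, inside
// an already-authenticated enrolment session.
func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.users[user] = pub }

// BeginLogin issues a fresh 32-byte random challenge. It is valid for exactly
// one FinishLogin call, successful or not.
func (s *Server) BeginLogin(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// FinishLogin checks the challenge is the one we issued, consumes it, and
// verifies the signature over H(rpID || challenge) with the registered key.
func (s *Server) FinishLogin(user string, challenge, sig []byte) error {
	expected, ok := s.challenges[user]
	if !ok || subtle.ConstantTimeCompare(expected, challenge) != 1 {
		return errors.New("unknown or replayed challenge")
	}
	delete(s.challenges, user) // consume before verifying: a failed attempt burns it too
	digest := signedData(s.rpID, challenge)
	if !ecdsa.VerifyASN1(s.users[user], digest[:], sig) {
		return errors.New("signature does not verify for this user and relying party")
	}
	return nil
}

// signedData binds the challenge to the relying-party ID, so a signature the
// device produces for a look-alike site cannot be replayed against the real one.
func signedData(rpID string, challenge []byte) [32]byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator: rpID and challenge must not run together
	h.Write(challenge)
	var d [32]byte
	copy(d[:], h.Sum(nil))
	return d
}

// Authenticator is the user's device. The private key is generated here and
// never leaves; only signatures do.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: k}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign signs the challenge for the site the device believes it is talking to.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	d := signedData(rpID, challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, d[:])
}

func main() {
	srv := NewServer("login.example") // hypothetical relying party
	dev, _ := NewAuthenticator()
	srv.Register("alice", dev.PublicKey())

	ch, _ := srv.BeginLogin("alice")
	sig, _ := dev.Sign("login.example", ch)
	fmt.Println("genuine login:", srv.FinishLogin("alice", ch, sig))
	fmt.Println("replayed login:", srv.FinishLogin("alice", ch, sig))
	ch2, _ := srv.BeginLogin("alice")
	bad, _ := dev.Sign("login.examp1e", ch2) // signature captured by a look-alike site
	fmt.Println("phished signature:", srv.FinishLogin("alice", ch2, bad))
}
```

Two design points matter for the backend-system attacks the text anticipates: the challenge is consumed before verification, so a captured signature cannot be replayed, and the relying-party ID is part of the signed data, so a signature coaxed out of the device by a look-alike site does not verify on the real one. A production flow would additionally expire unused challenges and keep the public keys in durable storage.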
The compromised home
Hybrid working is here to stay. Working-from-home enterprise employees are increasingly using a broader range of IoT devices, both corporate and personal, to access enterprise applications from wherever they are working.
So it is only natural that our home networks should become a target for cyber criminals. This is especially true when controls on home networks are typically nowhere near as strong as those on corporate networks. Businesses historically locked down laptops: USB ports, personal printers and many other things were typically blocked. However, to function in the hybrid working world users now need these capabilities, so security controls have had to be relaxed. The same gap extends to shared family devices.
Even if it is only on that network for a short period of time, the business device is exposed to every other system connected to it, many of which have probably never been patched and most of which are still using their default admin passwords, if they had one at all!
The good news is that awareness of this topic is increasing across the EMEA region, with leaders feeling more confident than ever about having full visibility of the IoT devices on their organisation's business network: 70% completely confident in 2021 versus 58% in 2020, as highlighted in our 2021 IoT Security Report "The Connected Enterprise".
Cybersecurity education needs to evolve with new work lifestyles
As we become a more connected society we must also think about how to give cyber education greater longevity in such an agile digital world. This means moving away from the risk du jour ("don't click on this", "don't open that") towards fundamentally good design and usage principles.
For example, how many of us now work from our own homes? What happens if you let someone else use your work device, just for a minute? Or what happens if you need to do some work and cannot use your work device?
The lines between personal and work are becoming increasingly blurred and complex, and as a result we are all becoming integration points in our own worlds. From grass roots to late technology adopters, we have to start thinking of every person as a digital innovation point. So let's ask ourselves: what are the core principles of good information sharing, in both our personal and professional lives?
Today most education focuses on what should and shouldn't be done, for example clicking on a questionable link, opening phishing emails or sharing your password. These lessons are now 10-15 years old; valuable, yes, but they don't align with the new ways of working.
Cyber Hygiene: will it get worse before it gets better?
So much has changed so fast in business IT. Evolution is not slowing down, and the inconsistency of security capabilities, especially across cloud and SaaS, is challenging businesses in which everyone is now effectively a CIO.
While DevSecOps is still maturing, lacks industry standards and has no agreed "best practice", CISOs still need to switch from a tactical approach to thinking strategically (the bigger picture), or risk being in a lot of trouble by the time the standards do arrive. Getting buy-in from executives and key stakeholders on a solid cybersecurity approach for the business is an important part of this strategic shift in mindset.
As policies continue to take shape and regulations fall into practice, organisations must work from the ground up by laying a solid foundation of good cyber hygiene and best practices.
Shedding the cyber safety blanket
The digital world has evolved so much in recent years, and the expectations of cyber security teams have never been greater. More threats and more business processes to secure go hand in hand with more cyber security capabilities. The challenge is that businesses are typically less tolerant of downtime and outages as their dependence on digital systems grows. This is the cyber time paradox: more with less.
As our cyber security world evolves, it is time to embrace that mantra in a different way. The only way we can do more is to have less legacy. For every new capability required, the security team should look to relinquish two. The challenge is that we are human, and we become emotionally attached to things that have had a material impact on our lives; most security people can attest that "this capability saved my bacon". The problem is that our world is evolving at pace. As a result, we have to continually reassess the value of legacy security controls, and be willing to let go, faster than we are used to, of what "saved our bacon" in the past and has since been superseded by smarter, better capabilities.
This has never been more important than now, as cloud services provide evergreen capabilities. How can security teams find the time to look at the incremental new cyber security technology provided as part of a service, or keep pace with the changing scope of that service, if they are held back by a legacy estate that continues to grow unabated?
Zero Trust Enterprise becomes the security standard
As organisations shift to support new, digitally enabled working models and accommodate shifting work environments, it is increasingly important to ensure that their assets, and the traffic to those assets, are secure.
Zero Trust Enterprise is an approach to risk reduction based on the concept of “never trust, always verify.” It spans everything: users, applications and infrastructure. Zero Trust is about applying the relevant identity, device/workload access or transactional controls to verify and limit the risks to the business. But doing this with disparate point solutions will only create complexity and security gaps. It will be imperative that organisations choose an interoperable ecosystem of security providers aligned on the company’s security goals.
While many businesses will get Zero Trust wrong, the ones that embrace a Zero Trust Enterprise Ecosystem approach will get it right. We live in an instant-gratification world, so we can expect some to look for a quick-fix Zero Trust solution, which will only reinforce that many simply haven't understood that Zero Trust is a strategy, not a product or project.
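The "never trust, always verify" principle above becomes concrete once every request is evaluated on identity, device and the transaction being attempted, with network location given no weight. The following policy engine is an added illustration for this page, not code from Palo Alto Networks or any Zero Trust product; the request fields, the rule model, the groups ("staff", "finance", "finance-admins") and the resources ("wiki", "payroll-db") are all constructed for the demo. It goes slightly beyond the text by showing the default-deny structure that makes a per-request decision auditable: each denial names the control that failed.

```go
package main

import "fmt"

// Request is everything the policy engine may look at for one access attempt.
// SourceNetwork is carried only so the decision can log it; Evaluate never
// reads it, which is the point: being on the corporate LAN earns no trust.
type Request struct {
	User          string
	Groups        []string
	MFAVerified   bool   // strong authentication completed for this session
	DeviceManaged bool   // device enrolled and attested by the organisation
	DevicePatched bool   // posture check passed (e.g. OS patch level current)
	SourceNetwork string // "corp-lan", "home", "cafe" ...
	Resource      string
	Action        string // "read" or "write"
}

// Rule grants one (resource, action) pair to the listed groups, subject to
// explicit identity and device conditions. Whatever no rule grants is denied.
type Rule struct {
	Resource       string
	Action         string
	Groups         []string
	RequireMFA     bool
	RequireManaged bool
	RequirePatched bool
}

type Decision struct {
	Allow  bool
	Reason string
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// check returns "" if the request satisfies the rule, else the first failing control.
func check(rule Rule, r Request) string {
	inGroup := false
	for _, g := range r.Groups {
		if contains(rule.Groups, g) {
			inGroup = true
			break
		}
	}
	switch {
	case !inGroup:
		return "identity: user is not in a group this rule grants"
	case rule.RequireMFA && !r.MFAVerified:
		return "identity: MFA required for this resource"
	case rule.RequireManaged && !r.DeviceManaged:
		return "device: unmanaged device"
	case rule.RequirePatched && !r.DevicePatched:
		return "device: posture check failed"
	}
	return ""
}

// Evaluate applies "never trust, always verify": the request starts denied and
// is allowed only if some rule for its resource/action is satisfied in full.
func Evaluate(policy []Rule, r Request) Decision {
	reason := "default deny: no rule grants " + r.Resource + ":" + r.Action
	for _, rule := range policy {
		if rule.Resource != r.Resource || rule.Action != r.Action {
			continue
		}
		fail := check(rule, r)
		if fail == "" {
			return Decision{true, fmt.Sprintf("allowed %s on %s:%s (source network %q not consulted)",
				r.User, r.Resource, r.Action, r.SourceNetwork)}
		}
		reason = fail
	}
	return Decision{false, reason}
}

// SamplePolicy is a constructed policy for the demo, not a real organisation's.
func SamplePolicy() []Rule {
	return []Rule{
		{Resource: "wiki", Action: "read", Groups: []string{"staff"}, RequireMFA: true},
		{Resource: "payroll-db", Action: "read", Groups: []string{"finance"},
			RequireMFA: true, RequireManaged: true, RequirePatched: true},
		{Resource: "payroll-db", Action: "write", Groups: []string{"finance-admins"},
			RequireMFA: true, RequireManaged: true, RequirePatched: true},
	}
}

func main() {
	p := SamplePolicy()
	onLAN := Request{User: "alice", Groups: []string{"staff", "finance"}, MFAVerified: true,
		SourceNetwork: "corp-lan", Resource: "payroll-db", Action: "read"} // unmanaged device
	atHome := onLAN
	atHome.DeviceManaged, atHome.DevicePatched, atHome.SourceNetwork = true, true, "home"
	fmt.Printf("%+v\n", Evaluate(p, onLAN))  // denied: unmanaged device, LAN irrelevant
	fmt.Printf("%+v\n", Evaluate(p, atHome)) // allowed: managed, patched, MFA
}
```

The same user is denied from the corporate LAN on an unmanaged laptop and allowed from home on a managed, patched one, which is the inversion a perimeter model cannot express. In a real estate the posture bits would come from the device management and identity providers rather than being set on the request, and that is exactly where the interoperable ecosystem the text calls for matters: the engine is only as good as the signals it can verify.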
Haider Pasha, Chief Security Officer at Palo Alto Networks, Middle East and Africa (MEA) said, “In the Middle East, organisations need to remove the safety blanket and educate employees on cybersecurity whether junior or most senior. The shared responsibility model for cybersecurity has become really critical, especially as we start further adopting cloud platforms. Organisations must prioritise awareness campaigns and be more creative with cybersecurity education, especially as employees shift to home and hybrid workplaces. In addition, in today’s time, CISOs, CIOs and IT heads must partner with cybersecurity experts and understand all functions within security, risks and DevOps.”
“In addition, as the digitisation of Operational Technologies (OT) accelerates, mostly bound by legacy OT systems and IoT, finding and stopping shadow IT will continue to be a challenge. The energy industry is expanding the usage of IoT sensors and the identification, classification, and protection will take precedence albeit using concepts like Zero Trust to reduce the risk of breaches or sabotage. SOCs are merging between IT, OT and IIoT. Some did this a few years ago, but as more Energy/Utilities deploy IoT, IIoT and OT than ever, many more will need to consider, post COVID-19, merging their SOCs,” Pasha added.