News & Views

Key cyber risks for CISOs

CISOs must be more alert to new methods, tactics and targets used by cyber-criminals to perpetrate familiar types of attack, according to Infosecurity Europe’s (www.infosecurityeurope.com) community of security leaders and analysts. The organisers of Europe’s most influential information security event – running from 21-23 June 2022 at ExCeL London – asked the event’s Advisory Council about the biggest cyber threats organisations will face this year.
 
While individuals, criminal groups and nation states will continue to favour ‘tried and tested’ approaches, they are expected to employ these in novel ways to generate revenue from attacks.  “The threats don’t change hugely from year-to-year, it’s more the sophistication of the threats and the actors that evolve,” says Maxine Holt, Senior Research Director, Omdia.  “There will always be organizations without strong cyber-hygiene to defend against those threats, and when they do get through, without an adequate incident response plan.”
 
Unsurprisingly, ransomware was pinpointed as an area requiring close attention, with Maxine Holt citing ‘double whammy’ ransomware as a particular concern: “The first ‘whammy’ is the attacker locking the data so the victim can’t access it.  If the organization refuses to pay, this can lead to the second ‘whammy’ of the data being exposed or put up for sale, often resulting in a breach of data privacy regulations.  Prevention requires defence-in-depth: comprehensive and frequent back-ups, and the use of multi-factor authentication (MFA) and privileged access management (PAM).”
 
“In addition to an increase in the frequency of ransomware, we expect to see more sophisticated attacks, with new methodologies being used,” agrees Peter Yapp, Head of Cyber and Partner, Schillings.  “Many countries may try and impose legislation around ransomware payments, but this is unlikely to stop criminals continuing to attack.”
 
Mark D Nichols, Head of Information Security, Risk and Compliance, Ramsey Healthcare UK, points out that protecting an organization from the impact of ransomware has become harder.  “Because ransomware is more prolific, the cost of cyber insurance is going up,” he says.  “Some insurers refuse to cover organizations, or the list of controls to make the policy valid is huge.  Organizations have to weigh up cost versus reward – and things can go horrendously wrong when firms try to negotiate; some have been getting the decryption keys and finding they don’t work.  Attackers are also threatening to release sensitive information, including personal data, which could lead to fines.”
 
Supply chain attacks will also continue to pay significant dividends, including software attacks, says Maxine Holt.  “Having a perfectly legitimate organization spread your attack for you – what’s not to like?  It’s incumbent upon the source software provider to take every precaution to protect its code, including open-source code, from malicious activity so it cannot be changed or altered during an update or patching process and still appear perfectly legitimate.”
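The integrity check Holt describes, making sure an artifact cannot be swapped during an update and still look legitimate, comes down to verifying every file against a digest manifest whose own digest is pinned through a channel the update server does not control. The Python below is an added illustration, not code from Infosecurity Europe or any of the organisations quoted; the artifact bytes, manifest format and pinned digest are all constructed for the example, and a real release pipeline would additionally sign the manifest with the publisher’s key rather than rely on a pinned hash alone.

```python
import hashlib
import hmac
import json

# Constructed example artifacts an update would deliver (not real software).
ARTIFACTS = {
    "agent-2.4.1.bin": b"\x7fELF constructed agent binary bytes",
    "config-schema.json": b'{"version": 3, "fields": ["host", "port"]}',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> bytes:
    """Publisher side: canonical JSON listing the digest of every artifact.

    Sorted keys and fixed separators keep the encoding stable, so the
    manifest's own digest is reproducible and can be pinned out-of-band.
    """
    entries = {name: sha256_hex(blob) for name, blob in sorted(artifacts.items())}
    doc = {"version": "2.4.1", "files": entries}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def manifest_pin_ok(manifest: bytes, pinned_manifest_digest: str) -> bool:
    # Constant-time comparison: avoids leaking how much of the digest matched.
    return hmac.compare_digest(sha256_hex(manifest), pinned_manifest_digest)


def verify_update(manifest: bytes, pinned_manifest_digest: str, artifacts: dict) -> dict:
    """Client side: return {artifact name: True/False} for every file.

    Raises ValueError if the manifest itself does not match the pin, because
    nothing in it can be trusted in that case.
    """
    if not manifest_pin_ok(manifest, pinned_manifest_digest):
        raise ValueError("manifest digest does not match pinned value: refuse update")
    expected = json.loads(manifest)["files"]
    results = {}
    for name, digest in expected.items():
        blob = artifacts.get(name)
        # A missing file and a modified file are both failures.
        results[name] = blob is not None and hmac.compare_digest(sha256_hex(blob), digest)
    for name in artifacts:
        # A file that arrived but is not listed in the manifest is also suspect.
        if name not in expected:
            results[name] = False
    return results


def apply_or_reject(manifest: bytes, pinned_manifest_digest: str, artifacts: dict) -> bool:
    """Apply the update only if every artifact verifies; all-or-nothing."""
    return all(verify_update(manifest, pinned_manifest_digest, artifacts).values())


# Publisher produces the manifest; the pin is distributed separately (constructed here).
MANIFEST = build_manifest(ARTIFACTS)
PINNED = sha256_hex(MANIFEST)

if __name__ == "__main__":
    print("clean update accepted:", apply_or_reject(MANIFEST, PINNED, ARTIFACTS))
    # Simulate a file altered on the update server after the manifest was published.
    tampered = dict(ARTIFACTS)
    tampered["agent-2.4.1.bin"] = ARTIFACTS["agent-2.4.1.bin"] + b"\x90"
    print("tampered update accepted:", apply_or_reject(MANIFEST, PINNED, tampered))
```

The point of the pin is that an attacker who can modify files on the update server can usually also modify a manifest stored beside them; only a digest (or signature key) obtained through a separate trusted path makes the manifest itself verifiable.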
 
Supply chain risks have risen to the surface due to external factors such as extreme weather and the pandemic, according to Barry Coatesworth, Director Risk, Compliance & Security, Guidehouse. “This has equated to increased risks around who is connecting to your network and supplying resources and services,” he says.  “Third party risk assessments only go so far towards solving the problem, because it gets murky when suppliers subcontract out work.”  Peter Yapp adds: “Businesses need to realize that their security relies on a web of third-party suppliers, and they’re only as strong as the weakest link.  Due diligence should be carried out on any supplier of IT delivered services.”  
 
Information security investment overall is still not sufficiently prioritised within businesses or government.  “There has been an underinvestment in cybersecurity,” says Yapp.  “Change needs to happen from the top, with budget, strategy and systems in place to ensure cyber is a major business focus.  Programmes like the UK government’s new cybersecurity strategy, which is focused on being pre-emptive rather than reactive, do increase awareness of threats, but increased funding is needed to make a tangible difference to the risk landscape.”
 
The insider threat continues to challenge organizations, with negligence and error causing as many problems as malicious intent.  “Behavioural analysis of what employees are doing on your network and what data they’re accessing can pick up abnormal behaviour when baselined,” advises Barry Coatesworth.  “Education, though, has always been the cornerstone of reducing insider threat.”
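Coatesworth’s point about baselining is that an access pattern is only “abnormal” relative to what each user normally does. The Python below is an added example, not code from any organisation quoted in the article; the log lines are constructed, and the two signals it uses (daily access volume against a per-user baseline, and resources the user has never touched before) are one common way to implement such a baseline, not the only one. It also handles the edge case a naive threshold gets wrong: a user whose baseline has zero variance, where mean plus k standard deviations would flag a single extra access.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed file-share access events: "date user resource", one per line.
BASELINE_LOG = """\
2022-03-01 alice /finance/q1-report.xlsx
2022-03-01 alice /finance/budget.xlsx
2022-03-02 alice /finance/q1-report.xlsx
2022-03-03 alice /finance/forecast.xlsx
2022-03-01 bob /eng/design.md
2022-03-02 bob /eng/design.md
2022-03-03 bob /eng/rfc-12.md
"""

TODAY_LOG = """\
2022-03-04 alice /finance/q1-report.xlsx
2022-03-04 bob /eng/design.md
2022-03-04 bob /finance/budget.xlsx
2022-03-04 bob /finance/q1-report.xlsx
2022-03-04 bob /finance/forecast.xlsx
2022-03-04 bob /hr/salaries.xlsx
2022-03-04 bob /hr/reviews.xlsx
"""


def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        date, user, resource = line.split()
        events.append((date, user, resource))
    return events


def build_baseline(events: list) -> dict:
    """Per user: the set of resources normally accessed and the daily access counts."""
    resources = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for date, user, res in events:
        resources[user].add(res)
        per_day[user][date] += 1
    return {
        user: {"resources": resources[user], "daily_counts": list(per_day[user].values())}
        for user in resources
    }


def detect_anomalies(baseline: dict, today_events: list, k: float = 2.0, min_floor: int = 2) -> list:
    """Return (user, signal, value) findings for today's activity.

    Volume signal: today's count exceeds mean + k*stdev of the user's baseline
    days. min_floor guarantees a minimum headroom above the mean so a user with
    identical counts every day (stdev == 0) is not flagged for one extra access.
    Novelty signal: number of resources the user has never accessed before.
    """
    findings = []
    count = defaultdict(int)
    new_res = defaultdict(set)
    for _date, user, res in today_events:
        count[user] += 1
        profile = baseline.get(user)
        if profile is None or res not in profile["resources"]:
            new_res[user].add(res)
    for user, n in count.items():
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, "no_baseline", n))
            continue
        counts = profile["daily_counts"]
        threshold = max(mean(counts) + k * pstdev(counts), mean(counts) + min_floor)
        if n > threshold:
            findings.append((user, "volume", n))
        if new_res[user]:
            findings.append((user, "new_resources", len(new_res[user])))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for finding in detect_anomalies(baseline, parse(TODAY_LOG)):
        print(finding)
```

In the constructed data, alice’s single access stays within her baseline and produces no finding, while bob triggers both signals: six accesses against a baseline of one per day, and five resources outside the engineering share he normally uses. Either signal alone is a prompt for an analyst to look, not proof of malice; the novelty signal in particular is what separates error or curiosity from ordinary work, and it degrades gracefully when a baseline is short.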
 
Mark D Nichols agrees. “Because we’ve been working in this agile way for two years, people may be a bit complacent,” he says. “Continuous education is needed to keep everyone alert to the threat.”

Rik Turner, Principal Analyst with Omdia, anticipates that not all individuals will find it easy to adjust their behaviour.  He says: “The Zero Trust approach, for example, can be expected to meet with resistance across the organization.  C-level executives may have grown accustomed to a broad ‘access all areas’ entitlement and resent being reined in.  Developers and sysadmins may also resist this kind of approach.  A cultural change will be required, and it’s certain to need careful evangelisation to guarantee widespread acceptance and adoption.”
 
“A concerted effort to improve threat intelligence is the only way we can anticipate, detect and respond to threats in the current landscape,” says Nicole Mills, Exhibition Director, Infosecurity Group.  “We’re not looking for major changes in the kinds of threat we need to address, but constant, perhaps subtle, shifts in how attacks are planned and carried out. That’s one of the principal reasons we chose Stronger Together as the theme for Infosecurity Europe 2022, to encourage and facilitate greater collaboration between businesses, law enforcement and government.  The more eyes we have on the criminals and their approaches, and the more information and knowledge we share, the more likely we are to stay a step ahead of emerging risks.”
 
The threat landscape will be covered extensively in the conference programme at Infosecurity Europe 2022.  The full conference programme can be found at www.infosecurityeurope.com/en-gb/whats-on/conference.html.