Finance Director Europe speaks to cybersecurity experts to find out how to fight cybercrime in an age of digitalisation.
Companies face a variety of cyber threats to the commercial integrity of their data on an almost daily basis. Those threats are numerous and varied. Martin Morris speaks to experts across the cybersecurity realm to understand the latest threats, how companies can beef up their security to reduce potential reputational damage, and how partnering with cloud services could be one way of fighting cybercrime long-term.
Confronted by so many potential threats, from outside hackers to disgruntled employees undermining security from the inside, organisations face a constant battle – not only to maintain data integrity, but also to forestall potential reputational damage.
Factor in the Covid-19 pandemic, leading to more employees working from home, as well as ever more stringent compliance requirements, and it quickly becomes clear that the myriad challenges facing companies are symptomatic of a wider threat landscape. More to the point, it’s one that’s likely to only become more dangerous over the coming years.
Tom Kellermann, head of cybersecurity strategy at VMware’s Security Business Unit, says the solutions provider noted a 148% surge in ransomware attacks between February and March 2020 alone, just as much of the Western world was moving into lockdown – and moving away from the security they enjoyed in the office.
“Traditional perimeter defences like firewalls are failing, due to increased telework protocols,” Kellerman explains. “Additionally, the modern-day cybercriminal is an expert in exploiting the vulnerabilities of remote systems, as well as the inherent lack of visibility that security teams have into these complex environments.”
If proof were needed of the damage cybercriminals and state actors are capable of wreaking, the recent hacks at solutions provider SolarWinds, as well as tech giant Microsoft, both provide salutary lessons – even if the outcomes aren’t yet fully known.
As the SolarWinds hack shows, moreover, organisations can have the most secure systems at their disposal – but this will count for nothing if external hardware or software boast more holes than Swiss cheese.
After all, hackers, believed to be Russian state actors, found a back door into SolarWinds scalable infrastructure monitoring and management platform tool Orion – subsequently distributing malicious code via software updates. Even worse, the breach wasn’t detected for months after it happened in early 2020.
Given the nature of the Texas-based company’s business – providing computer networking monitoring services to major corporations and government agencies around the world – people in high places and senior positions have been unsurprisingly worried.
And while the scope of how far the criminals actually burrowed down has yet to be determined, SolarWinds has confirmed that up to 18,000 of its customers (or 60% of the total) installed updates leaving them vulnerable to hackers.
Potentially even more serious, meanwhile, is the fallout after hackers exploited holes in Microsoft’s mail server software – potentially affecting 30,000 organisations across the US alone, according to a recent report by KrebsOnSecurity. According to Microsoft, a previously unidentified Chinese hacking crew known as ‘Hafnium’ have been conducting targeted attacks against its email servers.
In a number of cases, hacking tools known as ‘web shells’ were placed on victims’ systems before Microsoft announced it had issued patches to cover the holes – the implication being that organisations would still be vulnerable, even if they had downloaded the patches. While there is still no evidence that the SolarWinds and Microsoft attacks are connected, in short, the damage caused by hackers, harvesting data across numerous organisations and all sectors, still has the potential to be huge.
Stopping the stuffing
How to address these challenges? For Kellermann, it’s fundamentally a question of organisation. “CISOs should report directly to the CEO in an effort to elevate awareness of the security risks and defence recommendations for an organisation,” he says. “Cyber threat hunting techniques must be expanded, and network security platforms need to be integrated with endpoint protection platforms and solutions.”
Of course, that’s not enough to counter the threat. Although phishing, distributed denial-of-service (DDoS), and ransomware attacks remain the preferred weapons of choice for cybercriminals, so-called ‘island hopping’ – where supply chains and partners are commandeered to gain access to the primary target, including major financial institutions – is increasingly popular too.
“Application attacks and island hopping are spiking as a result of rapid digital transformation,” notes Kellermann. “With that, rigorous testing on the security of these applications is critical. It’s also important that the remediation timetable for hardening security be mandated along with deployment of application controls. Finally, the principle of least privilege should be applied to better control who has administrative rights.”
Another potentially destructive practice, meanwhile, is credential stuffing, whereby stolen account credentials are used to gain unauthorised access to user accounts.
Typically, this is done through large-scale automated login requests directed against a web application. In 2020, indeed, malware and ransomware incidents rose by more than a third, while there was an over 50% increase in phishing, scams, and fraud, according to INTERPOL.
In the insurance claims sphere, meanwhile, Catharina Richter, global head of the Allianz Cyber Center of Competence, describes losses from incidents such as DDoS attacks, phishing and ransomware campaigns as accounting for a significant majority of the value of cyberclaims today.
All the same, Richter is keen to emphasise that though cybercrime tends to be a popular story in the papers, more mundane failures can be just as troublesome. “While cybercrime generates the headlines, everyday systems failures and IT outages, [as well as] human error incidents, can also cause problems for companies, even if their financial impact is not, on average, as severe. Employers and employees must work together to raise awareness and increase their company’s cyber resilience.”
Allowed on the cloud
As Richter implies, potential business interruption is evidently a crucial issue in boardrooms up and down the continent, but companies shouldn’t take their eyes off the ball when it comes to bread-and butter-issues – especially around data security, cybercrime and compliance.
A great example of this principle comes in the person of Jerry Finley. “Data security and compliance has been the cornerstone of our organisation since our inception,” says Finley, CISO at OakNorth Bank. He means what he says. Beyond regularly testing staff on their cybersecurity skills, the bank also conducts simulation exercises and tests throughout the year.
The point, Finley says, is “to keep everyone vigilant, and to determine where our vulnerabilities lie”. At the same time, he adds, his bank also provides “regular reminders and guidance to our customers about how to stay vigilant and identify potential fraud”.
That’s shadowed by more fundamental changes. In May 2016, OakNorth Bank became the first UK bank to be fully hosted on the cloud – not just ancillary services, but everything, including its core platform. “Our provider is Amazon Web Services, which provides the very best security to its clients,” Finley says. “It invests a lot more in security than we’d ever be able to so we’re glad to be working with them.”
The bank has for several years also partnered with Illusive, a computer and network security provider, for several years, helping get insights into the lateral movement of attackers across the bank’s infrastructure.
“This capability gives us confidence that we have another layer of defence as threat actors become more sophisticated and learn to evade traditional countermeasures,” Finley explains. “In terms of other factors, the biggest consideration is human error, which is why we have put in place several systems to try and minimise the risk of this.”
Low risk, high reward
This process is ongoing, of course, with Finley stating that his bank is constantly examining other measures to protect both itself and its customers. All the same, he accepts that it’s always going to be an ongoing and uphill struggle. “We know our work will never be done,” he adds. “Attacks are becoming more sophisticated, and hackers are constantly developing new tactics and procedures to circumvent existing technologies.”
Whatever the successes of Finley and his team at OakNorth, indeed, the global cost of cybercrime is forecast to grow 15% annually over the next five years, reaching $10.5trn by 2025.
And, given the likelihood of detection or prosecution rates of a cybercriminal was recently estimated by the World Economic Forum to be as low as 0.05%, it’s patently obvious that criminals continue to operate in this low-risk, high-reward environment.
As the old adage goes, the security of a given network is only as strong as its weakest point. And with the number of data points increasing, due to more people working from home because of Covid-19, organisations would do well to bear this in mind.