GDPR; ransomware; WannaCry; data breach. All of these terms are becoming increasingly commonplace – and this is indicative of the continuously evolving threats present throughout the digital sphere.
Organisations – irrespective of their size, where they operate, the services they offer or anything else – must be both mindful of and able to address the growing threat of cybercrime. The threat posed by nefarious digital actors continues to grow and, following the introduction of GDPR and data security, the consequences of being a victim of cybercrime have increased exponentially.
We caught up with our Development Director Andy Murtagh, Product Manager Chris Flynn and Security Operations Centre Lead Shane Howells to discuss cybercrime, how it’s likely to evolve in 2020, why organisations need to take it seriously and, of course, how ROCK can help.
What, in your opinion, will be the biggest threat to organisations' cyber security in 2020?
Shane: Businesses will face an increasing number of threats, from cybercriminals leveraging AI to exploitable gaps in infrastructure brought about by IoT and more, but the biggest threat to their cyber security hasn’t really changed: network users that aren’t aware of the fact that most cyberattacks actually start with them. Users’ knowledge, typically, isn’t up-to-date and business decision-makers need to work hard to change this.
Andy: The adoption of virtualised infrastructures is generating the biggest threat in my opinion. In just a few short years, the methodologies that organisations have typically used to protect themselves are simply no longer effective. They were designed with on-site infrastructure in mind whereas, today, most of it is virtualised and decision-makers' mindsets aren’t where they need to be to address this.
Chris: For me, it’s social engineering, particularly leveraging deep fake technology. It’s reaching the point where a hacker could call an IT company and mimic a CEO’s voice in order to gather credentials or other sensitive information. We've seen this applied to politicians or celebrities - but what happens when a video of a FTSE 500 C-Level exec is made that brings the company into disrepute?
What if the share price falls? We're seeing the next generation of industrial espionage come racing towards us. Internally, we’ve already begun putting extra security measures in place to prevent this and other organisations, in my opinion, need to do the same.
And what should organisations do to address these problems?
Shane: Cyber security awareness training is an absolute must for all organisations and can be delivered in multiple ways from on-site training to mobile applications. Beyond this, business decision-makers need to be more proactive, to consistently scrutinise their practices and the measures they have in place. They also need to conduct research or, alternatively, speak to cyber security experts because, in the current climate, no organisation is safe.
Andy: Personally, I’d say that decision-makers need to be more aware of the fact that, ultimately, they’re responsible for ensuring their organisation’s digital infrastructures are secure. If a business is compromised, it’s the decision-makers who are accountable.
There’s a common misconception that once cyber security is outsourced, the provider is accountable, but this is not the case. CEOs and directors – whatever their title may be – are ultimately responsible for their organisation’s cyber security strategy. Making stakeholders aware of this would, I’d hope, drive a lot of the required changes.
Chris: In my experience, there are an alarmingly large number of SMEs that aren’t even doing the basics; things like having anti-virus on their machines or using firewalls or spam filters. These basics need to be addressed first of all but, beyond this, all companies need to understand that their needs can be very different depending on their practices and enlist, I’d say, a consultant that can identify precisely what they need.
Dark web monitoring is a good example of why bespoke approaches are needed. If an organisation’s data – or even a key supplier’s data – is compromised and for sale on this medium, action needs to be taken rapidly, but most organisations would be unaware of the fact that such a threat even existed.
If I, as the owner of a business with fewer than ten employees and a limited budget asked you what cyber security solutions I should adopt, what would you say?
Shane: I’d say that anti-virus is absolutely essential. I still encounter organisations using free software like AVG or McAfee’s free solutions and these, sadly, don’t actually do anything. In fact, they’re probably only slowing down machines.
As Chris said, spam filters are also essential. Office 365, for example, recommends that users leverage an external spam filter. If your budget allows, I’d also recommend a firewall.
Andy: I’d agree that spam filters and anti-virus software are essential but, with email still being the most common attack vector used by cybercriminals, a well-thought-out and robust email management policy that is regularly reviewed is equally vital.
Also, as Shane stated previously, staff need to be educated and made aware of how their actions can either increase or greatly diminish the prospects of cyberattacks succeeding. Doing so isn’t expensive, it’s instead dependent upon a workplace culture within which awareness of cybercrime is given the gravitas it deserves.
Chris: Personally, I always tell clients that we’ll build them the perfect solutions – develop strategies that address all of their needs – and consider budgets later. Following this, we can review the strategy that’s been developed and trim away any excess.
As far as cyber security is concerned, though, if a small business owner were to ask me what solutions they could afford, I’d simply ask them if they could afford to go out of business. To me, it’s not a conversation about budget, if you don’t protect your business, you don’t have a business – it really is that simple.
That said, if someone was adamant, I’d say they should use multi-factor authentication – much of which is free.
Andy: That’s an excellent point; keeping a business secure doesn’t necessarily result in high expenditure. Take cyber security awareness training, if you don’t want to pay for training for your staff, there are plenty of YouTube videos that’ll do a pretty good job of keeping them up-to-date on hackers’ attack methods.
There still seems to be something of a blasé attitude around cyber security. What would you say to a business owner that claimed that they don’t think they’ll ever be affected by cybercrime?
Chris: To be completely honest, I’d tell them that they were being let down by their in-house IT team or service provider. Yes, cybercrime is a serious threat but, in defence of decision-makers, running a business is no mean feat and keeping up-to-date with cyber security is a time-consuming task. We regularly have conversations with clients about cyber risk because ensuring they’re aware of it and the damage it can cause is our responsibility.
Shane: I’ve found that SMEs tend to have this attitude. Basically, they feel like they’re too small to be attacked but, truth is, it’s not a case of if they’ll be attacked but when. Every business, irrespective of its size, the sector it operates in or anything else will be targeted by cybercriminals.
Andy: I know from personal experience that cybercriminals will happily target anyone in the hope of turning a profit. A friend of mine was the victim of a ransomware attack that encrypted his family photos. If a cybercriminal is willing to encrypt consumer data, you can rest assured they’ll attack organisations of any size.
Chris: I’d add that ROCK offer two free audits, one where we simulate phishing to show how likely it is that employees will click on malicious links and another where we scan the dark web for company information. Both, but particularly the latter, consistently terrify people. In nine out of ten instances, these audits are all that is needed to make decision-makers take cyber security seriously.
We know businesses need to adopt new technology to stay competitive; in fact, we espouse such practices at ROCK. In doing so, however, can organisations generate vulnerabilities that cybercriminals can exploit?
Shane: It’s a definite yes.
Andy: 100% - no grey area at all.
Shane: Any technology, when implemented, can – if it's misconfigured, missing patches, recent firmware etc. – generate gaps in security.
Andy: People typically assume that out-of-the-box products from major brands are inherently safe when, in actuality, the opposite is true. Tech products from large organisations are designed to cater to a broad array of commercial enterprises, public bodies etc. The institutions that design software, cloud services and so on simply cannot create solutions that are inherently secure because it is not possible for them to do so. Different organisations need different cyber security solutions sculpted by the context of their practices.
Take Microsoft: the literature they provide with OS servers states quite clearly that these products should initially be considered fundamentally insecure. They provide an online document that provides guidance for what they refer to as ‘baseline server hardening’. Of course, the term ‘baseline’ strongly implies that the parameters, setups etc. it sets out should already be in place but not even Microsoft knows what basic steps organisations should put in place for their various infrastructures.
Chris: Whenever a business looks to introduce a new line of software or hardware, they need to not just consider costs, ROI, ROO and so on, but also conduct a cyber assessment and determine what vulnerabilities implementation will cause before pulling triggers.
When installing a new phone system, for example, providers will typically request that massive port ranges are left open. It's incredible that the practice still exists because it creates huge vulnerabilities.
Andy: When setting up firewalls, we often use the term ‘pinholes’ when referring to the small gaps this can create. If you needed to leave multiple ports open, it’s akin to an anvil falling through a window – it’ll create huge gaps that cybercriminals could exploit.
Shane: Clients’ vendors will regularly request that they open ports to facilitate installations and, in turn, our clients contact us and request that we open them. As we’ve discussed, though, doing so can bring about significant risk. Before opening a port, you need to ensure that it’s safe to do so. It’s entirely possible someone could be trying to access it and, in the event that you simply opened it, they’d gain immediate access to infrastructures, sensitive data etc.
Andy: The zero-trust framework appears to be gaining some traction and I think all organisations need to adopt it. Essentially, decision-makers should not trust any entity that is inside or outside of their perimeter at any time.
Businesses – and their key stakeholders, in particular – need to be more mindful of the fact that they are responsible for maintaining their cyber security. External vendors, ultimately, are in no way responsible for protecting their customers from cybercrime. Responsibility, ultimately, never extends beyond the organisation itself.
Shane: I think businesses need to be patient when implementing projects and installing solutions, too. AI-driven anti-virus will need to run on critical policies, for example, and this may result in less efficient practices but these will only be temporary and, most importantly, will secure infrastructures.
How has the introduction of GDPR legislation affected cyber security practices?
Andy: Ultimately, it’s made it clear that organisations must maintain secure infrastructures and that they cannot, under any circumstances, discharge this responsibility to anyone else. If a business outsources this charge, they are still accountable if the solutions that are put in place are insufficient.
The other major change is the consequence: prior to this legislation being passed, fines for failing to protect data were essentially capped at £250,000. Now, organisations can be fined up to €20 million or 4% of their annual global turnover. The Information Commissioner’s Office is currently pursuing British Airways for £183 million as a result of poor security arrangements having brought about a data breach, for example.
In short, GDPR has clarified who is accountable and has given regulators more power. In spite of this, though, an alarmingly large number of businesses and decision-makers still aren’t giving cyber security the attention it so clearly warrants.
AI now plays a prominent role in cyber security, but does this potentially create problems in and of itself? Could an organisation rely on it too heavily?
Shane: AI could certainly create problems for organisations but these would stem from cybercriminals adopting the technology rather than their implementation of it.
Chris: People have all seen the films within which the concept of AI has been a central theme. It’s vital that they put any preconceptions they may have formed as a result of this aside before considering how it can be used within organisational settings.
It’s going to be some time before AI is able to manage an organisation's cyber security efforts independently. A human element will still be needed to draw relevant correlations – links that could, potentially, be missed by AI. As it stands, AI and machine learning can take on a lot of the ‘heavy lifting’ requirements but more nuanced attacks could be missed.
Finally, can you summarise what ROCK’s SOC team do for our clients?
Chris: Our SOC team are essentially a team of analysts, passionate about cyber security, who blend their expertise with advanced solutions to protect our clients’ digital infrastructures. They identify trends and patterns, proactively identify necessary solutions, ensure all countermeasures are optimised and more. Basically, cybercriminals will continuously strive to develop newer and more powerful ways of profiting from businesses; our SOC team counter them by keeping up to date with developments and ensuring that our clients are always one step ahead.
I’m firmly of the opinion that, within the next decade, SOC teams will not just be an integral part of all cyber security teams but will be a regulatory requirement within various industries.