GLOBAL-WIDE: An Introduction to Cybersecurity Risk
The cyber risk landscape has rapidly evolved over the past year and a half as the COVID-19 pandemic largely forced companies to move to a fully remote or hybrid work environment. The expansion of many companies’ security perimeter and the introduction of new technologies and tools to accommodate the remote workforce have posed numerous challenges for security professionals. In addition, an increase in widely reported breaches and ransomware attacks has placed cybersecurity at the forefront of executives' and boards' concerns. In this article, we explore some of the new or prominent areas of cyber risk and key trends in 2021.
Organisations are viewing life after COVID-19 as a time of renewal, focusing on what’s next and how to capitalise on the changes the pandemic forced upon businesses. With this renewal, we are seeing an acceleration of digital business initiatives, sometimes at a rapid pace in order to capitalise on the current relief afforded to the world before another spike in cases occurs and lockdown ensues.
While digitalisation might not feel new, the accelerated pace will become pronounced as business leaders focus on how to accelerate digital business to ensure the organisation’s survival. This desire to identify and implement solutions that will improve efficiencies and customer experience will unfortunately open the floodgates to cyber risks, propelling enterprise risk management to the forefront of executive and board level concerns, as well as demanding greater investment in vulnerability management programs and quicker mitigation of cyber threats.
Cyber Savvy Boards
Post-pandemic living and relentless media coverage of firms falling prey to cyber criminals have pushed cybersecurity to the forefront of boards' agendas. As a result of the pandemic, companies have extended their network surfaces to include vulnerable home devices and networks while at the same time accelerating digitalisation in an attempt to reach clients remotely. The plethora of cyber-attacks and increased media scrutiny around cyber breaches threaten to compound any financial or regulatory fall-out with reputational damage. In addition, regulators are scrutinising breached security programs and are poised to levy fines should negligence be proven.
In response, we are seeing an uptick in boards taking a proactive interest in cybersecurity matters, such as hiring a board member with security experience (such as a former CISO or a third-party consultant). An organisation’s CISO can expect increased scrutiny around cyber risks, as well as an increase in resources and support. As a result, CISOs who are traditionally technology-focused will need to be prepared for more communication with and tougher questions from the board.
As network edges begin to blur with the growth of Cloud and SaaS tools, it is indispensable that security perimeter defences go beyond traditional network perimeter security. Zero Trust architecture is a set of architecture design principles that incorporates the flexibility, connectivity and scalability expected from networks today, while continually maintaining a secure posture. The underlying concept of a Zero Trust security framework is to treat a network as hostile and remove all inherent trust from the network. An ‘authenticate and authorise everything’ model, based on ‘gaining trust’, reduces the impact of a breach that would otherwise let a rogue or compromised user account move laterally within the network once access is gained.
As with most security frameworks, it starts with ‘identify’. Before deploying Zero Trust it is imperative for a company to understand its network landscape, know its users, and inventory its devices. The recent Sunburst attack demonstrated the impact of “dropping your guard” on trusted services. While service accounts are essential to maintain operations and are the most logical means of vendors accessing and updating the system, these cannot be left unattended or uncontrolled. Understanding, restricting and monitoring user behaviour is all part of the principle of least privilege and Zero Trust.
Arguably, Zero Trust goes beyond network design, and encompasses a new approach of ‘security by design’. Moving legacy architecture to a Zero Trust model is a strategic transformation that cannot be made overnight. A risk-based approach that prioritises business critical functions and keeps users at the heart of the transformation journey will lead to the most effective outcome for the organisation.
The cyber ecosystem around us continues to grow with the ever-increasing list of “smart” devices, such as smart cars, smart phones, smart grids or smart cities. Cyber-physical systems (CPS) that provide a seamless integration between computation and physical components are reshaping the way people interact, respond, and react to engineered systems. While this interconnectivity brings an array of opportunities and advantages, it also exponentially expands the security considerations that now span both the cyber and physical worlds, especially with respect to asset-intensive, critical infrastructure and clinical healthcare environments.
This connectivity and reliance on a bidirectional cyber-physical spectrum carries increased risk as vulnerabilities and threats on CPS mount. Greater legal and regulatory rigour is already showing effects on Internet of Things (IoT) and critical infrastructure-related systems. It is expected that as serious incidents resulting from failure to secure CPS increase, especially when these lead to physical harm to people, destruction of property or environmental disasters, senior management will no longer benefit from shielding behind the corporate veil.
Emergent Cyber Threats and Attack Vectors
1. Augmented Reality (AR)
Affected sectors: Traditional Entertainment, Gaming, Retail, Manufacturing, Engineering, and Healthcare
Augmented reality technologies will usher in new immersive opportunities, but businesses should be aware that attackers will be able to compromise the privacy and safety of individuals when systems and devices are exploited.
Attackers will perform man-in-the-middle attacks on AR-enabled devices and infrastructures, gaining access to intimate and sensitive information in real-time. Ransomware and denial of service attacks will affect the availability of AR systems used in critical processes, such as surgical operations or engineering safety checks. Attacks on the integrity of data used in AR systems will threaten the health and safety of individuals and the reputations of organisations.
2. The Internet of Forgotten Things (IoFT)
Affected sectors: Education, Engineering, Finance, Healthcare and Manufacturing
While IoT devices can provide invaluable data to improve process efficiencies, we are seeing risks posed by multiple forgotten or abandoned IoT devices emerging across many sectors, giving attackers poorly secured, unpatched, network-connected devices to discover and exploit.
IoT devices will be forgotten by organisations and abandoned by their manufacturers. They will be left vulnerable and remain embedded in places such as underground pipes, air conditioning ducts and assembly lines, yet will continue to connect to networks. Nation states, organised criminal groups and hackers will take advantage of these devices, exploiting homogeneous vulnerabilities and using forgotten IoT devices as an entry point into organisations.
3. The New World of the ‘never normal’
Affected sectors: All
Organisations will find themselves in the new world of the ‘never normal’ as established technologies, policies and processes are no longer fit for purpose. Businesses will face a reckoning with rushed digital transformations, amounting to an accrued security debt and a workforce more vulnerable to attack. Organisations will move away from a central office, opting instead for a remote or hybrid working model. This change from a managed and secured workplace to a fractured and disparate landscape will test previously proven security practices.
The overwhelming accumulation of vulnerabilities resulting from security debt will drive this threat. Attackers will exploit weak points, taking advantage of immature, evolving business models and practices.