Cybersecurity is hard. Technology is continually changing, cyber criminals’ tools and techniques are always evolving and maintaining the security of a network with users who each want to do their own thing without being restricted by security is a constant challenge.
Ransomware remains a significant problem, as cyber criminals threaten to encrypt networks and victims give into their extortion demands for the decryption key, while cybersecurity agencies in the US and the UK have issued warnings about the potential rise in cyber threats as a result of Russia’s invasion of Ukraine.
But while these are some of the most headline-grabbing cybersecurity threats, there are other issues that might not be discussed as much, but are still significant cybersecurity problems that organisations must be prepared to deal with.
And they need to start thinking about them now — before it’s too late.
Remote work is making easy targets for hackers
For many businesses, hybrid and remote working has become the norm in recent years and organisations have shifted towards cloud-based applications and services to enable this.
But while this shift has been effective for productivity and improving employee happiness, hybrid working also comes with additional cybersecurity risks that organisations might not be thinking about — and that’s making life easier for cyber criminals.
“The main concern that remains for me around remote work is inadvertent exposure and public-facing applications,” says Jamie Collier, senior threat intelligence advisor at Mandiant.
For example, cloud applications like Microsoft Office 365 and Google Workspace offer employees the ability to work from anywhere — but if a malicious hacker got hold of their username and password, they could enter the network. That’s especially true if the password is weak enough to be cracked in a brute force attack.
It’s also possible that entire sections of the network containing sensitive information could be exposed to the open internet due to cloud misconfigurations. In these instances, attackers might not even need a password — they can just walk right in and raid the server for exposed information.
“We increasingly see all of those configuration issues and threat groups are actually getting a lot of success — they don’t even necessarily need an exploit because the defenders provided that open goal,” says Collier.
Simple cybersecurity updates are being ignored
But it isn’t just security vulnerabilities in cloud-based applications that are flying under the radar or outright being ignored. For one reason or another, cybersecurity teams often struggle to manage vulnerability management and patching across the board.
Applying security patches as quickly as possible is often said to be one of the best things to help protect networks from cyberattacks — but new vulnerabilities regularly appear, and many information security teams aren’t keeping up.
“The velocity of vulnerabilities to our infrastructure, technologies and tools over the last year has created quite a challenge for organisations,” says Thomas Etheridge, SVP of services at Crowdstrike.
Add to this the unknown security flaws that can lurk within software that many companies use every day and assume is secure. For example, Log4j was a significant vulnerability that emerged in December last year and one which Jen Easterly, director of US cybersecurity and infrastructure agency CISA, described as “one of the most serious that I’ve seen in my entire career, if not the most serious”.
Cyber criminals began trying to exploit it almost immediately and businesses were told to apply the patch as quickly as possible. But months later, many still hadn’t applied the updates, leaving their organisations vulnerable to network intrusions.
And Log4j isn’t the only vulnerability that many businesses have ignored: even older vulnerabilities like EternalBlue, which powered global cybersecurity events like WannaCry and NotPetya, haven’t been patched by some, and cyber criminals are still looking for vulnerable networks they can take advantage of.
In many cases, the vulnerabilities and cybersecurity issues aren’t being addressed because businesses simply don’t have eyes on their network — despite it being a vital element of cybersecurity.
“IT hygiene has been an ongoing problem — understanding what assets you actually have in your environment, what’s connected to your network, what’s the patching status of that? Having viability and understanding the actual security posture of those devices is an ongoing challenge,” says Etheridge.
“It’s the least glamorous, the least sexy, the least recognised part of what security and IT organisations do, but it’s absolutely critical to stay ahead of risk,” he adds.
Business email compromise attacks cost billions
Those risks potentially include data theft, malware attacks, ransomware and even nation-state backed cyber espionage. But one of the most significant cybersecurity threats is also one of the most simple attacks that cyber criminals can carry out: phishing .
Phishing is used in several ways, from stealing sensitive information like bank details and passwords from individuals to being used as the opening stage in sophisticated cyberattacks targeting whole organisations.
All it takes is a convincing email lure and a well-designed fake version of a real website, or any other online service that people use a login name and password to access, and data falls right into the hands of the attackers.
But despite the relative simplicity of phishing attacks, they can be incredibly lucrative for cyber criminals, particularly in cases of business email compromise (BEC) attacks.
As the name suggests, the hackers target businesses using phishing emails and social engineering to target businesses and trick employees into transferring large sums of money to bank accounts owned by the fraudsters.
It might sound simple, but it’s providing cyber criminals with an extremely effective way to make money — according to the FBI, billions of dollars are lost to BEC fraud every year.
“If you actually look at the amount of money business email compromise groups are making, it’s significantly higher than what ransomware groups are making,” says Jason Steer, chief information security officer (CISO) at cybersecurity company Recorded Future.
Many BEC attacks start like any other malicious cyber campaign, using phishing emails or stolen usernames and passwords bought from dark web forums to gain access to the network.
From there, the cyber criminals take time to examine interactions in the inbox, perhaps even using their initial access point to send phishing emails to the compromised victim’s contacts to get hold of their usernames and passwords too. It’s also possible for the attackers to spoof messages from these known contacts.
Either way, they wait for a moment to strike, such as waiting for a significant business deal to be completed, before playing their hand. They’ll take control of a legitimate email account involved with the deal and claim that the money, which is often hundreds of thousands of dollars, needs to be transferred to a particular account and with urgency. Emails that look like they’re from someone’s boss telling them that they need to sort an issue now are particularly effective.
By the time anyone has noticed something is wrong, the money has already been transferred and the attackers are long gone.
“In some organisations, it’s highly likely there’s one financial controller who logs on to the bank account and does the transaction, there’s no other scrutiny before that happens and that’s exactly the thing they’re trying to exploit,” says Steer.
This means it’s vital to have governance procedures in place to ensure that significant financial transactions are legitimate and they’re going to the expected account. Involving multiple people in this decision-making process can help provide the extra layers of protection. It could slow down the transactions, but a deal being slightly delayed in order to follow due process is a better outcome than large sums of money being lost to cyber criminals.
Cybersecurity basics can go a long way
When it comes to securing cloud services, emails and the wider network, there are steps that information security teams can take that can help protect users — and the network — from most cyberattacks.
First, applying security patches as soon as possible prevents cyber criminals from exploiting known vulnerabilities in software to enter or move around networks, so it should be a pillar of cybersecurity strategy for any organisation in any sector.
Rolling out multi-factor authentication (MFA) can also provide a significant barrier to cyberattacks, because it means that — even if a hacker has a legitimate username and password — they’re unable to take control of a cloud service or email account without the user approving it. According to Microsoft, using MFA blocks over 99.9% of attempts at hacking into accounts.
To many people, these measures might sound like basics of cybersecurity — but in order to ensure that people and networks are safe from cyberattacks, the basics need to be put in place before anything else.
“In some ways there’s at least some room for optimism, because the solution is known and it’s actually very simple — it’s about security fundamentals,” says Collier. “A lot of this work is actually making sure that the mundane issues are solved”.
MORE ON CYBERSECURITY