It’s been the strangest year I can remember since way back in…2020.
It’s been the busiest and most challenging year to date.
From our side, we’re working with a record number of companies. And it’s very encouraging to see just how many decision-makers now truly grasp the cyber threats organisations face and want to take positive action to defend against them.
With that in mind, I think it useful to share what’s been keeping us occupied this year and what we forecast for us all in 2022.
It was Cybersecurity Awareness Month in October. We focussed on the evolution of cybersecurity threats, password vulnerability, business email compromise, and ransomware.
But looking at our web stats, it was phishing that most of you were seeking information on.
Visitors to our site were most concerned about phishing, of which business email compromise is, of course, one manifestation.
The sophisticated psychological manipulation techniques employed with phishing attacks have not, and will not go away.
While many anti-phishing technical defences can be deployed (and if you’re a CISO I don’t envy the myriad options open to you), you can never get away from human error. Good people will sometimes make bad mistakes. While many will undertake due diligence to establish whether that email really was from the MD or FD, others will not. And it’s the hope of finding someone who doesn’t do that due diligence which is behind the 6,000 attempts at BEC every month, according to insurer Focus.
This leads to another important area — the human firewall.
According to IBM, 95% of all cybersecurity breaches are caused by human error. We erect a variety of different technological defences to protect our organisations against cyber threats but perhaps we don’t focus enough on our people.
In September this year, we wrote about how to build a cybersecurity awareness programme that really works.
In it, we stressed the importance of:
While a CISO must engage with all departments, many collaborate specifically with their HR areas to achieve these goals. This cyber-HR axis is vital to ensure staff are trained on the types of attack their organisation may face, how to spot them, and what to do if they spot something suspicious.
HR is involved further in monitoring compliance and identifying where training and awareness are working and where further, more detailed work is required.
This all drives towards creating a cybersecure culture within the organisation.
In January, we surveyed the cybersecurity threat landscape for the pharmaceutical sector with reference to the vulnerability of their intellectual property and clinical trial data.
This is a sector heavily targeted by cybercriminals, with intellectual property theft often the motivation behind an attack. Our article explored other motivations for, and methods of, attack. Going forward we’ll be examining other sectors and the specific cyber threats they face.
With phishing, a credible email might convince an accounts clerk, for example, to make payment on a fake invoice.
But what if you’re an FD and you get a similar request from someone claiming to be your MD? You know the MD personally and deal with him/her every day. Surely you’d know something was wrong?
In 2019, a UK company manager was persuaded to transfer $250,000 to an external account by a cybercriminal using “fake voice tech” to sound like his MD.
This type of deepfake technology, like its video counterpart, continues to improve. We congratulate HSBC’s Voice ID system on stopping £249m worth of fraud in the year to May 2021.
However, despite the bank’s best efforts, nearly a quarter of a billion pounds was still lost to fraud in that time.
While software detection tools to identify fake voice tech exist, they are not completely effective. When a request for an immediate financial transfer is made within your organisation, there continues to be enormous value in requiring staff to verify such requests from a second or even third person.
The financial world held its breath in September 2021 as El Salvador became the first sovereign nation to accept Bitcoin as legal tender. For centuries, the right to create physical or digital money has rested with central banks and governments.
Not anymore. If you purchase a sufficiently powerful mining rig, you can go into the money printing business. The problem is that such rigs cost a lot of money to set up and power.
There are hundreds of millions of computers in the world whose owners pay for their electricity. Cybercriminals have created malware that uses your computer’s processing power to mine Bitcoin and other cryptocurrencies. Any device will do, even a server whose sole function is to open and shut one biometric door.
Cryptocurrency enthusiasts believe that the price of Bitcoin may rise from its current $50,000 to $1m. Companies should be aware that, the higher the price, the greater the incentive cybercriminals have to install malware on their systems.
Another emerging threat that has caught our attention is the targeting of application programming interfaces (APIs).
As more companies move to the cloud, so do their APIs. Potentially valuable data is at risk if APIs are misconfigured and the communication between different programs is not encrypted.
Vulnerabilities in APIs present yet another vector for cybercriminals to exploit. A report from Salt Security highlights the dangers and in their words: “The findings paint a picture of an industry struggling to protect these most vital of assets.”
Time will tell, of course.
I always think of cybersecurity as an arms race. From a technical standpoint, you’ve got a lot of ingenious bad people trying to create havoc for personal gain on one side. On the other side, you’ve got another lot of ingenious good people trying to stop them.
No matter what cyber threats they throw at us all in 2022, we can better protect our organisations by investing both in our technical and human firewalls.
For this year, thanks again for your custom and your trust. For 2022 we’ll see you all on the other side ready to continue the good fight.
© The Security Company (International) Limited 2023