Cyber security threats facing organisations
Let us start by saying that the cyber security threats facing each organisation will differ. For some the challenges could be more internal, in getting everyone to take responsibility for cyber, getting the board to move away from the “it won’t happen to us” mentality, or even malicious insiders. For others, they could be the target of sophisticated nation-state attacks.
This blog looks at some of the more common threats facing all organisations, and ways that they can all be combatted. Most of these common threats aren’t especially sophisticated and rely on pushing campaigns out far and wide, knowing that some companies will be breached. When applying any of this advice to your organisation, you should view everything with your specific lens, covering your people and culture, network, data, industry, suppliers and customers to name a few. At e2e, we run these as ‘threat workshops’, taking external threats and applying them to the specific customer context, with the result being a series of processes mapped to different eventualities, alongside a tailored roadmap to continuous cyber improvement, not an instant fix.
With that in mind, let’s look at three of the biggest cyber security challenges facing organisations today:
Ransomware
Ransomware is everywhere in the news at the moment and with good reason. A recent study by Fortinet found that 67% of organisations had been a ransomware target, and another Fortinet report put the increase in ransomware at 1071% over the last 12 months. These numbers make for worrying reading, especially when you consider that the trend will likely continue as long as threat actors keep making money out of it.
Ransomware has evolved rapidly in recent months and years, with reports of up to four techniques being combined (‘quadruple extortion’) to try to force victims to pay:
- Encryption – the traditional method; victims pay to regain access to their network and encrypted files
- Data theft – attackers steal data before encrypting and then threaten to publish it if the victim does not pay, so restoring from backup no longer removes the leverage
- Denial of Service – attackers launch DoS attacks against the victim’s websites, giving customers and the media clues that something is wrong
- Harassment – customers, employees, media and partners are contacted directly and told that the organisation has been hacked
Ransomware is particularly concerning because, unlike a nation-state (and generally sophisticated) attack, anyone can be a target: if an organisation cannot operate, it is likely to pay, so SMEs, schools and charities are all targets. This is even more the case now that Ransomware-as-a-Service (RaaS) removes the cost and technical skill needed to launch an attack.
In general, a ransomware attack will start with either a phishing attempt or an attack on internet-facing systems (‘external service compromise’, covered below).
We’ll review ways to combat all of the challenges mentioned here at the end, but ransomware in particular is very noisy once it is running: it leaves traces at every stage, from the initial phishing attempt and compromise, through lateral movement and data theft, to the encryption itself. With a 24/7 monitoring service (such as our SOC-as-a-Service), you can spot the attack at each of those stages and take appropriate action before it reaches the next one. The key challenge with ransomware is not that organisations don’t get thousands of alerts; it’s that they don’t have the people or processes in place to deal with them.
Watch our video to see what the different stages of a ransomware attack look like through the eyes of a SOC.
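As an added illustration of the stage-by-stage visibility described above (example code written for this page, not e2e’s SOC tooling), the rule set below tags constructed endpoint and network events with the ransomware stage they indicate: an Office application spawning a script host (initial access), one account reaching many hosts in a short window (lateral movement), shadow-copy deletion followed by a burst of renames to one new extension (encryption), and a large volume sent to a single external address (data theft). The event schema, the thresholds and the sample events are all assumptions chosen so the script runs offline; a real SOC would source these from EDR, Windows security logs and flow telemetry.

```python
"""Stage-tagging rules over constructed endpoint and network events (illustrative only)."""
from collections import defaultdict

# Assumed thresholds; tune against your own baseline before relying on them.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
LATERAL_HOSTS = 5                 # distinct hosts one account reaches inside WINDOW
RENAME_BURST = 20                 # files renamed to the same new extension inside WINDOW
EXFIL_BYTES = 500 * 1024 * 1024   # bytes to one external address inside WINDOW
WINDOW = 60                       # seconds


def _window_hits(events, key, measure, threshold, window=WINDOW):
    """Group events by key(); yield (key, score) the first time measure() over any
    sliding window of `window` seconds reaches threshold."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    for k, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            score = measure(evs[lo:hi + 1])
            if score >= threshold:
                yield k, score
                break


def detect_stages(events):
    """Return (stage, subject, reason) findings for the constructed event schema."""
    findings = []
    by_kind = defaultdict(list)
    for e in events:
        by_kind[e["kind"]].append(e)

    # Initial access / encryption prep: single-event process rules.
    for e in by_kind["process"]:
        if e["parent"].upper() in OFFICE_PARENTS and e["image"].lower() in SCRIPT_HOSTS:
            findings.append(("initial_access", e["host"], f'{e["parent"]} spawned {e["image"]}'))
        if e["image"].lower() == "vssadmin.exe" and "delete shadows" in e["cmdline"].lower():
            findings.append(("encryption_prep", e["host"], "volume shadow copies deleted"))

    # Lateral movement: one account authenticating to many distinct hosts.
    for user, n in _window_hits(by_kind["logon"], key=lambda e: e["user"],
                                measure=lambda evs: len({e["dst_host"] for e in evs}),
                                threshold=LATERAL_HOSTS):
        findings.append(("lateral_movement", user, f"{n} distinct hosts reached in {WINDOW}s"))

    # Encryption: burst of renames to one new extension on a host.
    renames = [e for e in by_kind["file"] if e["op"] == "rename"]
    for (host, ext), n in _window_hits(renames, key=lambda e: (e["host"], e["new_ext"]),
                                       measure=lambda evs: len({e["path"] for e in evs}),
                                       threshold=RENAME_BURST):
        findings.append(("encryption", host, f"{n} files renamed to {ext} in {WINDOW}s"))

    # Data theft: large outbound volume to a single external address.
    for (host, dst), b in _window_hits(by_kind["netflow"], key=lambda e: (e["host"], e["dst_ip"]),
                                       measure=lambda evs: sum(e["bytes_out"] for e in evs),
                                       threshold=EXFIL_BYTES):
        findings.append(("exfiltration", host, f"{b // 2**20} MiB sent to {dst} in {WINDOW}s"))
    return findings


def build_sample_events():
    """Constructed sample: one attack chain plus benign noise that must not alert."""
    ev = [
        {"ts": 0, "host": "WS01", "kind": "process", "parent": "WINWORD.EXE",
         "image": "powershell.exe", "cmdline": "powershell -enc ..."},
        {"ts": 5, "host": "WS02", "kind": "process", "parent": "explorer.exe",
         "image": "OUTLOOK.EXE", "cmdline": "outlook"},                      # benign
        {"ts": 600, "host": "FS01", "kind": "process", "parent": "cmd.exe",
         "image": "vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    ]
    for i in range(6):   # one service account fans out to six servers in 30 s
        ev.append({"ts": 300 + i * 6, "host": "WS01", "kind": "logon",
                   "user": "CORP\\svc_backup", "dst_host": f"SRV{i:02d}", "logon_type": 3})
    for i in range(2):   # benign admin touching two servers
        ev.append({"ts": 310 + i * 10, "host": "WS03", "kind": "logon",
                   "user": "CORP\\admin.jane", "dst_host": f"SRV0{i + 1}", "logon_type": 3})
    for i in range(25):  # mass rename on the file server
        ev.append({"ts": 610 + i, "host": "FS01", "kind": "file", "op": "rename",
                   "path": f"\\\\FS01\\finance\\q3_{i}.xlsx", "new_ext": ".lockd"})
    for i in range(3):   # benign: a few .bak renames
        ev.append({"ts": 620 + i, "host": "WS02", "kind": "file", "op": "rename",
                   "path": f"C:\\tmp\\f{i}.txt", "new_ext": ".bak"})
    for i in range(5):   # 700 MiB to one external address in 40 s
        ev.append({"ts": 900 + i * 10, "host": "FS01", "kind": "netflow",
                   "dst_ip": "203.0.113.7", "bytes_out": 140 * 1024 * 1024})
    return ev


if __name__ == "__main__":
    for stage, subject, reason in detect_stages(build_sample_events()):
        print(f"{stage:18} {subject:18} {reason}")
```

Each rule fires on a different stage, which is the point of the section above: the same attack produces five separate opportunities to intervene, and the earlier ones (the macro spawning PowerShell, the fan-out of logons) come well before any file is encrypted. The thresholds here are deliberately simple; in production the lateral-movement and rename rules in particular need a per-environment baseline, or backup and patching jobs will trip them.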
Business Email Compromise (BEC)
Whilst ransomware gets more of the headlines, BEC costs businesses far more in reported losses. According to the FBI’s 2020 Internet Crime Report, BEC accounted for some 37% of all cyber-related losses in 2020. It’s fair to say that ransomware is underplayed in those figures, as they count only direct loss (mostly ransom payments) and not reputational damage or the cost of getting systems back up, but whatever the true values and ranking, BEC is another significant challenge for organisations.
BEC is a type of spear phishing attack, with a more specific aim of tricking individuals into transferring money, or revealing important information (that may support a ransomware attack), such as login credentials.
Sometimes the goal of an initial compromise (which may itself follow a successful ransomware attack) is to camp out in the network with malware, watching email and network traffic to learn how users interact, and then to use that knowledge to the attacker’s advantage in BEC. A common example is an attacker pretending to be a senior figure (e.g. a CEO or CFO) and asking a member of the finance team to urgently pay an invoice to a supplier.
BEC tends to use more sophisticated social engineering elements than a traditional ransomware-phishing attack, gathered from the ‘camping out’ stage – understanding calendars (e.g. when a CEO is in a meeting with a particular supplier, they may activate the phishing email asking for payment) as well as learning the style of communication to make the emails seem more legitimate and reduce questions asked.
External Service Compromise
External service compromise is a broad term for attackers scouring the internet for exposed services with exploitable vulnerabilities, whether publicly known flaws or zero-days they have found or bought. This can include web applications, SaaS compromise, remote access services, misconfigured cloud services or simply external ports left open, for example after a test development build.
The NCSC breaks the external interfaces of a service down into three types of network from which it can be attacked:
- Internet - as the service can be accessed from any internet connected device, attacks can be launched from anywhere. The service provider should be routinely testing to ensure any public-facing areas are secure.
- Community network - a cloud service set up for a particular group of users and only accessible via that network is obviously less exposed to remote attackers. In order to get in, attackers would need access to the community network, either by getting into it or by compromising someone with access to it.
- Private network - attackers attempting to get into a cloud service exposed only to a private network will need to compromise that private network first. However, depending on the level of service there may be additional routes in, for example if the provider also offers internet connectivity.
The different attack vectors make it hard to defend against as there are elements of human error, third parties and technical configurations, meaning that if one of these isn’t quite right, there’s potential for a route in.
Defending against these threats
So – we’re all suitably terrified now, what can we do about it? In general, most types of attacks overlap in some capacity, for example a ransomware attack may include both phishing and external service compromise in order to get into a network. A BEC attack may have the goal of getting credentials to run a bigger ransomware attack and so on.
As we stated at the start of this blog, most organisations generally don’t need to worry about the sophisticated attacks as the time and cost to run these is normally only reserved for high-profile, high-value targets. By improving general hygiene and following some simple steps, all organisations can protect themselves from the majority of attacks:
Firstly, organisations must accept that now, more than ever, they are potential targets for a cyber-attack, either directly as part of a mass campaign or as collateral damage from a supply chain attack. With the increasing success of ransomware, the target organisation no longer needs to hold anything of particular significance to be worth attacking. By simply locking an organisation out of its network and preventing it from working, a ransom can be demanded, whether you’re an SME, school, charity or multinational.
Having accepted that your organisation can and will be a target of a cyber-attack, it’s time to take control of your own defences. This doesn’t mean you need to deliver every bit of defence yourself, but you need to take ownership for your cyber security roadmap and building out defences, including the decision as to whether you have in-house or outsourced teams (read our blog on the pros & cons of a hybrid outsourcing SOC model).
Find a trusted advisor
It’s always worth finding a third-party advisor you can trust to support your long-term strategy. The challenging bit is defining what ‘trusted’ means. In our minds, it’s someone who shares your high-level objective, namely improving your cyber security. Whilst that sounds like something every advisor would want for their customers, there will always be a conflict of interest with those who also sell technology: with the best will in the world, their account managers will be targeted on upselling additional tech or licences.
That’s not to say that the technology recommended won’t improve your cyber security, but by working with an organisation only focused on improving your security posture (without it impacting their revenue), you’ll know that any recommendations are part of the wider plan of continuous cyber improvement.
Build and implement a long-term strategy
This is where working with a trusted advisor can really support your continuous cyber improvement. Finding an organisation that has those shared goals and has experience in building out effective cyber roadmaps, based on your specific challenges can go a long way to protecting you.
A good long-term cyber improvement plan focuses on three key areas:
- Assess - your current cyber security posture, covering your assets and data, your threats, current cyber technology, processes, policies, people and the aspirations of the business;
- Build - starting with improving basic hygiene, hardening systems and running incident simulations, then moving on to employee awareness, building the processes and people to protect you, and potentially even reducing your tech stack;
- Mature - constantly reviewing and moving on to the next improvement needed. There will be regular iterations of the assess and build stages; maturing is about choosing what to improve next, knowing that you can’t do it all in one go, but that iterative changes quickly strengthen your defences against the next biggest threat.
This sounds easy on paper and clearly, it’s a long process spanning many years, but it allows you to focus internally on the biggest priorities for spend, without being rushed into buying a single piece of technology touted as the one thing to make your organisation Fort Knox. It also allows cyber teams to bring the board along with them, knowing that whilst there will no doubt be a need to make big tech purchases in the future, it’s all part of a bigger plan to close your main vulnerabilities first, to get the best ROI.
Get in touch
If you need help with any of the challenges and solutions above, then get in touch with our team today via [email protected] or by filling out the form below to discuss how we can support your organisation.