In 2020, ransomware attacks were more expensive than data breaches, costing companies $4.4 million on average. Ransomware is a type of malware that denies users and admins access to files or entire networks. Once the malware infects systems, attackers will send a ransom note demanding payment in exchange for restored access.
Experts noted a marked increase in encryption attacks in 2020 (150% over the previous year), where cybercriminals steal a company’s data and encrypt it so the company can’t access it. Encryption refers to the practice of transforming original data from a readable format known as plaintext into ciphertext, which can only be interpreted by someone who holds the corresponding cryptographic key. Attackers may offer to restore access in exchange for a ransom; they may also threaten to release the company’s private data unless it agrees to pay. The most common entry point for ransomware is phishing email, in which attackers combine social engineering and spoofing, impersonating a reputable company, to trick people into clicking on malicious links or surrendering their personal information.
Remote work is changing the way companies allow employees to access their corporate networks. Until now, most companies relied on Virtual Private Networks (VPNs) to provide access to their corporate network. However, these are proving inadequate against the ransomware attacks of 2021.
Now that VPNs are on the outs, companies are starting to transition to Zero Trust Network Access (ZTNA), which has emerged as a more secure option for controlling remote access to servers. Gartner predicts that by 2023, 60% of businesses will have phased out VPNs in favor of ZTNA.
One of the most active ransomware families right now is Maze, a sophisticated strain of Windows ransomware. What makes Maze so dangerous is that it operates through an affiliate network: the Maze developers share their proceeds with the groups that deploy Maze inside organizational networks.
In fact, ransomware led to the first reported death associated with a cyberattack. In 2020, a hospital in Germany was locked out of its computer systems and was unable to treat patients. Consequently, a critically ill woman was rerouted to a hospital 20 miles away but did not survive.
AI adoption in cybersecurity is ramping up on both the offensive and defensive fronts—as companies increasingly turn to AI-powered cybersecurity controls, cybercriminals are deploying automated cyberattacks to scale their efforts. AI-powered threat intelligence can recognize patterns in historical data to anticipate future attacks, enabling companies to reduce incident response times and comply with security best practices. The main strength of an AI system is its ability to triage alerts, surfacing only the most critical ones. Data shows that 56% of large companies handle over 1,000 cybersecurity alerts per day, meaning that the bulk of a SOC analyst’s time is spent determining which alerts merit a response and which can be dismissed.
Traditional cybersecurity techniques use signatures or indicators to identify threats, an approach that detects and intercepts 90% of attacks. It works for the types of attacks the system has already encountered, but not for unforeseen ones. The use of artificial intelligence can increase detection accuracy to 95%, but analysts will also receive a lot of false positives. Blending the two is an ideal approach, resulting in a 100% detection rate. AI-powered cybersecurity controls are vulnerable to attack in non-traditional ways, such as poisoning of the training data, which embeds errors in the model and causes it to mischaracterize or fail to recognize a threat; this class of attack is known as adversarial machine learning. The increased adoption of AI in business also makes companies more vulnerable to cyberattacks: more than 60% of companies adopting AI recognize cybersecurity risks generated by AI as the most prevalent threats.
Aside from phishing attempts, one of the primary infiltration points for cybercriminals is unpatched weaknesses in computer systems. Patches are software code fixes for security vulnerabilities and bugs, which cause the software to behave abnormally. All software has bugs—resulting from flaws in design and/or implementation. Bugs can range from minor nuisances that affect nonfunctional requirements (such as loading speed or site capacity) to the potential for a major data compromise. Patch management is the process of identifying, prioritizing, remediating, and reporting on security issues in software or firmware. The goal of a patch management program is to ensure that patches are judiciously implemented companywide.
In the past, internal IT teams were responsible for finding security vulnerabilities and shipping patches across the enterprise, but now most companies rely on SaaS vendors to provide these services without having to install expensive third-party tools. Outsourcing patch management in whole or in part is essential because even large organizations with dedicated IT staff struggle to keep up with patches.
Using outdated legacy systems can weaken an organization’s security defenses, as older software sometimes cannot be patched at all. Organizations also struggle with patching third-party applications, most notably web browser plugins. Patches are typically issued after a vulnerability has been found, either by the organization that uses the software or by the vendor, so applying the patch in a timely manner is absolutely critical. Once a vendor issues a patch, it is the company’s responsibility to apply it.
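The identify, prioritize, remediate and report cycle described above, as an added example (not code from any patch-management product): it compares a constructed fleet inventory against constructed vendor advisories, ranks missing patches by severity and age against assumed SLAs, and flags end-of-life software that cannot be patched and needs isolation or replacement instead.

```python
# Patch-management reporting pass: identify, prioritise and report missing
# patches across an inventory. Added illustration, not any product's code; the
# inventory, advisories, SLA days and version scheme are constructed assumptions.
from datetime import date

# Constructed fleet inventory: (host, product, installed version).
INVENTORY = [
    ("web-01", "appframework", "2.3.31"),
    ("web-02", "appframework", "2.3.32"),
    ("legacy-01", "oldplugin", "11.2"),
]
# Constructed vendor advisories. "fixed": None means the vendor published no
# fix because the product is end-of-life, so every installed version is affected.
ADVISORIES = [
    {"product": "appframework", "fixed": "2.3.32", "severity": "critical",
     "released": date(2021, 3, 1), "supported": True},
    {"product": "oldplugin", "fixed": None, "severity": "high",
     "released": date(2021, 2, 1), "supported": False},
]
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}  # assumed remediation SLAs


def version_tuple(v):
    """'2.3.31' -> (2, 3, 31) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def patch_report(inventory, advisories, today):
    """Return one finding per (host, advisory) where the host is still exposed,
    ordered by severity then by how long the patch has been outstanding."""
    findings = []
    for host, product, installed in inventory:
        for adv in advisories:
            if adv["product"] != product:
                continue
            exposed = adv["fixed"] is None or \
                version_tuple(installed) < version_tuple(adv["fixed"])
            if not exposed:
                continue
            age = (today - adv["released"]).days
            findings.append({
                "host": host, "product": product, "severity": adv["severity"],
                "days_outstanding": age,
                "overdue": age > SLA_DAYS[adv["severity"]],
                # Unsupported legacy software cannot be patched; it needs a
                # compensating control, not a patch ticket.
                "action": "patch" if adv["supported"] else "isolate_or_replace",
            })
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], -f["days_outstanding"]))
```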
In fact, the infamous Equifax data breach, which exposed the personal data of 143 million customers, is a prime example of poor patch management. The data breach was caused by a failure to patch a known vulnerability in Apache Struts. Overall, the breach has cost the company over $1.7 billion since it was first disclosed in 2017.
According to a report from VMware, 50% of cyberattacks today target not only a network but also those connected to it via a supply chain. A supply chain attack occurs when cybercriminals gain access to an organization’s computer networks via a third party, such as an external vendor or service provider. This has radically altered the attack surface for enterprises in recent years, now that more suppliers and service providers touch a company’s sensitive data than ever before. In a supply chain attack, hackers actively exploit weak links in the supply chain to gain access to a target organization. Supply chain attacks typically begin with an Advanced Persistent Threat (APT), in which attackers gain in-depth, unauthorized access to a computer network and observe the victim’s activities over a period of time in order to determine a way in via whichever third party has the weakest security defenses.
In fact, the high-profile SolarWinds attack in 2020 represented one of the most devastating supply chain attacks, in which cybercriminals infiltrated over 250 federal agencies, including the U.S. Treasury Department, State Department, Energy Department, and even parts of the Pentagon. Other victims include Fortune 500 corporations like Microsoft, Cisco, Intel, Deloitte, and FireEye—the cybersecurity company that first uncovered the attack. All of these federal agencies and companies affected were customers of SolarWinds, a Texas-based cybersecurity company.
When a software company is hacked, it sets off a chain of events that leaves its customers vulnerable to a breach, which is why hacking the “supply chain” can have more catastrophic consequences than targeting a specific company or government entity.
For example, if the hack goes undetected and the company ships a software update that contains a virus or malware planted by the hackers, all of the company’s clients who download the update will be infected, which is what happened in the case of SolarWinds. With cloud computing enabling automatic software updates, the effect of such hacks can be immediate.
Extended Detection and Response (XDR) is a cybersecurity technology that monitors and mitigates cyber threats. XDR collects and automatically correlates data from multiple security layers—email, endpoint, server, cloud networks—so threats are detected faster. Ordinarily, IT staff would be dealing with each security layer individually, responding to security alerts and monitoring for suspicious activity in a silo. This is known as layered visibility.
XDR gives visibility across networks, clouds, and endpoints. It does so by ingesting and distilling multiple streams of telemetry (data on real-world usage), enabling organizations to run more thorough investigations and detect threats faster. IT teams are often overwhelmed with security alerts triggered by multiple solutions and have few ways to correlate and prioritize them. XDR allows them to deal with all alerts in one place: the software automatically ties together a series of lower-confidence activities into a single higher-confidence event, surfacing fewer alerts that have already been prioritized. Most importantly, XDR enables a proactive rather than reactive approach to threat detection and response.
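The alert triage the AI section describes and the XDR correlation just above, as an added example that is not code from any XDR product: four constructed low-confidence alerts from the email, endpoint and cloud layers are chained per user within an assumed time window, and only the chain whose combined score crosses an assumed threshold is surfaced as one incident.

```python
# XDR-style correlation: chain weak alerts from several security layers into one
# higher-confidence event. Added illustration, not any vendor's code; the event
# schema, scores, window and threshold below are assumptions.
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry from the email, endpoint and cloud layers.
EVENTS = [
    {"ts": "2021-03-02T09:01:00", "layer": "email", "user": "alice",
     "signal": "attachment_from_new_sender", "score": 0.2},
    {"ts": "2021-03-02T09:04:00", "layer": "endpoint", "user": "alice",
     "signal": "office_spawned_powershell", "score": 0.4},
    {"ts": "2021-03-02T09:06:00", "layer": "cloud", "user": "alice",
     "signal": "login_from_new_country", "score": 0.3},
    {"ts": "2021-03-02T14:30:00", "layer": "endpoint", "user": "bob",
     "signal": "office_spawned_powershell", "score": 0.4},
]
WINDOW = timedelta(minutes=30)  # assumed: alerts further apart are not chained
THRESHOLD = 0.6                 # assumed: combined score that becomes an incident


def combined_score(scores):
    """Noisy-OR: independent weak signals raise confidence, never above 1."""
    return round(1.0 - math.prod(1.0 - s for s in scores), 3)


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Per user, chain alerts arriving within `window` of the previous one and
    surface only chains whose combined score reaches `threshold`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    incidents = []
    for user, evs in by_user.items():
        chains, chain = [], [evs[0]]
        for e in evs[1:]:
            gap = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(chain[-1]["ts"])
            if gap <= window:
                chain.append(e)
            else:
                chains.append(chain)
                chain = [e]
        chains.append(chain)
        for c in chains:
            score = combined_score(e["score"] for e in c)
            if score >= threshold:
                incidents.append({"user": user, "score": score,
                                  "layers": sorted({e["layer"] for e in c}),
                                  "signals": [e["signal"] for e in c]})
    return incidents  # the 4 raw alerts above collapse to 1 incident for alice
```

Bob's lone endpoint alert stays below the threshold and is never shown to an analyst, while Alice's three weak signals across three layers become one prioritized event.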
Surprisingly, one of the top cybersecurity threats affecting an organization comes from individuals within the organization, such as current and former employees, contractors, and partners. For example, they may disclose, modify, or delete sensitive data—intentionally or unintentionally. Sensitive information includes an organization’s security practices, employee or customer data, login credentials, and financial records.
In 2019, a former employee at Amazon Web Services (AWS) gained access to the personal information of 106 million Capital One credit card applicants and stole data from 30 other companies by breaching Capital One’s AWS storage space. Negligent insider threats include things like falling victim to phishing emails, inadvertently sharing login credentials, or storing data on insecure devices. Intentional insider threats are committed by disgruntled current and former employees who wish to steal intellectual property, sabotage a company or steal data for financial gain.
The rise of remote work has made negligent insider threats even more high-stakes. Weak passwords, unauthorized remote access, and the use of unsecured personal devices create more attack vectors for cybercriminals to exploit. According to Stealth Labs, 30% of data breaches are caused by insiders, with a 47% increase in insider threat incidents in the last two years. Phishing attacks continue to be the main conduit for insider threats, responsible for 67% of insider-related incidents. Forrester predicted that insider data breaches would increase by 8% and account for one-third of all cybersecurity incidents in 2021.
With high-profile companies like Twitter and Dropbox electing to allow remote work for the foreseeable future, cybersecurity controls like cloud data protection and authentication will top the list of CISO budget priorities in 2021. Remote work creates a need for endpoint protection as employees increasingly rely on digital collaboration tools like Zoom and Slack. The biggest threats to organizations include the use of unsecured personal devices, improperly configured home routers, the transfer of sensitive data over unsecured channels, and the use of cloud-based word processors. A study by Rebcyc found that 35% of organizations surveyed plan to accelerate workload migration to the cloud in 2021. One advantage of working in the cloud is that security patches are immediately installed—but this also poses a threat in the event that the cloud service provider falls victim to a supply chain attack (see above). The risks for organizations using cloud services are generally associated with misconfigured storage, poor identity and access management controls, insecure application programming interfaces (APIs), data loss, breaches, and leaks.
These recent changes have led to the rise of secure-by-design principles in the software development process, which means that security and data privacy are baked into the code, rather than an afterthought towards the end of software development.
While SaaS (Software-as-a-Service) companies provide software to customers on a subscription basis, MaaS (Malware-as-a-Service) enterprises lease malware (in the form of software or hardware) in exchange for a subscription fee. Consequently, anyone can become a hacker without any prior knowledge of computer systems, programming languages, or cybersecurity controls. By engaging a MaaS company’s services, customers can lease a botnet, which is a network of infected computers that are programmed to do a hacker’s bidding. The network comprises “zombie” computers that have been infected with malware and can be programmed remotely to execute a range of repetitive tasks, such as sending millions of spam emails, flooding a website with traffic to the point where it crashes, cracking servers, and mining cryptocurrency. Typically, clients are offered a personal account through which to control the attack, as well as technical support. The software is updated regularly, just as if it were legitimate software. With MaaS, the entire hacking process, from identifying potential targets to delivering malware, is completely automated.
Mobile threats accelerated during the COVID-19 pandemic—a trend that is expected to continue. Employees routinely access company data from smartphones, which creates a huge cybersecurity risk for organizations. In fact, 60% of devices interacting with corporate data are smartphones, according to Zimperium. Scammers know people are working from home, accessing work-related software and data on mobile devices, and not taking the same precautions as they would on a traditional computer. Data leakage is widely perceived as the most prevalent cybersecurity threat to enterprises. According to the latest research by IBM and Ponemon Institute, having a purely remote-based team can increase the average cost of a data breach by a whopping $137,000. Most data leakages result from negligence, where employees don’t fully understand which apps can see and transfer their information. Unsecured Wi-Fi networks (at home or in public places), out-of-date devices, and poor password hygiene all make mobile devices vulnerable to attack. One method by which attackers target mobile devices is network spoofing—setting up fake access points that look like legitimate Wi-Fi networks—in high-traffic areas such as coffee shops and airports. These access points carry common names like “Free Airport Wifi” to encourage unsuspecting people to connect. Usually, users are prompted to create an account with an email address and password. The hackers then steal these login credentials and use them to break into the victim’s other accounts, such as PayPal or their online bank, taking advantage of the fact that 52% of people use the same password for multiple (but not all) online accounts.
Another innovation hastened by the rise of the remote workforce, Secure Access Service Edge (SASE) is a network architecture designed to provide organizations with uninterrupted access for their users, no matter where they are located, without compromising security. SASE converges wide-area networking (WAN) and security into a single cloud service that promises easier WAN deployment. Think of SASE as a gatekeeper for corporate computer networks: the architecture identifies users and devices, applies policy-based security measures, and delivers secure access to the appropriate applications or users.
Organizations are increasingly gravitating towards one-stop cybersecurity platforms that offer a full suite of services—such as threat prevention, web filtering, DNS security, and data loss prevention—rather than purchasing and managing multiple point products. Because SASE is a cloud-based service, it can be easily scaled, while allowing organizations to simplify their IT infrastructure by minimizing the number of security products IT teams must oversee.