Richmond, Surrey, UK, 0900 hours, 28 February 2022 – CISOs must be more alert to new methods, tactics and targets used by cyber-criminals to perpetrate familiar types of attack, according to Infosecurity Europe’s community of security leaders and analysts. The organisers of Europe’s most influential information security event – running from 21-23 June 2022 at ExCeL London – asked its Advisory Council about the biggest cyber threats organisations will face this year.
While individuals, criminal groups and nation states will continue to favour ‘tried and tested’ approaches, they are expected to employ these in novel ways to generate revenue from attacks. “The threats don’t change hugely from year to year, it’s more the sophistication of the threats and the actors that evolve,” says Maxine Holt, Senior Research Director, Omdia. “There will always be organisations without strong cyber-hygiene to defend against those threats, and when they do get through, without an adequate incident response plan.”
Unsurprisingly, ransomware was pinpointed as an area requiring close attention, with Maxine Holt citing ‘double whammy’ ransomware as a particular concern: “The first ‘whammy’ is the attacker locking the data so the victim can’t access it. If the organisation refuses to pay, this can lead to the second ‘whammy’ of the data being exposed or put up for sale, often resulting in a breach of data privacy regulations. Prevention requires defence-in-depth: comprehensive and frequent back-ups, and the use of multi-factor authentication (MFA) and privileged access management (PAM).”
Peter Yapp, Head of Cyber and Partner at Schillings, agrees. “In addition to an increase in the frequency of ransomware, we expect to see more sophisticated attacks, with new methodologies being used. Many countries may try and impose legislation around ransomware payments, but this is unlikely to stop criminals continuing to attack.”
Mark D Nichols, Head of Information Security, Risk and Compliance, Ramsey Healthcare UK points out that protecting an organisation from the impact of ransomware has become harder. “Because ransomware is more prolific, the cost of cyber insurance is going up,” he says. “Some insurers refuse to cover organisations, or the list of controls to make the policy valid is huge. Organisations have to weigh up cost versus reward. And things can go horrendously wrong when firms try to negotiate; some have been getting the decryption keys and finding they don't work. Attackers are also threatening to release sensitive information, including personal data, which could lead to fines.”
Supply chain attacks will also continue to pay significant dividends, including software attacks, says Maxine Holt. “Having a perfectly legitimate organisation spread your attack for you – what’s not to like? It’s incumbent upon the source software provider to take every precaution to protect its code, including open source code, from malicious activity so it cannot be changed or altered during an update or patching process and still appear perfectly legitimate.”
Supply chain risks have risen to the surface due to external factors such as extreme weather and the pandemic, according to Barry Coatesworth, Director Risk, Compliance & Security, Guidehouse. “This has equated to increased risks around who is connecting to your network and supplying resources and services,” he says. “Third party risk assessments only go so far towards solving the problem, because it gets murky when suppliers subcontract out work.” Peter Yapp adds: “Businesses need to realise that their security relies on a web of third-party suppliers, and they’re only as strong as the weakest link. Due diligence should be carried out on any supplier of IT delivered services.”
Peter goes on to emphasise that information security investment overall is still not sufficiently prioritised within businesses or government. “There has been an underinvestment in cybersecurity,” he says. “Change needs to happen from the top, with budget, strategy and systems in place to ensure cyber is a major business focus. Programmes like the UK government’s new cybersecurity strategy, which is focused on being pre-emptive rather than reactive, do increase awareness of threats, but increased funding is needed to make a tangible difference to the risk landscape.”
The insider threat continues to challenge organisations, with negligence and error causing as many problems as malicious intent. “Behavioural analysis of what employees are doing on your network and what data they’re accessing can pick up abnormal behaviour when baselined,” advises Barry Coatesworth. “Education, though, has always been the cornerstone of reducing insider threat.”
Mark D Nichols agrees. “Because we've been working in this agile way for two years, people may be a bit complacent,” he says. “Continuous education is needed to keep everyone alert to the threat, using different media to share key messages. We call out and celebrate when people spot phishing emails, and use it to show what people need to look out for. Our messages are also about being safe in your personal space: how do I put MFA on my social media accounts? How do I turn on privacy settings? Changing people's behaviours generally will have a good impact in the work environment.”
Peter Yapp underlines the need to be aware of the privacy and security risks that exist to us as individuals, and take steps to mitigate them. “This might be opting for MFA on devices, or realising that higher levels of security may mean compromising on speed and efficiency. We can expect to see consumers being more vocal about their security, and in turn, businesses placing more emphasis on and funding behind their cyber programmes. Board-level interest will increase.”
Rik Turner, Principal Analyst with Omdia, anticipates that not all individuals will find it easy to adjust their behaviour. He says: “The Zero Trust approach, for example, can be expected to meet with resistance across the organisation. C-level executives may have grown accustomed to a broad ‘access all areas’ entitlement and resent being reined in. Developers and sysadmins may also resist this kind of approach. A cultural change will be required, and it’s certain to need careful evangelisation to guarantee widespread acceptance and adoption.”
Nicole Mills, Exhibition Director at Infosecurity Group, comments: “A concerted effort to improve threat intelligence is the only way we can anticipate, detect and respond to threats in the current landscape. We’re not looking for major changes in the kinds of threat we need to address, but constant, perhaps subtle, shifts in how attacks are planned and carried out. That’s one of the principal reasons we chose Stronger Together as the theme for Infosecurity Europe 2022, to encourage and facilitate greater collaboration between businesses, law enforcement and government. The more eyes we have on the criminals and their approaches, and the more information and knowledge we share, the more likely we are to stay a step ahead of emerging risks.”
The threat landscape will be covered extensively in the conference programme at Infosecurity Europe 2022 (Tuesday 21 to Thursday 23 June 2022 at ExCeL London). Topics explored on the Keynote Stage will include key threats and adversaries, tackling insider threats, building a security culture, the paradigm change in ransomware, monetisation of threats, Cybercrime-as-a-Service (CaaS), third party risk, how cyber criminals are changing their approaches, and improving detection of known and unknown threats.
Visitors will have the opportunity to engage in discussions around evolving the latest cybersecurity challenges on the Insight Stage, equip themselves with new strategic approaches and techniques to tackle them, and exchange ideas and expertise. In the Talking Tactics theatre, real-world case studies will provide practical and actionable knowledge on how to keep up with the increasing sophistication of security threats, while Security Workshops will help visitors build the practical skills needed to ensure their company is fully prepared to combat cyber-attacks.
Full details about the exhibition and conference programme will be released on the website in the coming months.