Cyberattacks: how can companies limit the risks in a global environment of growing security threats?

In 2022, 9 out of 10 businesses were targeted by cybercriminals¹. Faced with the increase in attacks, governments are taking concrete action: releasing budgets, strengthening international cooperation, creating new regulation. Companies are well aware of the importance of strengthening the security of their environments, especially as hybrid working is known to increase the risk of attacks: 79% of companies acknowledge that working from home has had a negative impact on their security systems, as risks can come from employees or external partners². Paradoxically, companies have only planned a 10% budget increase this year to tackle this³.
Tip 1: Protection against social engineering and insider threats – a layered approach
With the current waves of layoffs at many technology companies, insider threats could increase exponentially this year. Layoffs can create a flood of disgruntled employees who could potentially harm the business of their former employers, and former employees who had access to sensitive data and/or critical knowledge of the environment could potentially cause irreversible damage.
Social engineering and insider threats are well-identified malicious acts; however, there is no silver bullet to protect organizations from these attacks. Security strategies need to be built into the architecture and design principles of an organization (rather than considered an afterthought) and composed of various complementary defense mechanisms, from people to technology tools. For example, businesses could:
Implement a robust MFA method and use FIDO 2.0 with hardware keys to reduce exposure to 'MFA fatigue' exploitation.
Implement a comprehensive trust policy for devices with extended security tools for end-user devices to complement the MFA method.
Consider RBAC (Role-Based Access Control) and CBAC (Contextual-Based Access Control) as part of business authorization mechanisms. Assign privileges based on employees’ roles and access needs (privileges, system...), and ensure that each employee's access to critical data matches what their role and responsibilities require to perform their job.
Include and refine behavioral detection mechanisms to report and investigate suspicious or unusual activity, e.g. the same user logging in to multiple sessions from different locations or systems.
Build a tailored training awareness program for employees, specifically based on their role and the data they have access to - and then test their awareness with engaging and rewarding methods to enable them to learn from their mistakes.
Develop least privilege access and zero trust models in an organization's security architecture, assigning the least necessary access and permissions to perform specific tasks.
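The behavioral detection mentioned in the list above (the same user logging in to multiple sessions from different locations or systems) can be implemented as follows. This is an added example, not code from the original article or from Box; the event fields, the sample log entries and the 8-hour session lifetime are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample auth events: (time, user, action, session, country, device)
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", "alice", "login",  "s1", "FR", "laptop-01"),
    ("2024-03-01T08:05:00", "bob",   "login",  "s2", "US", "laptop-07"),
    ("2024-03-01T08:20:00", "alice", "login",  "s3", "BR", "unknown-pc"),  # overlaps s1
    ("2024-03-01T09:00:00", "bob",   "logout", "s2", "US", "laptop-07"),
    ("2024-03-01T09:10:00", "bob",   "login",  "s4", "DE", "laptop-07"),   # s2 already closed
    ("2024-03-02T10:00:00", "alice", "login",  "s5", "FR", "laptop-01"),   # s1, s3 expired
]

SESSION_TTL = timedelta(hours=8)  # assumed maximum session lifetime


def find_concurrent_sessions(events, ttl=SESSION_TTL):
    """Return alerts for logins that overlap another live session of the
    same user coming from a different country or device."""
    active = {}   # user -> {session_id: (start, country, device)}
    alerts = []
    for ts, user, action, sid, country, device in sorted(events):
        now = datetime.fromisoformat(ts)
        sessions = active.setdefault(user, {})
        # Drop sessions that never logged out but are past their lifetime.
        for old in [s for s, (start, _, _) in sessions.items() if now - start > ttl]:
            del sessions[old]
        if action == "logout":
            sessions.pop(sid, None)
            continue
        # Compare the new login against every session still open for this user.
        for other, (_, o_country, o_device) in sessions.items():
            reasons = []
            if o_country != country:
                reasons.append("location")
            if o_device != device:
                reasons.append("device")
            if reasons:
                alerts.append({"user": user, "time": ts, "session": sid,
                               "overlaps": other, "reasons": reasons})
        sessions[sid] = (now, country, device)
    return alerts


if __name__ == "__main__":
    for alert in find_concurrent_sessions(SAMPLE_EVENTS):
        print(alert)
```

Only the overlapping login is reported: a login after a clean logout, or after the earlier session has expired, raises no alert, which keeps the signal usable for investigation.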
Tip 2: Scaling to the current threat landscape: rely on automation and artificial intelligence
Companies should not rely solely on humans and manual processes when it comes to security, as Artificial Intelligence has advanced enormously in recent years. AI analyses a staggering number of signals, which would be impossible for a human to handle, and can identify unknown threats or malicious activities to prevent them from spreading in near real time. In this way, defense mechanisms not only keep up with threats, but can also act proactively to reduce the risk of attacks.
Many tools can anticipate upcoming threats such as which types of attacks are most likely, or which employees and teams are most likely to be at risk. In addition, they can automate manual controls and recurring processes such as security policies, which takes the pressure off already busy teams.
Tip 3: Risk exposure is a part of your daily routine: prepare for emergencies with "Red Teams"
Security experts need to raise security awareness amongst their staff and the best way to do this is to simulate real threats. This is done by using so-called "Red Teams", who act like real cyber criminals. In doing so, they have to reveal themselves as late as possible to keep up appearances. Red Teams not only test the security awareness of employees, but also help the security teams themselves to detect, react to and contain a potential crisis without exposing organizations to real threats.
But even without Red Teams, regular tabletop exercises across various organizations should be conducted to learn about how teams will react during a breach. These should be leveraged to enhance incident response procedures and build readiness and reflexes within organizations when those critical situations arise (e.g. social engineering simulations, phishing).
The current global economic and political situation made the work of cybersecurity teams more challenging last year. The situation is unlikely to ease this year. This makes it even more important for businesses of all sizes and sectors to be proactive and to use industry-standard frameworks (NIST, AAA, FIDO 2.0, etc.), as well as Red Teams and AI-based tools to help identify threats early. However, security tools and methods are always evolving and sometimes they overlap. The important thing here is to develop business plans and technology processes that will enable companies to best implement layered security strategies and defense mechanisms, all while raising awareness of the importance of security within organizations, demonstrating that it is the heart of the business and is vital to its continued existence. Security should never be considered an afterthought and should be a priority for all employees - ultimately, security can only be successful if it is seen as a catalyst for moving businesses forward.
This article was originally published in French in IT publication, Journal du Net (JDN).
¹ Dell Technologies Survey: Global Data Protection Index 2022
² Kaspersky IT Security Economics Report
³ Verizon Report 2022