How the cyber security threat landscape is changing
From worms to ransomware in 20 years – how can companies stay on top of threats?
This article originally appeared in the June edition of IT Pro 20/20, available here. To sign up to receive each new issue in your inbox, click here.
The cyber security threat landscape changes fast, and for most companies it’s a struggle to keep on top of the latest trends, each designed to compromise operations.
As detailed in the Sophos 20-year retrospective, we have moved from worms in the early 2000s, to botnets and cyber weapons like Stuxnet in the period to 2012, and are now facing a huge rise in ransomware as a service, alongside nation-state-sponsored attacks, organised crime, hacktivists, and disgruntled insiders or angry customers.
This ever-adapting horizon forced the National Cyber Security Centre (NCSC) – a part of GCHQ – to refresh its 10 Steps to Cyber Security guidance in May. The publication assists FTSE 350 companies, and others, in understanding the upcoming challenges and how to deal with them.
This updated version included details on the growth of cloud services and the shift to home working due to the pandemic, plus an acknowledgement of how the face of ransomware is changing and becoming more severe.
In fact, according to Zscaler’s ThreatLabZ report, ransomware was cited as the third most common and second most damaging type of malware attack in 2020. It’s also estimated that ransomware accounted for 27% of attacks for a total of $1.4 billion in ransom demands, and an average of $1.45 million to remediate an incident.
The recent Colonial Pipeline extortion in the United States is just one example of this, with Colonial Pipeline CEO Joseph Blount confirming it paid a ransom of $4.4 million (£3.1 million).
Sarah Lyons, NCSC deputy director for economy and society, says: "Our 10 Steps to Cyber Security has been - and continues to be - a fundamental guide for network defenders and this update demonstrates our commitment to securing the UK economy.
"Following our advice will reduce the likelihood of incidents occurring but also minimise impact when they do get through."
Taking security seriously
Back in the early 2010s, cyber security was not a clear C-suite priority, whether due to a lack of understanding of the complexities involved or a complacent belief that 'it wouldn't happen to us'. But as the threats have evolved, so have boardroom attitudes.
Robert Hannigan, chairman of US-based cyber security services company BlueVoyant International and a former director of GCHQ, tells IT Pro: "In 2012 it was relatively difficult for us to get boardrooms to take cyber risk seriously; it was typically regarded as a problem for the IT department. Today, there are no CEOs of large companies who do not regard cyber attacks as a major threat to their business.
"Cybercrime business models have become more sophisticated, and some nation states have become more reckless, which is a toxic combination. Unfortunately, what hasn't changed is that many companies are still not taking the basic steps. The [NCSC’s] 10 Steps document was to demonstrate that most cyber risk could be reduced by getting the basics right."
Hannigan adds that although financial services were often the sole focus of cyber crime groups back in 2012, today every sector and business vertical is being targeted.
"Criminals will go after anyone who can pay, and they know that less-protected sectors or extended supply chains are easy pickings,” he says.
Nine traits you need to succeed as a cyber security leader
What characteristics and certifications make a successful cyber security leader?Free download
With critical infrastructure protection now far more crucial when it comes to cyber security, the EU is currently drafting legislation that would focus on this. John Smith, manager and solution architect at Veracode, says: "The Colonial Pipeline attack serves as a stark reminder of why this bill was put forward.
"It opens the eyes of many to how software now makes up the heart of our global infrastructure, and why it’s so important that any and all aspects of critical infrastructure – such as energy and electricity – should be running on software that’s secure by design."
That is brought into stark reality, too, as there is now the spectre of a "triple extortion attack", combining file encryption, data theft and DDoS attacks, according to Netscout.
Netscout cyber security technologist Philippe Alcoy explains: "The nature of these multi-pronged attacks highlights the threat of attack doesn't simply disappear if targeted organisations choose to pay the ransom straight away."
Human vs machine
Human error is often highlighted as the reason why so many cyber attacks succeed, with weak passwords, clicking on a phishing link, or a lack of awareness key to breaking through defences.
But machines are the greater concern now, say many experts, citing vulnerabilities such as API security. Imperva Research Labs found almost 50% of data breaches begin in the web application layer, while in 2020 it discovered API vulnerabilities grew by more than 5% compared to 2018.
"While the number of humans in the world remains fairly constant, the number of machines is exploding,” says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “This is widening the attack surface as increasingly hackers move to abuse machine identities – as seen within a number of high-profile attacks in recent years, such as SolarWinds.
"It's unsurprising Gartner has listed machine identity protection as one of its top security and risk trends of 2021,” he adds. “In the wrong hands, machine identities can allow attackers to hide malicious activity and steal sensitive data. With machine-to-machine communications predicted to account for more than half of all global connections in the next two years, IT leaders must act now to ensure machine identities are protected and managed efficiently."
However, while bigger corporate companies may have the talent, investment and knowledge at their disposal to tackle cyber threats, smaller ones in the private sector and organisations within the public sector, such as schools, councils and hospitals, are increasingly finding themselves in the eye of the cyber security storm.
This is especially true as they digitally transform and move to the cloud, with attacks often driven by stolen or compromised credentials. Netskope’s most recent Cloud Threat Report found 61% of malware – including ransomware – is now delivered from the cloud.
And in a nod to those days in the early 2010s, Redscan CTO Mark Nicholls believes that many smaller businesses across both private and public sectors seem to be either unaware of the potential risks or in a state of denial over the problems they face.
"Many businesses adopt the mindset that they're too small to be targeted, hoping to fly under the radar,” says Nicholls. “The reality is that businesses of all sizes are targeted by cyber criminals and it is those that lack mitigating controls which are likely to be the worst affected."
He added: "For small businesses, resourcing is a definite concern and it's true to say there is a very real cyber security poverty line. However, if ingrained in an organisation's culture, it's possible to find ways to strengthen cybersecurity without having to spend thousands."
IT best practices for accelerating the journey to carbon neutrality
Considerations and pragmatic solutions for IT executives driving sustainable ITFree Download
The Total Economic Impact™ of IBM Spectrum Virtualize
Cost savings and business benefits enabled by storage built with IBMSpectrum VirtualizeFree download
Using application migration and modernisation to supercharge business agility and resiliency
Modernisation can propel your digital transformation to the next generationFree Download
The strategic CFO
Why finance transformation propels business valueFree Download