What are the top cyber security threats that a business owner faces in 2023? One of the biggest cyber threats business owners face today is arising because of the geopolitical landscape, which affects all nations and businesses, and especially big businesses that are running global supply chains. An action by the government in China, for instance, could have an impact on your supply chain, which could then impact you from a business perspective, and something that has started as a geopolitical issue can very quickly manifest itself in a cyber attack. That is one of the biggest threats that today’s organisations are suffering from, and the worst thing is that you can't do much about it.
One of the biggest emerging cyber threats which organisations really need to focus on is AI. A person who has limited or zero experience in compromising environments can suddenly start to write code and exploit and steal data with the help of AI. So, where I was worried about 100 people potentially attacking, attacks could now become more mainstream, and that is going to be a huge challenge that organisations will start to face.
Do smaller businesses face the same risks as the large ones we see being hacked in the news? There are two kinds of risk organisations are faced with, but in small businesses most risks are at an individual level using social engineering, where the attacker might ask themselves, how do I use a person working there to compromise the organisation or compromise a bank account? In big organisations, on the other hand, they might want to steal IPs instead.
What are some misconceptions businesses have about cyber security? There are some good basic patterns that we tend to follow day to day, like when we are driving a car, we drive on the left side of the road, or when you go up the escalator you follow a particular pattern, and those patterns are designed so that people can exist and cooperate in society. There are similar patterns and guidelines for cyber, and organisations have developed a misconception that they need to be focusing on the most leading and complex problem solving, rather than focusing on the basics - you might want to jump 50 steps, but you still need to know how to walk down those steps. I think that businesses really need to ensure that the fundamentals are in a good place before starting on the funky stuff in cyber. There could be bigger problems which you are not focusing on because all your attention is redirected to the new shiny cyber solution of the day.
I was at the InfoSec conference in Europe recently, and of the 100 companies there, I think every one was talking about managed detection and automatic response, and what they will and won’t be able to find for you. What is happening is the industry is creating confusion and misconceptions that this is a bigger problem than it actually is, because they want to sell more shiny things rather than focus on the basics, because that’s where the money is for them.
What are best practices for today and how can businesses avoid cyber threats? I would say education is still the most important thing, and one of the easiest ways to attack today is still, and has always been, social engineering. With the advent of AI, social engineering will become more common, because it will be much easier to put together a profile of a person and understand his or her behaviour much faster; the research which people used to spend days and weeks on to understand an individual and how to compromise an organisation will shrink significantly.
Today’s businesses are changing quickly with the technological landscape, with maybe 10 to 15% iterations every five years, which means that in five years you have what is effectively a completely new company. How do you ensure that people are aware and doing the right thing for their organisation in that time?
Rather than trying to focus on geopolitical issues affecting your business which you can’t fix, the focus should be more around how you can ensure someone using AI is not able to compromise a known problem, or how you can maintain the minimum level of health of the environment, and ensure the basics are being done to a very good level. You should be following the basic principles around user passwords, identity and patching.
There are 5 to 7 things that were universally true 20 years back, and are still true today in cyber security, and the funny thing is that organisations still haven’t got those things right. It’s much easier for me to go to management and tell them AI is becoming a threat, we need to put money into it, rather than going and saying my patching is not in place. Senior management will say you asked for that money 5 years back and ask why you didn’t fix it then. There’s a lot of focus on the fancy new thing because that’s where the budgets get approved.
If you were a cybercriminal, how would you try to gain access to secure data? Generally you have two types of attack, either to steal and sell the data or just to make money. The attacker who steals data may have been tasked to steal specific information for a buyer, or they might have stolen the data to sell to the highest bidder, but they won’t know the value of the data on the open market.
The attackers who just want to make money are becoming more and more prominent, and instead of stealing the data they just make the data unavailable in a ransomware attack. They won’t know the value of that data on the open market, but it could be very important data for that particular company. They will compromise your environment, if you have weak security somewhere and haven’t patched it, and they will gain unauthorised access, then escalate their privileges to get more privileged access to the environment, and once they have their privileged access, rather than stealing the data, they can now encrypt it.
Imagine you have a customer database with a million customer names and details in there. There’s probably limited value today in the market for that customer data, so if you try to sell it in the international market it won’t be worth much, but for the company you’ve attacked it's significantly more valuable, because their business would stop without that data, so rather than stealing it, it’s cheaper to just encrypt it and ask for a ransom to give the data back. Attacks are becoming a lot more targeted, and all an attacker needs to do is to figure out a way to get into that organisation, and the easiest way is still phishing via unsolicited email.
I once ran a test at an organisation just after the performance review period, where we sent an unsolicited mail with “your bonus options” in the subject line. It was a fake mail, but people would typically expect to get an email like that following their performance review, when new salaries have been announced and they were awaiting their bonus information. We got 40% clicks on it. Phishing is still the easiest way to target an organisation, and all an attacker needs is the first foothold in the business; from there they can navigate, escalate, and reach the target they need in a slow attack so it can’t be discovered via traditional tools.
Could you walk us through a recent real life scenario and how the business was affected? I was working for a FTSE50 business that had a cyber attack in which the attacker wiped out the whole network including all laptops, desktops, backups, and their server for supplier management like raising orders and delivering orders. The attacker encrypted the whole server and, in the end, they just had to pay out, but there was a wider impact on the business even after they paid out. It was a manufacturing company selling products into established supermarkets, and in the time their server was down, they started to lose shelf space in the supermarkets, because the supermarket will always just find another product to fill that empty space. So although the attack could last just 30 or 60 days, the impact of the attack can be much bigger.
More people than ever before are now working from home, which has exposed businesses to more threats. What preventive measures would you recommend a business takes to fill those gaps? Before the pandemic, organisations had physical organisational barriers like secure rooms in the office, or surveillance, or special access control, because the work they are doing is confidential so you need a secure setup. Following the pandemic, organisations needed to rethink their definition of security and confidentiality, because people had to work from home. That forced the organisation to rethink what is really critical, and they realised that physical security was still compensating for logical cyber security, especially in small to medium sized organisations that aren’t in the cloud.
Since the pandemic it has become more common to put preventive controls at a data level rather than at the end machine level, and because organisations still need access to confidential or important information, and they couldn't put it on VOID, they might give you a machine with dedicated network connectivity, so you can’t connect any other machine. There are different kinds of extreme measures for specific industries like banking and defence, where they’ve really locked the whole system down because you’re doing complex transactions, for instance, but in general the model of security where physical security compensates for logical security is gone.
For a lot of organisations, using a physical device as a security boundary, perhaps a laptop or a desktop issued by the organisation, has also gone, because a lot of people started to bring their own devices. So effectively all the security which was sitting on the edge had to be moved back into the organisation. There used to be a concept of a zero trust network, but with the pandemic organisations really started to implement the principles of zero trust, where you don't trust anyone, and only the person who is authorised to see the data can see it.
What are the biggest cybersecurity threats you see coming in the next 5 years? I think the biggest cybersecurity threat will be at the point of human and machine interactions. If you look back just 5 years, smart home technology started to arrive, and now it's pretty ubiquitous, and perhaps we don’t even realise we’re living in a smart home, but some portions of it will be, and we’re seeing more and more things become smart. Cars today, for instance, are getting more IoT enabled, and in everything we do and touch our human to machine interactions are increasing, and that interaction always creates a digital footprint and a digital trace. I think attackers will also be able to access that digital footprint and trace to build a profile of you and use that to compromise you or your business. That will be the biggest cyber issue which will start to come in the near future.
Vikas Rungta was the managing director of Accenture for 12 years, and is the CEO and founder at Ravity.io, a B2B SaaS connected mobility platform that leverages the power of connected vehicle data to deliver valuable and actionable insights for customers. He is available to hire via hubbado for your cybersecurity projects.