Cyberattacks have remained basic while proliferating in sophistication: Do we have the cyber-maturity?
As new cyberthreats loom over cyber citizens and organisations, the human element in a cyber setup remains the most vulnerable point. New and savvy netizens continue to be vulnerable to the same cyberthreats as before.
The new State of Cybersecurity 2021 Part 2 survey report from ISACA, sponsored by HCL Technologies, indicates that many organizations in India are experiencing an increase in cybersecurity attacks, with 32% of respondents indicating they had experienced more cyberattacks than the year before.
While organisations and governments, including big tech companies, are falling prey, they are also becoming aware and cyber-mature. But are they doing enough?
People: The Weakest Link
People remain the weakest link in the cyber equation of today. Tech support scams, which began as cold calls in the 90s and evolved into fake pop-ups of today, are still a global problem, impacting people of all ages.
While the new generation of netizens becomes savvier by the minute, they are still the ones who fall prey to the various cyberattacks.
Microsoft commissioned YouGov for a new 2021 survey across 16 countries to look at tech support scams and their effect on consumers. According to the survey, three out of five consumers have encountered a tech support scam in the last 12 months. In addition, one out of six consumers was conned into continuing with the scam, with victims losing up to hundreds of dollars.
Also, millennials (aged 24-37) and Gen Zers (aged 18-23) showed the highest exposure to tech support scams. One out of 10 millennials and one out of 10 Gen Zers fell for scams.
World over, the survey found that those conned reported higher engagement in risky online activities. They also “overestimated their abilities with respect to using computers and the Internet.”
With those who continued with a scam, the most common issues in an interaction were reported to be computer problems (30%), followed by compromised passwords (23%) and fraudulent use of credit, debit, or store cards (18%).
Big Tech Isn’t Immune
Even big tech, with enough funds and prowess to deploy the best structures and systems, isn’t immune to these cyberattacks.
Big Apple 0-day in the wild. If you have an elevated threat model (activist, journalist, being harassed, in the public eye, etc) would recommend updating software on all Apple devices within the hour, if possible. All folks with all threat models, by EOD. https://t.co/HY9Uq91Twr
— Rachel Tobac (@RachelTobac) September 13, 2021
Recently, cybersecurity company Trend Micro detected almost 13 million malware events targeting Linux-based cloud environments. For context, 90% of public cloud workloads have been running on Linux since 2017.
In August, Microsoft had to warn thousands of its cloud computing clients about a potential flaw in its cloud, after a research team at security company Wiz spotted a vulnerability in Microsoft Azure’s flagship Cosmos DB database, Reuters reported.
“This is the worst cloud vulnerability you can imagine. It is a long-lasting secret,” Wiz Chief Technology Officer Ami Luttwak told Reuters. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
Same Crimes Higher Numbers
Cyber criminals have become more sophisticated by building on their knowledge over time, driving up the number of attacks. However, the concerns that remain in cybersecurity are still the same. Cyberattacks have remained basic while proliferating in sophistication.
The ISACA report says that while the number of cyberattacks is higher, the concerns are similar. Its research shows social engineering, APT, and ransomware emerging as the top three attack types.
“While respondents indicate that nearly one in three enterprises are getting attacked more, the most frequent types of attacks are similar to those faced in prior years,” it says.
These include social engineering (13% have experienced these attacks this year), advanced persistent threat (APT), ransomware (11%), unpatched system (10%), injection flaws (10%), broken authentication (10%), and sensitive data exposure (10%).
Cyber Secure Policy
Cyberattacks are now so prevalent and their consequences so devastating that government machinery is sitting up and taking notice. It’s not surprising that cyber awareness is seeping into government policy as well.
The Indian Computer Emergency Response Team (CERT-In) identified more than 6.07 lakh cybersecurity incidents in the first six months of 2021, of which some 12,000 incidents were related to government organisations.
Thus, governments have had to sit up and take notice. For example, to help protect US national security, the White House on May 12, 2021, issued Presidential Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. This EO mandates ‘significant investments’ to help protect against malicious cyber threats.
“The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid…security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)),” it said in a statement.
Security or User-Friendliness
While governments might have to take tough stands to protect user data, organisations face the choice of either providing ease of transaction for customers or a secure transaction. Work is on to replace the ‘or’ with ‘and,’ but for now, tough choices ensue.
For instance, in India, the Reserve Bank of India (RBI) is banning the storage of card data by e-commerce sites. This means customers will be forced to enter their 16-digit card numbers manually every time.
While people say goodbye to one-click purchases, organisations and consumers must choose between security and ease of shopping.
The central bank has decided that online merchants may not store debit or credit card information, no matter how secure their systems are.
This means more steps to go through before making an online purchase as well as more failed transactions. While this is tough policy making, naturally unpopular now, it does show merit in the long term.
“When the RBI mandated two-factor authentication, the entire industry was up in arms. Five years down the road, as frauds fell, everyone was all praise and the same practice was adopted globally,” ET quoted a banker.
The RBI suggests tokenization of payment data as the solution, which will mean a collaboration between e-commerce sites and the card network, which will issue them ‘tokens’ linked to each card number. No other entity can use these tokens.
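To make the tokenization idea concrete, here is an added example (constructed for this article, not RBI’s, any card network’s or any merchant’s code) of a toy token vault. The card network keeps the real card number; the merchant receives and stores only a random token plus the last four digits, and the token is bound to the merchant that requested it, so it is worthless to anyone else. The class and function names, the `tok_` prefix and the test card number are all assumptions made for the illustration.

```python
"""Added example: merchant-side card-on-file tokenization (constructed model)."""
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check so the vault rejects obviously malformed card numbers."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class TokenRecord:
    pan: str          # full card number: lives only inside the network's vault
    expiry: str
    merchant_id: str  # the token is bound to this merchant and unusable elsewhere


class TokenVault:
    """Stands in for the card network's token service (assumption: real services differ in detail)."""

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}

    def issue(self, pan: str, expiry: str, merchant_id: str) -> dict:
        """Return what the merchant is allowed to keep: a random token, last four digits, expiry."""
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(8)   # random, not derived from the PAN
        self._records[token] = TokenRecord(pan, expiry, merchant_id)
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def authorize(self, token: str, merchant_id: str, amount_paise: int) -> bool:
        """Approve a charge only for the merchant the token was issued to."""
        rec = self._records.get(token)
        if rec is None or rec.merchant_id != merchant_id or amount_paise <= 0:
            return False
        return True

    def revoke(self, token: str) -> None:
        """Cardholder or issuer withdraws consent: the merchant's stored token stops working."""
        self._records.pop(token, None)


class Merchant:
    """An e-commerce site that never sees or stores a full card number after tokenization."""

    def __init__(self, merchant_id: str, vault: TokenVault) -> None:
        self.merchant_id = merchant_id
        self.vault = vault
        self.customers: dict[str, dict] = {}

    def save_card(self, customer: str, pan: str, expiry: str) -> None:
        # The PAN is forwarded once for tokenization; only the vault's reply is retained.
        self.customers[customer] = self.vault.issue(pan, expiry, self.merchant_id)

    def charge(self, customer: str, amount_paise: int) -> bool:
        record = self.customers.get(customer)
        if record is None:
            return False
        return self.vault.authorize(record["token"], self.merchant_id, amount_paise)

    def holds_full_pan(self) -> bool:
        """Compliance self-check: does any stored field look like a full card number?"""
        return any(
            isinstance(v, str) and v.isdigit() and len(v) >= 12
            for rec in self.customers.values()
            for v in rec.values()
        )


if __name__ == "__main__":
    vault = TokenVault()
    shop_a, shop_b = Merchant("merchant-A", vault), Merchant("merchant-B", vault)
    shop_a.save_card("alice", "4111111111111111", "12/27")  # constructed test number
    print("charge at issuing merchant:", shop_a.charge("alice", 49900))
    stolen = shop_a.customers["alice"]["token"]
    print("same token used by another merchant:", vault.authorize(stolen, shop_b.merchant_id, 49900))
    print("merchant holds a full PAN:", shop_a.holds_full_pan())
```

The two properties worth checking in any real deployment are the ones the script exercises: the merchant database contains no value that could be replayed as a card number, and a token copied out of one merchant is rejected when presented by another.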
Cyber-Maturity in Organisations
It’s high time organisations gear up and show ‘cyber-maturity’, a term referring to an organisation’s ability and degree of readiness to mitigate vulnerabilities and threats from hackers. After all, they are trusted with some extremely important customer information, the loss of which maligns their names as well.
But are organisations doing enough?
According to the ISACA report, organisations are facing obstacles in defining cyber-maturity for themselves. For example, 25% of respondents in its survey said it was hard to communicate the concept of maturity vs. compliance to management.
Other obstacles were cited in selecting a framework or standard to follow, difficulty in scaling, integrating risk with maturity, keeping up with industry threats and trends, and validating assurance that practices are in place.
29% of respondents expected their organisation to experience a cyberattack in the coming year. 34% of the respondents also feel organisations under-report cybercrime.
The report revealed a high preference for the presence of a Chief Information Security Officer (CISO) in an organisation, with 61% of respondents saying their cybersecurity teams report to the CISO compared to 16% reporting to a CIO.
Also, 40% believed cybersecurity training and awareness programs have had a positive effect on cybersecurity awareness in their organisations.
Also, organisations are facing challenges in hiring and retaining cybersecurity talent, with 49% of the respondents saying that they have unfilled positions in the field. Remote working has brought in even more challenges.
A United Front Against Cybercrime
As the vulnerability of organisations, big and small, becomes more and more apparent, partnerships are brewing within the ecosystem to fight cybercrime.
For example, NIST’s National Cybersecurity Center of Excellence (NCCoE) runs a public-private partnership that applies standards and best practices to build modular, easily adaptable example cybersecurity solutions using commercially available technology.
Microsoft is working with NCCoE to implement a Zero Trust architecture project.
It’s clear that the effort and awareness of cybersecurity must be a united effort. While the incidence of a crime still relies to a great extent on the individual, governments and organisations have to pull up their socks.