Organisations worldwide face a fast-evolving threat landscape. And those in the UK and Ireland are no exception.
In the past year, the landscape has developed further. Businesses worldwide have had to rapidly adapt to the challenges of the pandemic, and they commonly did this by accelerating cloud deployments and adopting new software-as-a-service (SaaS) technologies to enable remote working and collaboration. These changes created new and more complex attack surfaces – and cyber-criminals took advantage of this.
Recent Proofpoint research among CISOs and CSOs in the UK&I revealed that more than half (53 per cent) of organisations in the region reported at least one cyber-attack in 2020. Looking ahead, this pace isn’t set to slow. In fact, almost two-thirds (64 per cent) of CISOs/CSOs believe that their organisation is at risk of cyber-attacks in the next 12 months.
Although IT leaders in the region are showing awareness of the level of threat they face, many need to think in new ways if their firms are to be truly effective in protecting against those threats.
Preparing for future threats
Remote working is here to stay for the majority of organisations. However, there’s still some way to go for organisations to manage the new remote-working attack surface.
Over half of CSOs and CISOs in the UK&I (54 per cent) feel that the switch to remote working has rendered existing controls, systems and applications outdated and ineffective in defending against today’s cyber-threats. Indeed, only one fifth (22 per cent) strongly agree that their employees are well equipped to work remotely.
Overall, a majority (64 per cent) consider that implementing a remote working policy across 2020 has left their business more vulnerable to cyber-threats.
Despite the proven challenges brought by teleworking, ransomware remains the major threat keeping CISOs awake at night. Our research found that in the next 12 months, 46 per cent of CSOs and CISOs in the UK&I believe that ransomware, or other forms of extortion perpetrated by outsiders, will be the biggest cyber-security threat to their organisation. This was followed by cloud account compromise (39 per cent), insider threats (33 per cent), and phishing (30 per cent).
While these predictions largely align with current trends, worryingly, less than a quarter (24 per cent) of CISOs and CSOs in the UK&I consider impersonation attacks and business email compromise (BEC) attacks to be the potential biggest cyber-threats to their organisation in the next year. These financial fraud attacks are the most expensive cyber-threats globally – the FBI estimates losses at $26.5 billion over three years, and cyber-liability insurers say payments for BEC are greater than all other cyber-claims combined. These threats are not as high profile as ransomware, but it’s essential that IT leaders in the region correctly understand the relative risk levels.
Human error and security awareness
Where cyber-criminals once focused their attention on our networks and infrastructure, it is now increasingly our people who are coming under attack. Whether via malicious links, account compromise, or social engineering, threat actors have turned their attention to what, for many organisations, was expected to be the last line of defence.
Unfortunately, despite “security awareness” programmes, for many firms this last line of defence is often poorly motivated and ill-prepared. Over half (55 per cent) of IT leaders in the UK&I believe that, despite all other security protections, it is human error and lack of cyber-security awareness that present the most significant risk to organisations.
Common employee behaviours likely to result in cyber-vulnerability include clicking on a malicious link or downloading a compromised file (43 per cent), followed by falling victim to phishing emails (39 per cent), intentional leaking of data (35 per cent), use of devices and applications (35 per cent), and mishandling of sensitive information (35 per cent).
Despite these recognised concerns and awareness of potential employee mistakes, inadequate training programmes remain commonplace. The majority of UK&I CISOs and CSOs (72 per cent) admitted to training their employees on cyber-security best practices as infrequently as twice a year or less, with only 28 per cent running a programme three times a year or more.
It’s a struggle to create communication so compelling that employees will internalise it and change their existing behaviour with so few touch points. Such programmes will likely push “awareness”, but not reach the real goals of behavioural change or the creation of a supportive security culture, and it’s only these two stages that can have a real impact on detecting and deterring such attacks.
Putting people at the heart of your defence
Irrespective of the means of attack, threat actors continue to take advantage of the human factor.
While CSOs and CISOs across the UK&I clearly recognise the cyber-risks faced by employees and are prioritising their response and 2021 investments accordingly, there seem to be moments of disconnect in grasping the scale and importance of some vectors, such as the true threat of BEC attacks and the correlation between cloud account compromise and insider risk management. Both of these threats are significant and growing, fuelled by the global shift to remote working.
A people-centric strategy is a must for organisations. This starts by recognising that the majority of attacks target people, and that these commonly arrive via email. Identify your most vulnerable users and ensure they are well defended from the majority of threats, but also equipped with the knowledge and the tools to defend your organisation.
Along with these technical solutions and controls, it is essential that a comprehensive training programme sits at the heart of your cyber-defence. Training should be regular, comprehensive and adaptive, and cover a range of topics – ensure that staff understand the real significance of cyber-attacks and how these can have real consequences for their job and personal life. Only then will they develop the motivation to truly become part of the solution.
by Andrew Rose, Resident CISO, EMEA, Proofpoint