Cyberattacks though commonly reported as sophisticated, often are not. They are surprisingly simple and usually financially motivated. It seems so often that the media report that another so-called “sophisticated cyberattack” has breached a company’s security defenses causing widespread disruption at a huge financial cost. But cybercriminals' methods are not always sophisticated, and they will always choose the least noisy hacking technique that comes at the lowest cost. Today this typically means targeting humans and abusing their trusting nature.
For many companies today, incident response is in the spotlight. Their leaders are all too familiar with the idea: It’s not a matter of if you’ll become a victim, but simply when you’ll become a victim. After a breach, companies are inclined to point to the sophisticated nature of the cyberattack, implying they did everything to protect their sensitive data and that the cybercriminals or nation-state were highly skilled and well-funded, so it was not preventable. My job in cybersecurity is to reduce the risks to the business and keep cybercriminals out of the network and in my experience, most cyberattacks are not as sophisticated as they seem.
If it’s not sophistication, what is it?
Sophistication is a big assumption that is made about most cyberattacks, but what is the reality? The reality is that the cyberattacks carried out by most cybercriminals are quite simple, but they do invest a huge amount of time in preparing and planning the attack. The goal is to use their reconnaissance results to find an attack path that will be successful, create as little noise as possible in order to remain undetected and incur the least cost in performing the hack. Cybercriminals search for the weakest access point to an organization’s network and systems hoping to find misconfigurations, trusting and unsuspecting employees to exploit, default credentials and weak supply chain security.
The majority of data breaches typically result from poor security implementations, whereas the hacking is conducted by cybercriminals (not hackers), who are mostly financially motivated, using the cheapest and stealthiest technique.
What are the most common ways of launching cyberattacks on companies?
Company and personal email continue to be the top payload technique for delivering malicious malware. Office documents are typically used to compromise the devices, and the technique used to gain the trust of employees are phishing scams trying to lure people into clicking on hyperlinks ultimately and unknowingly giving up their credentials and passwords. Given that password reuse is a major issue, cybercriminals usually have access to almost all accounts.
The 2019 Verizon Data Breach Investigations Report indicated that the most common techniques used to compromise companies are phishing and stolen credentials, while over half of the breaches took months or longer to discover. Once a cybercriminal has one foot in the company’s door, they search for privileged accounts and credentials — also known as the "keys to the kingdom" — in order to move around the networks locating sensitive information. They then use the privileged accounts to extract data and cover their tracks to stay undetected for months or even years.
What can you do to reduce the risks?
Cybersecurity experts must educate others on how to protect their passwords by employing more efficient automated IT processes in order to safeguard their customers and employees from stolen passwords to identity theft.
Cyber awareness training is working, but organizations need to keep developing a culture of cybersecurity. We need to get the balance between people and technology right. There is too much complexity in the cybersecurity industry which is also contributing to the huge skill shortage, and it is crucial that we make it simpler and easier to use if we want people to adopt the technology. Here are my tips:
• Make cybersecurity a company culture where cybersecurity starts at home. Provide employees with skills that work beyond the office, empowering employees to take those skills home with them and share with family and friends.
• Implement cybersecurity mentor programs. The best way to engage with different departments within the organization is to have a cybersecurity mentor or ambassador program. I find the best employees that make successful cyber mentors are sometimes previous victims as they know what the impact can be.
• Listen to employees and peers to understand business risks. Our job in cybersecurity is to help employees be successful and the only way to know how to do this is to listen to how their jobs impact the business.
• Practice strong privileged access security. Protecting privileged accounts from cybercriminals and internal abuse is the best way to protect important business systems and sensitive data. This typically includes password rotation, auditing, session launching, monitoring usage and enforcing the principle of least privilege.
• Consider multifactor authentication. A password should never be the only thing protecting privileged access and it is important to use additional security controls that make it more difficult for cybercriminals and enabling frictionless multifactor authentication can be one of the best ways to achieve that.
• Improve password hygiene. Password hygiene continues to be one of the weaknesses within organizations and by providing employees with password managers this helps reduce the potential risk of employees reusing passwords and helps in creating complex passwords for each account.
Simple and easy to use is the best way to success.
The future success of cybersecurity is making it simple and easy to use. The balance between productivity, ease of use and security is with dynamic security building trust between people and technology. Zero Trust is a starting point but should not the goal; Zero Trust allows a company to start creating the building blocks of trust. An important part of Zero Trust and least privilege is limiting administrative credentials, protecting and securing privileged access ensuring that only authorized users can use them while satisfying security controls including auditing the usage.
The time has come to stop focusing on cybersecurity only and focus on business risks.
