By Sean Duca
Business emails with nasty surprises, attached
Businesses are quickly becoming cybercriminals’ favoured targets. Over US$ 12 billion worldwide has been stolen over the past five years due to business email compromise. As the theft of passwords and login details becomes increasingly common in enterprise environments, attackers have grown more confident and motivated, targeting small and large organisations by masquerading as partners or internal stakeholders – a pattern that will continue to plague businesses if they fail to adapt. This alarming rise in business email compromise underscores the increasingly diverse and sophisticated methods attackers use today, from mimicking corporate websites to targeting employees’ personal social media accounts to launch exploits. As attackers find increasingly crafty ways to bypass internal checks, will 2019 be the year businesses beat cybercriminals at their own game? Doubtful!
Where possible, businesses will need to assess their internal flow of information as well as implement more comprehensive checks and approval processes, especially with regard to the movement of resources. As we have seen, passwords remain amongst the weakest links in computer security – easy to steal, difficult to secure and offering little proof of a user’s identity. In response to this, 2019 will see measures such as two-factor or multi-factor authentication and biometrics become increasingly commonplace.
Supply chain will be your weakest link
The digital age has helped break down barriers to create an interconnected, global supply chain, making it very easy for businesses to tap suppliers and outsourced services from around the globe. These links, including the sharing of data and networks, have empowered organisations to embrace new efficiencies through connectivity and analytics. However, this will also prove a boon to opportunistic attackers preying on weaknesses in existing security. These risks have become more apparent in the healthcare sector, where third-party connected medical devices – such as MRI and X-ray machines – plug in to internal networks daily, providing multiple new attack surfaces and vulnerabilities over which hospitals have almost no control.
Pinpointing and avoiding cybersecurity risks will soon be nearly impossible as the global supply chain becomes increasingly complex. Perhaps it is time for organisations in other sectors to start asking, ‘Do we know who or which individuals, organisations and other third parties have been connecting to our networks? Do you know which systems and services your organisation is dependent on?’
CSOs will need to look carefully at traffic within the network to ensure sensitive information is kept separate and secure, away from external devices and systems. As multiple unsecured devices connect to corporate networks, the internet of things, or IoT, can quickly become an ‘internet of cyberthreats’. Although the use of certain third-party apps and connected devices may be unavoidable in many cases, businesses and organisations need to pay more attention to internal security standards around the procurement of such devices or services. This includes ensuring that firmware and applications are always up-to-date, and login configurations should be changed from the default configuration. If third-party systems and devices reside on your network, apply a Zero Trust mode to inspect and verify all traffic by placing them in a zone which only allows approved users and apps to communicate with them. In 2019, an unsecured connected device could serve as a gateway for attackers as easily as any computer or smartphone.
Data protection legislation gains ground in APAC
As Asia-Pacific countries pledge greater cooperation with cybersecurity initiatives, the move towards formalising data protection frameworks seem inevitable. Countries like Australia and Singapore have taken the first plunge, and others in the region will soon follow as they wake up to the urgency of national security and data protection for their citizens. As digital maturity varies across the region, the framework for these countries to roll out their own version of GDPR could take some time to develop, and the path ahead is not straightforward. However, 2019 could be the year many countries take the first steps towards protecting their citizens’ data.
In India, there have been serious discussions around the subject of data protection laws. In fact, India is now close to having its own legislation the proposed Personal Data Protection Policy 2018.
The European Union’s General Data Protection Regulation has served as a clarion call for organisations in the APAC region to pay attention to the data they collect and store. Businesses in this region can use the GDPR as a baseline to assess current gaps in compliance and help determine their overall prevention posture. It may take several years before a similar region-wide framework emerges in APAC, but businesses can use the GDPR’s policies as a way to start minimising unnecessary personal data collection, which could help minimise risks and exposure in the process.
Forecast for 2019: Cloudy skies ahead
This app-powered era is thriving partly because of cloud computing, which has become a go-to resource for businesses looking to deliver new products and services without bearing hefty initial investments in compute resources. Cloud computing helps simplify a few areas of security, but it also presents newfound challenges. Implementing a cloud computing strategy often means that mission-critical data and systems will sit with third parties. These assets will need to be securely stored and transmitted, and only accessible to authorised personnel is of utmost importance. The security of the cloud is not the sole responsibility of the cloud service provider; but is shared with enterprises that also must grapple with the security of data, applications, operating systems, network configurations and more. This intertwined ecosystem has made security a much more complex undertaking, especially for organisations already dealing with the difficulty of finding cybersecurity talent and making sense of the many point products available in the market today.
With the speed at which enterprises are moving to innovate and deliver new services, all while dealing with a complex web of compute resources, it’s easy to let the discipline required for security slip. DevOps can help speed development, but it can be challenging to get and keep security in place, especially in the transition from traditional IT management to DevOps.
To succeed, enterprises must ultimately have the processes, technology and – most importantly – people in place to keep systems adequately secured.
It is critical to remember that legacy security systems, made up of various point products, have proven inadequate to prevent the rising volume and sophistication of cyberattacks. Too many security tools depend heavily on manual intervention, which can’t enact new protections quickly enough to have a meaningful impact on ongoing, targeted attacks. Reducing cyber risk requires having integrated, automated and effective controls in place to detect as well as prevent threats, known and unknown, at every stage of the attack lifecycle.
We’ll finally realise what makes Critical Infrastructure so critical
More than just a catchall term to describe public infrastructure and resources, the definition of critical infrastructure (CI) today has evolved to encompass other essential sectors, such as banking and financial services, telecommunications and the media. As CI goes digital and automated, cross-pollination between corporate and industrial networks has made them easier targets for cybercriminals. This is especially dangerous as industry systems such as supervisory control and data acquisition (SCADA) and industrial control systems (ICS), which are critical to the energy, water and public transport sectors, often rely on legacy and unpatchable systems.
The UK’s National Cyber Security Centre has already warned that a cyberattack in the UK is inevitable, potentially taking aim at the elections and CI targets. This view has been echoed by the World Economic Forum Global Risk Report 2018, which has identified cyberattacks as a top cause of disruption globally, coming only after natural disasters and extreme weather events. How will Asia prepare itself in 2019?
Thus far, infrastructure owners have primarily focused on the confidentiality of information and overlooked the other two principals of information security: integrity and availability. This will be especially crucial as countries in the region adopt industry 4.0 technologies (e.g., machine learning for autonomous vehicles). These innovations will rely on telemetry and always-on connectivity, putting the lives of the public in the hands of systems that rely on accurate and accessible data. As a start, CI owners, both public and private, will have to put in place Zero Trust systems and ensure the segregation of access.
Perspectives about compliance need to change as well. CI owners must move away from a compliance-driven approach to security, towards a stance that live and breathes security. Regulators and owners can co-create a regulatory framework that works for both, while cultivating a security-first approach to designing and maintaining all CIs. Think less “tick and flick”, more “secure from the start”.
(The author is the Vice President and Chief Security Officer, Asia Pacific at Palo Alto Networks)