In January 2021 the World Economic Forum published the Global Risks Report, its annually depressing read of things that can and might go wrong with the world.
Among the highest-likelihood risks of the next ten years were digital power concentration, digital inequality and cybersecurity failure. It is worth remembering that back in 2006 the same report warned that ‘lethal flu, its spread facilitated by global travel patterns and uncontained by insufficient warning mechanisms, would present an acute threat’. So the report is definitely one worth taking seriously.
The Covid-19 crisis accelerated digitalization in ways nobody could have predicted, according to research from McKinsey. Consumers have headed online in their droves and companies have responded rapidly. Video has replaced coffee-shop meetings and conferences, and cloud accounting solutions have seen a boost. Companies moved 40 times faster than they thought possible before the pandemic to implement remote working solutions.
The cybersecurity implications are eye-watering to consider, but cannot be ignored – particularly in light of recent cyberattacks, including one that shut the largest U.S. gas pipeline and jeopardized supplies to major U.S. cities. There is also risk from software bug-related internet outages, like the one at infrastructure provider Fastly that knocked out many of the world’s biggest websites. Incidents like this highlight how much more vulnerable we become as digitization increases. Research from SEO agency Reboot suggests that the Fastly outage could have cost Amazon as much as $32 million in sales.
The first is phishing – attempts to obtain sensitive information, such as usernames, passwords, credit card numbers or other confidential details, by posing as a trustworthy entity in a digital communication. Secondly, there is ransomware – a type of malware that employs encryption to hold a company’s or individual’s information to ransom. And thirdly, business email compromise (BEC) is a cyberattack involving the hacking, spoofing or impersonation of a business email address.
“Ransomware and business email compromise have been increasing over the past few years,” says Norman. “So far this year we are getting four times as many reports from our US customers experiencing significant attacks, and across many industries. The dollar amount of ransom is creeping up too, making it difficult for some businesses to recover control and resume normal operations.”
There are multiple risks contributing to the rise in incidents. The advent of ransomware as a ‘service platform’ makes it easy for unskilled bad actors (those with criminal intent) to seek a high return on investment by renting ransomware platforms to target vulnerable companies. “The fact that ransom is being paid emboldens the threat actors to execute more ransomware campaigns,” says Norman. Colonial Pipeline paid $4.2 million in ransom after significant disruption and concerns for public safety.
The number and severity of software vulnerabilities is also growing. Because ransomware platforms are not overly sophisticated, the main challenge is simply to patch known vulnerabilities. Much of the ransomware relies on poor security hygiene – unpatched vulnerabilities, misconfigured software, insecure network protocols, unnecessary network ports left open, insecure coding practices, or users failing to recognize phishing attempts.
More recently, Norman Comstock says he has seen small banks, law practices, healthcare and manufacturing clients hit with BEC. “Our forensic review revealed that their Microsoft 365 mail had been compromised primarily because multifactor authentication was not configured or inadvertently disabled. Customers using Microsoft 365 mail should review their configuration and turn on multi-factor authentication to reduce BEC risk.”
Data and system backups are also worthy of close attention. “Whether backups are done on premises or to the cloud, all companies should verify that their backups are periodically tested to ensure recovery. This will minimize costly exposure and perhaps the need to pay a ransom,” he says. To make matters worse, none of these risks is diminishing. In fact, reports suggest that hackers are getting smarter.
While many accounting firms, consulting firms, and IT vendors offer some aspect of triage to identify security risk, small and mid-sized businesses often do not have dedicated security teams. This means they rely on products and third parties to help identify risks and implement protective technologies.
“What is generally missing or ineffective in this approach,” says Norman, “is the personnel, technology and process to detect unexpected network, account, or system activity.” And naturally, the slower the detection, the slower the response. But, he adds, “The response should involve investigation, confirmation, communications and corrective actions to disrupt hacking activities. This is critical, as protective controls are fallible and detective controls may be under resourced, leading to undetected and unresolved hacking activity and longer and costlier recovery.”
Poor governance, in the form of incomplete information security policies, combined with users who are not security conscious and make errors, is the main reason for cybersecurity breaches. Businesses are seeing wide-ranging threats, including data theft, financial loss after ransomware attacks, system disruptions that cripple operations, and reputational damage once news of an attack reaches the public.
UHY's cybersecurity expertise means clients can benefit from the latest advice, tools and implementations, including the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework, a voluntary framework of standards, guidelines and best practices for managing cybersecurity risk across five key functions – identify, protect, detect, respond and recover.