SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
People key to preventing cyber attacks in 2023 - SCC Cyber
Tue, 6th Dec 2022

With 2023 fast approaching, many business leaders will be looking at ways to prevent cyber attacks from happening. Over the last few years, a large percentage of attacks have been attributable to digitalisation, increased use of mobile phones and a lack of knowledge about types of attacks.

Paul Allen, practice director at IT-managed solutions company SCC Cyber, has put together a list of the top cyber security trends for business leaders to look out for in 2023.

Allen says strategic planning and resourcing take time to turn into operational excellence. 

"The process of establishing a baseline capability, understanding current vs. future state requirements is complex. The journey may not be an easy one. To be successful business buy-in is needed from the C suite down," he says.

"This is often most effectively carried out in conjunction with an expert 3rd party who can offer support and advice in the most appropriate form," says Allen. 

"This can be provided in simple terms around thought leadership, or as paid engagements."

Allen says a clear plan relating to Governance, Risk and Compliance must be developed, reviewed, and evolved. 

"This must include people and resource planning as well as strategic service providers, as these are themselves clear risks. Tracking milestones on the journey ensures progress can be reported back to the business sponsors."

People - Recruiting and retaining quality staff for an increasing number of cyber roles.

Allen says people are the greatest asset in any organisation. This is especially important within cyber security.

"Cyber threats are evolving and becoming more difficult to spot. This applies to professionals, and end users. As such, organisations need skilled and motivated staff importantly - who are listened to and engaged with, to counter threats," he says.

In any skills shortage, salaries go up as demand increases. If an organisation does not embrace the need for effective governance and practical application of cyber security, then staff become demotivated and have no problems finding a new job where they are valued.

Cyber Security is a team sport

While much is made of machine learning (ML) and artificial intelligence (AI), Allen says it is worth remembering that both capabilities are also used by attackers. So, it's not all good.

"The fundamental creation of effective cyber security defences is based on people, process, and then technology. Vendors will wish to say it's all about technology, but that would be too easy," he says.

"In my experience, getting the people and process right is harder and more important. Working with a managed service provider allows for the augmentation of people and processes to achieve maturity much more quickly."

Allen says this need for skilled staff will impact all sectors, especially those who have difficulty justifying higher salaries for their cyber security staff.

"Building a strategic plan that specifically addresses cyber security resource requirements over a two-year period will prove an important tool, this should be reviewed and updated quarterly.

"This plan will enable you to assess areas for internal growth and development, and the need for external recruitment to augment the skills and experiences you have or are building," he says. 

"This longer-term view is needed to ensure resilience in your teams, and responsiveness to evolving business risks."

Allen says that cyber professionals are increasingly seen as highly valuable, and as such want to feel valued. So, training and development plans help to reinforce that perception of value.

"It's also worth considering business continuity or succession planning for roles with skills that are particularly hard to find. Building strategic relationships with a service provider, who can take on responsibility for specific tasks or services is a good way to mitigate risk."

Ransomware / Extortion

While ransomware is still at the top of the trends, or risks, within 2022, attackers are increasingly resorting to more extortion-based attacks and leaving out data encryption, as this saves time, reduces complexity, and speeds up getting paid.

Extortion is a Ransomware attack without the encryption element. The data is exfiltrated and the owner threatened with exposure unless they pay a fee. Extortion is becoming more common as it's easier to carry out and requires the attacker to spend less time dwelling inside the victim's network.

"For attackers, they also work in teams. With many experts in initial access passing off their success to those who want to buy an open door into a business data repository," says Allen. 

"Extortion is just the same approach as Ransomware, but without the data encryption. The feedback I've had from Incident Response teams is that in this way it's easier for the attacker. They have proof they have a copy of your data they can release. By not encrypting you, it's easier to pay them quickly.

"Risk of ransomware and extortion can be reduced with a structured and consistent approach to cyber security. This must be as part of a maturity plan, with a method of tracking progress against defined objectives," he says.

"Staff training is at the centre of any plan, as should be appropriate internal processes aimed at mitigating the risks of an attack.

"Lastly technology, looking at email security, internal governance and backup to ensure the confidentiality, integrity, and availability of data."

Artificial Intelligence, and Machine Learning

Allen says skilled staff are in short supply and are expensive to recruit and retain. 

"There is a huge pressure to defend better and be more dynamic and agile in our methods of cyber security. Using ML and AI (if you have the appropriate specialist skills and data to create the data models) can be a game changer," he says.

"The downside is you need people with the skills and defined governance (People & Process). This direction of travel is for organisations with mature policies and governance. Not those chasing a quick win. The whole engagement must be about reducing business risk, with clear outcomes. Otherwise, you will end up with expensive technology to implement and maintain, and no credible benefits.

"So, my first recommendation is to ensure you have a firm foundation of cyber security governance and capability. (Do the simpler things well)," says Allen.

"By using a framework such as NIST, it's possible to understand internal maturity and capability, onto which more advanced capabilities can be applied."

Can Intelligence and Automation reduce the pressure on people?

"Working smarter with machine learning (ML) and artificial intelligence (AI) can address the challenges of staff recruitment and burn out due to a high workload," Allen says.

"ML and AI enable huge volumes of data to be analysed on a continual basis looking for anomalous activity. Data models are created that enable accurate searching of potentially huge data lakes of data to present results. Some things that might be out of the normal, that might be indicative of a threat.

"Decisions will be made based on thousands of elements, with risk scoring presented back to the analyst. This analytical process can be built into products or carried out as aggregated actions across multiple products," he says.

"With the addition of automation, it's possible to condense the amount of work analysts must carry out to get the information and context they need. The results have the potential to be highly effective."

The expansion of IoT

"The internet of things, or IoT, is an object that contains software, sensors, and a connection to a network or the internet. As you can imagine, this encompasses a huge array of technology at home and the workplace," Allen says.

"Almost everything you can buy in the consumer world has internet connectivity now. The connected world is upon us. Security by design for many is severely lacking. Manufacturers are looking to mass produce at the lowest possible cost of sale. As such common hardware and software is likely to be widespread. This is likely to mean that a single vulnerability can impact a wide range of products, including those that are totally unexpected.

"This has been highlighted in a range of published vulnerabilities and will continue to be an ongoing challenge in the commercial and public sectors, when it's possible to introduce organisational risk very easily," he says.

"Given that wide array of capability and the speed of development, IoT security standards and governance need to catch up with the reality from vendors. Governance will be addressed in forthcoming legislation."

Common risks and vulnerabilities can be outlined as:

Based on ineffective software development practice and version controls. Poor design standards and quality can mean it's easier for an attacker to compromise the device.
Lack of physical hardening.
Insecure storage and transmission of data.
Due to the relatively low cost of many IoT devices, they are often unmanaged, untracked, and isolated.
With the potential volume of mass-produced and insecure IoT devices, malware can compromise huge volumes of devices to create botnets of infected assets.

Specific IoT security tooling is available to firstly understand what devices exist within an organisation setting, and then consider what risk those assets pose. Building on this and integrating the capability into a wider monitoring solution allows for an ongoing view of threats.