Member Article

How Cybersecurity Awareness Shifted in 2021

Cyberattacks are no longer the esoteric concept that people have heard about but rarely experienced firsthand. With the National Cyber Security Centre (NCSC) recently revealing that it has defended the UK from a record number of cyber attacks in the past year, there is growing recognition that these events are more commonplace and more impactful than ever.

Take, for example, the major ransomware attack on the Health Service Executive (HSE) of Ireland in May - an event which caused all of its IT systems nationwide to be shut down and marked the largest known attack against a health service computer system to date. The attack had real-life consequences, with dozens of hospitals affected and appointments and surgeries needing to be postponed.

There is no doubt that organisations of all sizes across all sectors need to take cybersecurity seriously and bolster their defences to adequately protect themselves against attacks. So how has cybersecurity awareness changed in 2021? And what are the lessons for businesses in 2022?

Critical Infrastructure Security

The NCSC’s 2021 Annual Review revealed that it had dealt with an unprecedented 777 cybersecurity incidents over the last twelve months with around 20% of organisations supported linked to the health sector and vaccines. The NCSC’s world-leading services protected NHS, healthcare, and vaccine supplier IT systems from malicious domains “billions of times”.

As our critical infrastructure and key services become increasingly interconnected, the threat to the systems we rely on for our health, power, and national security increases in tandem. The cyberattack on the leading US pipeline operator, Colonial Pipeline, earlier this year should serve as a stark warning to the UK after it closed down half of the US East Coast’s fuel supply, sparking increased gas prices and nationwide shortages for millions of consumers.

With ransomware attacks in the UK doubling over the past year, the risk to critical services goes beyond costing money; they put human health and lives at risk.

Mistakes Can be Just as Catastrophic as Malicious Attacks

Faced with improved security defences, 2021 marked the year that cybercriminals increasingly turned to zero-day exploits and other vulnerabilities such as mistakes made by end users or IT personnel in order to access private systems and devices.

Dozens of organisations using Microsoft Power Apps, including high profile multinational corporations and government agencies, unintentionally exposed 38 million records in August including personally identifiable information such as COVID-19 tracing data. The root issue was in the PowerApps API which, until recently, had been configured to “expose records for display” by default—unless IT personnel disabled it.

More recently, in October, a server misconfiguration combined with a lack of network segmentation enabled cybercriminals to compromise streaming platform Twitch and leak 125GB of company data.

These are merely examples of the attacks that are becoming common every week. No organisation or company is too small or too insignificant for attackers. There is clearly always a cost associated with these attacks, be it financial, reputational, legal or privacy-focused.

Businesses Have as Much to Lose as Their Customers

It is often forgotten that customer personally identifiable information (PII) isn’t the only private asset cybercriminals are interested in accessing. Indeed, digital intellectual property (IP) and other confidential business information is just as valuable - in many cases, even more so.

While creators’ login credentials and financial details weren’t exposed in the recent Twitch hack, their earnings on the platform dating back to 2019 were. However, Twitch itself arguably suffered far greater harm than its creators. Cybercriminals successfully obtained a wealth of digital IP including source code, internal red-teaming tools, proprietary SDKs and AWS services.

Given this, there is a case for businesses being ‘in it together’. Indeed, in 2021, we have seen how companies can share information within their sector to help thwart active threat campaigns. The fact that additional pipeline companies weren’t hit following the Colonial Pipeline breach signals this type of backchannel information sharing that exists within certain sectors. Sharing cybersecurity intel in this manner, without disclosing trade secrets, is a critical component to staying protected from new and emerging threats.

The Fragility of the Supply Chain

Typically, the larger the organisation, the tighter the cybersecurity needs to be. For cybercriminals targeting larger companies, it is a popular tactic to compromise a softer target further down the supply chain in order to access their ultimate goal. This is an unfortunate side effect of an age where even medium-sized companies have hundreds of third-party systems within their IT ecosystems.

In the UK over recent weeks, we have seen very clearly the immediate and far-reaching impacts of the supply chain crisis. Whether in the shortage of truck drivers prompting panic-buying at fuel stations, or the very immediate ramp up of goods stockpiling UK businesses are needing to do to cope with shortages during the festive season, never has the UK’s supply chain system been so stretched.

We have seen that it only takes one component to suffer for the entire chain to be knocked out, triggering a ripple effect on our everyday lives. Considering the extent of the existing problem, a full-scale cyber-attack on our supply chain has the potential to cause major damage.

Many aspects of security awareness are universal and timeless - such as the dangers of clicking on links in dodgy emails. However, with a threat environment that is continually evolving it is critical that security awareness training keeps pace. Employees’ knowledge of cybersecurity risks also fluctuates, thus training must be an ongoing process to remain effective. Security tools must be designed with users in mind: they must be simple and intuitive to be effective. If we can achieve this efficiently, our critical infrastructure will be in a much better position to combat a threat landscape that is progressively becoming more complex and complicated.

This was posted in Bdaily's Members' News section by Darren Guccione, CEO & Co-Founder, Keeper Security .