The leaked memo from Facebook that defines the ‘normalising’ data leaks is a worrying development. In this feature, we consider if a shifting attitude to data leaks making these incidents just a consequence of doing business could reduce the effort companies make securing their systems and the data they hold about their customers.
Last month a leaked memo from Facebook that described how a new attitude to security breaches is needed was concerning reading. Shifting the view that a level of security incidents is a fact of life can diminish how cybersecurity is viewed, supported, and more worryingly, the mindset that some level of cyberattack is inevitable. GDPR clearly defines the role of the data controller. If businesses reduce their attention and the resources they allocate to cybersecurity defence, this could potentially place everyone’s data at risk.
Cybercrime has continued to expand, especially since the pandemic took hold. According to the COVID Crime Index 2021, three-quarters (74%) of businesses particularly in the financial services sectors have experienced a rise in cybercrime since the pandemic began, with 43% of banks and insurers revealing the remote working model has made them less secure. Adrian Nish, Head of Cyber at BAE Systems Applied Intelligence, comments: “Attackers are building increasingly advanced capabilities to target core banking systems and becoming more aggressive, harming victims’ ability to respond to attacks. Online criminals have reacted fast, adapting their approach to hunt out remote working security gaps and prey on the vulnerable.”
The heightened security awareness COVID-19 has bought to all businesses and organisations has meant a move to more robust security status. The expansion in the use of hosted services as workforces moved to mass remote working, added to the potential for security incidents. Derek Taylor, the lead principal security consultant at Trustwave, comments: “Privacy requires cybersecurity, but cybersecurity does not need nor imply privacy. Effective privacy and cybersecurity are possible predicated not just on the ability to protect, but also to detect and respond. There are reasonably agreed best practices globally on these, predicated on broader risk management approaches. Simply throwing up one’s hands and stating we cannot protect everything all the time and so breaches should be normalised demonstrates poor custodianship.”
Andrea Babbs, UK General Manager, VIPRE SafeSend, also stating to Silicon UK: “The Facebook statement is a very worrying coming from a business which holds the personal and business data of millions across its platforms. For such a large organisation to casually dismiss data leaks is startling, particularly in the wake of increasingly stringent regulations appearing globally.”
Babbs continued: “To give businesses an excuse to no longer invest time, money and effort in data security is a dangerous step in the wrong direction. Personal data is a very valuable currency and people are right to want it protected. For example, leaked medical conditions, credit card numbers or the personally identifiable information (PII) of politicians and other public-facing people. Leaking data such as these can have far-reaching consequences for both individuals and businesses.”
What is clear for all businesses is that they can’t normalise what security means for them. Being vigilant of the changing attack surfaces and the threat actors all enterprises now face, must be supported with adequate resources. But it’s maintaining a strong attitude with zero tolerance for less than comprehensive cybersecurity that must be constantly preserved.
Normalising security
The question then becomes, do we need to evolve what cybersecurity means in practice and what cybersecurity means as a mindset? The UK government has publicly stated that cybersecurity standards will be improved across all digital devices.
Commenting on the initiative, David Emm, principal researcher at Kaspersky‘s Global Research and Analysis Team, said: “The UK Government has long recognised the importance of securing smart devices, and in 2018 it introduced its code of practice for IoT security, setting out security standards for developers of such devices.
“The problem with voluntary standards, however, is that there’s no obligation for vendors to follow them, and it’s clear that many smart devices are developed without security in mind,” Emm continued. “We’ve all come to expect that everyday object – from children’s toys to furniture – will ship with certification marks indicating that they are physically safe, but developers of smart devices do little to secure digital equipment. The new legislation will force vendors to take steps to make smart devices more secure.”
If there is a ‘new normal’ of security, this must be expanded with heightened awareness. In addition, security should be everyone’s concern and not just the CTO. “Security is no longer a separate function left to specialists who ‘make the problem go away,’ but an ongoing board-level concern,” states Yaraslov Rosomakho, global solutions architect for Netskope.
“To address this concern, organisations can no longer rely on legacy static black boxes such as hardware firewalls, legacy proxies and on-premises sandboxes. Instead, they should look to implement cloud security services that dynamically adjust to the ever-changing threat landscape. Like cloud, cloud security has the ability scale upwards on downwards according to the needs of the business and can intimately integrate with business processes. They can take sensitivity levels of processed data into account as well as learned history of individual user behaviour when taking action or raising an alert.”
Businesses and organisations, then, should reinforce their security stance and not relax their approach. The pandemic has shown that cyberattacks can evolve rapidly and require a consistent and comprehensive approach to combatting these threats.
Digital security must evolve
As VIPRE SafeSend’s Andrea Babbs concludes, cybersecurity is ultimately everyone’s responsibility: “Cyber threats are only going to increase in sophistication and become more personalised to the individual by using social engineering attacks. We have already seen an increase in new threats, such as fileless based attacks. Attackers are going to continue to take advantage of current events, such as the ongoing pandemic, to trick users into clicking a link, downloading an attachment, or signing into a phishing website etc.
“Users have to become a part of the solution rather than the problem. To do this, businesses need to place cybersecurity as a priority throughout their processes and invest in the right tools and training to make this more of a business-critical solution and less of an ’emerging necessity’ as it is now.
Babbs concluded: “We can see some organisations already adapting to these changes, but they are the exception rather than the norm. Remote working is going to become the new normal, and as more organisations discover the advantages of home-based workforces, this new way of working brings with it a huge question around data access and security that needs to be resolved.”
The Facebook memo leak is a timely reminder that security in all its forms is central to the sustainability of all enterprises, no matter their size or market sector. Cybercriminals are a clear and present danger.
Silicon in Focus
Rick Jones, CEO at DigitalXRAID.
Rick Jones is the CEO and co-founder at DigitalXRAID; he has an impressive career spanning 20 years delivering cybersecurity strategies and network security architecture to large corporate businesses across the UK. Before launching DigitalXRAID, he ran a successful security consultancy where he honed his skills for developing and growing technology business and worked in the security teams at a number of high-profile telcos, including TalkTalk, 3, Ericsson and Orange.
In your view, is the ‘normalising’ of data leaks a worrying development?
“As data leaks become more commonplace, they begin to lose their sense of severity, and businesses will, unfortunately, take Facebook’s approach as a justification to do very little to mitigate further breaches. In fact, with only a few days of bad publicity, the repercussions of a data leak may seem very minimal on the surface.
“Yet falling victim to a breach could result in extremely damaging financial repercussions, not to mention the danger it puts customers in if their data is affected. In my view, fines, such as those imposed by the GDPR, for those organisations that do not take the necessary precautions to protect their customer’s data is one of the only solutions to ensure businesses understand the severity of the issue and recognise the immediate financial impact of complacency.”
Are businesses now at a point where digital security attacks have become so common; they are reticent about their abilities to combat them?
“Each company will take a different approach to digital security attacks depending on their size and the type of data that they hold. However, it often seems an unfair fight. Cybercriminals only have to succeed once to penetrate a company network, yet SecOps teams must successfully protect their systems at all times. For some organisations, one mistake could cost them large quantities of sensitive data and ultimately lead to a loss of reputation and revenue. The cybersecurity battle is constant, and both sides must continually innovate to succeed.
“It is a common misconception that cybersecurity has to be complex, which perhaps leads to businesses feeling reticent about their own ability to combat attacks. Yet the foundation of tackling the increasing threatscape is to understand the basics. Business leaders should get to know the data within their organisation – how it is used and the risks it poses as an extremely valuable resource. While everyone is looking for the silver bullet in network protection, it actually comes down to good education about basic cybersecurity and implementing an ‘always on’, 24/7 security strategy that can mitigate risks and detect attacks day or night. Hackers don’t sleep – so why should your defences?”
How has the pandemic changed the digital threat landscape businesses now have to navigate?
“The last 18 months have opened up various security holes for many businesses, specifically for those that rapidly sped up digital transformation initiatives to enable entire teams to work from home. According to research by Microsoft last year, two years of digital transformation took place in just two months. For those without the IT infrastructure in place to enable remote working, ad-hoc solutions were introduced that are often still in place today and are intended to support the hybrid workforce going forward. What’s more, educating individuals on evolving threats has become more challenging. At the same time, teams are dispersed, especially when it comes to digitally onboarding new staff and communicating the potential dangers they now pose to the business.
“Ironically, those that feared security issues within the cloud are now in a more precarious situation and lack sufficient cybersecurity to protect their business while teams are remote. Perhaps even more worryingly, the organisations that did introduce the cloud to support their shift to home working likely weakened their defence strategy with rapid migration and ignorance of potential security threats.
“While these accelerated digital initiatives may benefit a company’s business processes, they also benefit the cybercriminal, who now has more vulnerabilities to target. It is therefore important that company directors navigate this new normal by understanding the importance of an ‘always-on’ cyber defence strategy, with 24/7/365 network monitoring and threat detection to combat attacks.”
Do we need a new kind of cybersecurity as we move into a post-COVID business landscape?
“Moving into the post-COVID landscape, we do not need a new cybersecurity strategy – but we do need to change how we deploy it. While businesses should have always prioritised data protection, the reality is that many omitted to focus on data security as they navigated accelerated transformation programmes across the last 18 months.
“Organisations are now faced with the need to be more mobile and flexible with the way they protect their workforce and customers, especially as hybridity will take precedence moving forward. For example, instead of expecting every team member to connect to the LAN, businesses will need to prioritise VPN access instead. Security therefore remains a priority for many businesses, but the future lies in a constantly evolving security-first approach to suit the hybrid workforce.”
Are we entering a digital environment (AI, 5G, IoT etc. develop) that will need new security tools and approaches?
“With every new technological advancement comes new threats, and each technology – no matter how innovative – will harness some vulnerabilities that hackers will inevitably uncover and target. Yet, for the cybersecurity industry, this constant evolution of threats is not uncommon or unexpected. SecOps teams will continue to work with a ‘secure, monitor, test and prove’ approach, regardless of the technology at the centre.
“The IoT in particular will have a big impact on cybersecurity strategies, and it is crucial that consumers, manufacturers and businesses become cognisant of the real threat to privacy that the IoT and smart devices pose. With BYOD policies, and the growth in personal smart devices that now connect to company networks, cybercriminals will find opportunities to circumvent defences, pivoting from the personal device into an organisation’s internal systems. The larger the IoT grows, and the more expansive these networks of interconnected devices become, the bigger the threat vector. Knowing and understanding these risks is the first stage for security teams to begin mitigating them.”
Is the ‘new normal of digital security’ closely linked to how businesses have changed their processes and how they organise their workforces?
“The new normal of digital security and widened threat landscape is directly linked to the disruptions to business and the efforts made to achieve operational readiness post-COVID. As we all adapt to the hybrid way of working, it is, of course, essential that businesses prioritise flexibility and agility, but they must also continue with a security-first mindset and accept that there are now threats that were not considered prevalent before.
“For example, the ‘work from anywhere’ trend has not only made cybersecurity more complex, but also established physical security risks. Shoulder surfing is a type of social engineering that could become increasingly dangerous now that hospitality venues have re-opened and professionals may be working from public spaces, putting critical data and system passwords directly in the eye-line of those with nefarious intentions.”
Can we identify the potential digital security threats businesses might face in the future based on any current trends?
“Ransomware currently poses one of the biggest threats to businesses and it is certainly not going away any time soon. Recent reports from the BBC highlight the ‘urgent and aggressive’ action now needed to protect our schools, hospitals and businesses from ransomware. Yet, with half of all targeted UK organisations giving in to ransom demands – despite this being the opposite of what all cybersecurity experts will advise – it is clear that the first step in mitigation is better education. It is often phishing campaigns that act as the delivery mechanism for ransomware, and it is inevitable that the human workforce will continue to make mistakes. We, as employees, represent weak points within the cybersecurity chain, especially if the level of education on cybersecurity in businesses remains as low as it is currently.”
“As technology advances and 5G speeds up the movement of traffic, data breaches will also become a central issue for many industries. Companies that have always worked within IT are currently better positioned to integrate other technologies, as they already understand that they are targets for cybercrime. However, industries that are only recently adopting IoT technology and innovative digital solutions often don’t yet comprehend the danger that cyber-attacks pose, and they are likely ignorant to why and how they will be targeted.
“In fact, if an organisation harnesses data of any kind or implements any technology, cybercriminals will identify them as a potential target. Ransomware, phishing attacks and data breaches will all continue to pose serious risks in the future and every industry needs to be prepared with the correct knowledge and technology to protect their networks, their customer data and their workforce.”