‘Improving cybersecurity’ showed the biggest increase in priority of all business issues among CIOs between 2017 and 2018, ranking higher than cost savings, improving time to market and better engagement with customers. The reason is digitisation. With IT now touching virtually every aspect of the value chain, the cyber responsibilities of today’s CIO are simultaneously more challenging and integral to business strategy than ever before.
Cisco threat researchers block 20 billion threats each day. But the problem isn’t just volume. Hackers are now using a wider range of malicious methods to steal or destroy businesses’ data, or hold it to ransom. Each cybersecurity threat poses its own type of risk, and prioritising threats successfully means understanding what could have the highest financial and reputational costs.
Fifty percent of global internet traffic was encrypted in October 2017, up 12 percentage points from November 2016. While this is a step in the right direction, criminals are already adapting to weaponise these security measures, turning this good news into a bad omen for consumers and businesses around the world. Cisco threat researchers detected a three-fold increase in malware lurking on encrypted networks in 2017.
Hackers are also finding ways to execute malware on systems that use sophisticated sandboxing environments to keep potentially harmful software away from important data and processes. For example, hackers in 2017 developed malware that hides in documents, waiting to infect the computer when the document is closed. Cisco discovered 38 percent of malicious payloads were in Microsoft Office documents, followed by 37 percent in archive files such as .zip and .jar, and 14 percent in PDFs. This technique evades sandboxing environments if files are only checked while they’re open. To protect your infrastructure against this threat, use a sandbox that analyses file metadata, which will identify files that trigger a command when the document is closed.
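A static check for the close-triggered behaviour described above, as an added example that is not part of the original article or any Cisco product. It assumes the VBA macro source has already been extracted from the Office document, it inspects that source rather than file metadata, and the sample macro text is constructed.

```python
import re

# Handlers that Office runs when a document or workbook is closed.
CLOSE_HANDLERS = {
    "autoclose",             # Word, legacy auto macro
    "document_close",        # Word, ThisDocument event
    "auto_close",            # Excel, legacy auto macro
    "workbook_beforeclose",  # Excel, ThisWorkbook event
}
# Calls that start a process or create an automation object (heuristic, not exhaustive).
COMMAND_CALLS = re.compile(r"\b(Shell|CreateObject|GetObject)\b", re.IGNORECASE)
SUB_START = re.compile(r"^\s*(?:(?:Public|Private)\s+)?Sub\s+(\w+)", re.IGNORECASE)
SUB_END = re.compile(r"^\s*End\s+Sub\b", re.IGNORECASE)


def find_close_triggers(macro_source):
    """Return one finding per close-time handler in already-extracted VBA source."""
    findings, current = [], None
    for lineno, line in enumerate(macro_source.splitlines(), start=1):
        if line.lstrip().startswith("'"):      # skip whole-line VBA comments
            continue
        start = SUB_START.match(line)
        if start:
            name = start.group(1)
            is_close = name.lower() in CLOSE_HANDLERS
            current = {"handler": name, "line": lineno, "calls": []} if is_close else None
        elif SUB_END.match(line):
            if current is not None:
                findings.append(current)
            current = None
        elif current is not None:
            # Record command-style calls made inside the close handler's body.
            current["calls"] += COMMAND_CALLS.findall(line)
    return findings


# Constructed sample: only Document_Close runs after an open-time check has finished.
SAMPLE = '''Private Sub Document_Open()
    MsgBox "Welcome"
End Sub

' runs only after the user closes the file
Private Sub Document_Close()
    Shell "placeholder-command"
End Sub

Sub FormatTable()
    Shell "notepad.exe"
End Sub
'''

if __name__ == "__main__":
    for finding in find_close_triggers(SAMPLE):
        print(finding)
```

A handler that appears in the findings with a non-empty `calls` list is the case an open-time-only sandbox would miss; the unrelated `FormatTable` macro is not reported because nothing runs it on close.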
Ransomware can spread without needing users to open malicious attachments. Last year, ransomware program WannaCry hit over 200,000 machines and affected thousands of companies and institutions. A single unprotected workstation can be all it takes to spread a worm across entire networks.
Some malware hides on networks without causing obvious damage. Crypto-hacking malware – so named because it was designed to mine cryptocurrency – infects devices to steal computing power while hiding in plain sight. The Mirai botnet has hijacked thousands of IoT devices since 2016, launching DDoS attacks that have crippled the likes of Netflix, Twitter, GitHub and Reddit.
Ransomware is no longer just about making money. Some bad actors are more interested in the destruction of systems and data, and criminal syndicates are now branching into cyber because of high rewards and low costs. The threat is real enough to make 77 percent of CIOs feel that, of the various types of digital warfare, organised cybercrime gives them the most cause for concern, up 8 points since 2016.
Compounding the cybersecurity challenge for IT leaders is the fact that billions of devices are now connected as part of the IoT. A third of all vulnerabilities discovered by Cisco researchers in 2017 were specific to IoT devices. Any unmanaged sensor, security camera or wearable tech can become an exploitable endpoint. These unguarded smart devices can be the entry point for a far-reaching cyber attack. DDoS attacks, which typically aim to take down critical online services by targeting them from multiple hosts, could therefore morph into ‘Denial of Things’ attacks, exposing sensitive data, damaging reputations, and forming a lasting mistrust in the minds of customers and partners.
One challenge CIOs face when considering how to prevent this kind of network-based attack is how to deal with the overwhelming amounts of data in play. Cloud-based security is one solution – 70 percent of CIOs say they’re making investments in cloud tech in 2018. For example, Cisco’s cloud-based security product Cognitive Threat Analytics uses machine learning to discover threats on its own by constantly learning and adapting to suspicious symptoms, rather than merely chasing specific methods of attack. This type of solution can work wonders when used on your own network, but it’s becoming ever more important to consider the practices and policies of others in the value chain, including third parties.
'AI can potentially help us stay ahead of cybersecurity threats by managing challenges like persistent changes in technology environments at scale and following patterns to comprehend and anticipate intent.'
Ronald van Loon, Top10 AI, Big Data, Data Science, IoT, Analytics, BI Influencer
Criminals have moved from directly targeting their victims to exploiting them through their supply chains. By compromising a trusted infrastructure or piece of software, they give themselves a stepping stone for directly attacking high-value victims. For example, in September 2018, Cisco Talos researchers discovered that CCleaner, a computer clean-up tool downloaded by 5 million people per week, had been compromised. 2.27 million people downloaded the malware backdoor hidden in CCleaner, 40 of whom – all employees of technology and IT enterprises – were then targeted through a second attack stage.
The incident made it clear that enterprises today are only as secure as their supply chains and that managing digital risk isn’t just about implementing new technologies. It also demands a shift in attitude, beginning with an understanding of the difference between cybersecurity and cyber resilience.
With cyber threats now coming from all sides, including organised gangs, insiders, spammers, competitors and even foreign powers, the challenge is no longer creating a security shield that blocks 100 percent of attacks. It should instead be assumed that attacks are inevitable, meaning the priority for CIOs and CISOs is to build resilience and response, instead of just protection. This means strategising around how to get the organisation back on its feet in the wake of an attack with minimal downtime and expense. IDC research shows that infrastructure outages can cost large companies $100,000 an hour, while the failure of critical applications could mean losing up to $1 million per hour, so the financial incentive is certainly there to accept the inevitability of attacks and plan accordingly.
The holy trinity of modern cybersecurity is people, policies, and technology. ‘People’ includes encouraging a culture of security within the entire organisation, ensuring that everyone understands that they have an individual responsibility to support the whole system. ‘Policies’ means clearly defining rules to manage threats and vulnerabilities, getting them approved by management and executing them consistently across all aspects of the company. And a big part of ‘technology’ involves layering security barriers and using automated systems such as AI to prioritise threats. Some threats can be handled by software, others can be auto-flagged for review by a cybersecurity team and some still require the expertise of trained specialists.
Assessments by the Cisco Advanced Services Security Advisory team showed that if an organisation were to use technology alone to remediate security vulnerabilities, they would only solve 26 percent of issues identified during attack simulations. Likewise, if policies alone were relied on, only 10 percent of issues would be resolved. And, in isolation, training of people would tackle a meagre 4 percent. It’s only when used in concert that these principles form a toolkit capable of anticipating, not just reacting to, increasingly sophisticated cyber threats.