The growing success of cyberattacks risks creating the impression that organisations are powerless in the face of criminality. In fact, organisations can reduce their exposure by paying attention to basic security rules while bearing in mind that the most dangerous threats will continue to evolve in ways that require constant reassessment.
Here we explore the risks that organisations are most likely to face in 2021 and we suggest some ways that these risks may be countered.
Threats and risks to watch for in 2021
Ransomware extortion
A big ransomware trend of 2020 was the evolution from simply encrypting data to stealing it first and then threatening to release it publicly, so-called double extortion. For any organisation this ups the ante, turning a disruptive outage into a notifiable data breach that carries huge reputational risk, and it means that good backups, while still essential for recovery, no longer address the whole problem. Even if a ransom is paid, there is no guarantee that the stolen data won't be sold on or released at some future point. Fuelled by ransomware-as-a-service, a model that lets mainstream criminals rent the malware rather than write it, this tactic is likely to become common in 2021.
Home working
The pandemic of 2020 has supercharged the trend for organisations to offer home working as an option. Although less pronounced among small businesses, even a small increase in remote working creates cybersecurity challenges, starting with the technical difficulty of securing both devices and data in a home environment, where a single mistake can give an attacker a foothold behind the company firewall.
Secure collaboration
Many organisations now rely on software such as Microsoft Teams, Zoom and Slack to make remote working possible, without considering the risk these tools carry: they handle sensitive data in chats and shared files, and their user accounts must be secured against external compromise just like email. Securing them involves a learning curve and needs early intervention and ongoing oversight.
Vulnerable IoT/IIoT
Patching vulnerable software is already a full-time task, made more difficult by a steady stream of weaknesses in Internet of Things devices. As a recent report by security company Forescout confirmed, many of these are low-level flaws that are difficult or even impossible to patch. Organisations should resolve to buy only products with a defined patching process and a clear support lifecycle, and to segment any device that cannot be patched away from the rest of the network.
Cloud misconfiguration
Many SMEs have adopted public and private cloud services for storage and software development, creating new layers of risk. During 2020 there were numerous reports of cloud databases and storage buckets inadvertently left open to the internet, misconfigurations that attackers actively scan for and exploit quickly. More generally, public cloud storage requires organisations to trust the security of their service provider and the good behaviour of their own employees, while remembering that under the provider's shared-responsibility model the access configuration of each service remains the customer's job.
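The "left unsecured" case above usually comes down to an access policy that grants rights to everyone. The following added example (not code from the original article) checks an AWS S3 bucket policy for Allow statements with a wildcard principal. It assumes the organisation uses S3 and the standard IAM policy JSON format; the bucket name, account ID and role name in the constructed sample policies are placeholders.

```python
import json

# Constructed sample: a bucket policy that grants anonymous read of every
# object and a listing of the bucket, i.e. the "inadvertently left open" case.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"],
    }],
})

# Constructed sample: the corrected policy. Read access is limited to one
# role in the account (placeholder IDs), and the only wildcard statement is a
# Deny that blocks unencrypted transport, which grants nothing.
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-data/*",
        },
        {
            "Sid": "DenyUnencryptedTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Constructed sample: a wildcard grant narrowed by a Condition (here a VPC
# endpoint, placeholder ID). Not public, but it needs a human to confirm that.
CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnlyRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-data/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})


def _as_list(value):
    """Policy JSON allows a scalar or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal) -> bool:
    """True if the Principal element grants to everyone, anonymous users included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_grants(policy_json: str) -> list:
    """Return every Allow statement whose Principal is a wildcard.

    Each finding records the Sid, the actions granted and whether a Condition
    is present. An unconditioned wildcard Allow is public; a conditioned one
    is flagged for review, since the condition may or may not limit who can
    use it.
    """
    policy = json.loads(policy_json)
    findings = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(statement.get("Principal")):
            continue
        findings.append({
            "sid": statement.get("Sid", "<no Sid>"),
            "actions": _as_list(statement.get("Action")),
            "conditioned": bool(statement.get("Condition")),
        })
    return findings


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("locked", LOCKED_POLICY),
                         ("conditioned", CONDITIONED_POLICY)):
        print(name, public_grants(policy))
```

Two limits are worth stating. A bucket policy is not the only way S3 grants access: object and bucket ACLs can also make data public, so the account-level Block Public Access setting should be on regardless of what this check reports. And a conditioned wildcard grant is reported, not judged, because only some condition keys restrict the caller.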
Phishing spoofing
If a phishing email reaches an employee's inbox, the chances are it was sent or relayed from a legitimate but compromised domain, mail server or cloud service that was not on any block list, which also means that sender-reputation checks, and even SPF and DKIM, will pass. Combined with more precise targeting, such tactics explain why phishing remains hard to detect. The last year has also seen a rise in smishing (SMS phishing) targeting business and personal banking accounts with convincing-looking financial alerts.
How can organisations counter these cybersecurity risks?
While there’s no single fix, organisations can nevertheless reduce their exposure by sticking to a basic set of simple principles, technologies, and best practice.
Multi-factor authentication (MFA)
An underlying issue in many of the risks already mentioned is over-reliance on passwords. Many of them can be mitigated by adding a second authentication factor, the single technical upgrade that has consistently been shown to improve account security. Today too many companies use MFA in some contexts but not others: the VPN is protected, say, while webmail, collaboration tools and cloud consoles are left on passwords alone. Any second factor, even basic SMS 2FA, raises the bar for attackers and should be treated as a minimum rather than a maximum protection. SMS codes can be intercepted or diverted by SIM swapping, so prefer an authenticator app or a hardware key where the service supports it, and extend MFA to every login that is reachable from the internet.
Data encryption
Encryption tends to be employed where compliance demands it, for example full disk encryption on laptops in financial services, or to meet standards such as PCI DSS. However, there is a growing realisation that encrypting all data at rest, on devices as well as servers, gives organisations a big security upgrade, immediately limiting the exposure from a lost laptop or a stolen or discarded disk. Ideally the encryption should travel with the data, so that it still applies when a file is moved or copied, including to the cloud. Be clear about the limit, though: disk encryption protects data only while the device is powered off or locked, and does nothing against an attacker who has compromised a running, logged-in machine, which is why it complements MFA and patching rather than replacing them.
Patching vigilance
Patch management best practice tends to assume that an organisation manages a single internal network. Home working and bring your own device (BYOD) are trends that challenge this assumption. Organisations need to remember that the edge of their network is wherever their data and applications are used, including shared home devices that may not have been patched against known vulnerabilities. In practice that means keeping an inventory of every device that touches company data, enforcing automatic updates on the devices the organisation manages, and deciding up front whether unmanaged devices get access at all.
Penetration testing
Penetration testing comes in many forms, but even a basic service can give smaller organisations insight into specific vulnerabilities or weaknesses. The government-backed Cyber Essentials scheme is a useful starting point: the basic level is a self-assessment against five technical controls, while Cyber Essentials Plus adds an independent technical assessment, including vulnerability scanning of internet-facing systems and of devices inside the network.
Ensuring staff are prepared and remain vigilant
Despite the high-tech threats and security risks presented by hackers, they are far from your biggest threat. In our free guide we explain why hackers aren't your greatest threat and go into more detail on the measures you can take to protect your organisation. One of the key measures is to make staff aware of the risks and to train them properly to spot an attack and avoid becoming a victim.
We have produced a couple of low-cost, easy-to-understand e-learning courses that businesses can make available to their staff. Both our Cybersecurity Awareness course and our Phishing course provide insights and guidance that may prove invaluable in the battle against cybercriminals.
Implementing an Information Security Management System (ISMS)
By implementing an ISMS you can reduce your organisation's exposure to cybercrime, minimise costs and limit the impact if a breach does occur. An ISMS relies on aligning three key areas, people, processes and technology, to implement best practice for protecting your organisation and for complying with applicable laws such as GDPR.
Successful deployment of an ISMS not only helps protect your organisation; it can also open up new business opportunities, since businesses commonly require their partners and suppliers to demonstrate their ability to resist cybercrime. This is especially true if you handle their customers' data.
Having your ISMS certified to ISO 27001 by a UKAS-accredited body provides government-backed assurance that your organisation has been assessed to internationally agreed standards, which provides business owners, their staff and customers with confidence that their data is appropriately protected.