The New Year is here, and we wanted to consider the state of cyber resilience as we move into the last year of the second decade of this century.
In this piece we’ll examine:
- why cyber resilience is the future of cybersecurity in 2020
- greater questioning over the value of the Internet of Things
- why an even greater cybersecurity threat may come from within
New Cyber Resilience Initiatives Supported By The UK Government
From the 17th to 23rd February 2020, Cyber Scotland Week takes place with the aim of promoting:
- personal and corporate protection from online and social engineering crimes,
- innovation to maintain a competitive advantage in the field, and
- growth in the numbers employed in the cybersecurity sector and in their knowledge and skills.
We see this as a very positive development, as indeed are all government-launched initiatives to protect citizens and corporate entities against the threat posed by cyber criminals. The CyberUK 2020 event covering England and Wales takes place on the 19th and 20th of May at the ICC Wales in Newport.
“Cyber resilience is the future of cybersecurity”
In a very well-researched and engaging white paper, consulting firm Marsh & McLennan Advantage pointed out that “the rise of cyber attacks is far outpacing the level of investment in protection from cyber threats” highlighting a 33% rise in the incidence of attacks against a 10% increase in investment.
In fact, the only investment outpacing expenditure on cybersecurity is investment in cyber insurance, which was expected to grow at a compound annual rate of 20.1% from 2014 until the end of next year.
There are encouraging signs however that IT staff and outsourced partners are learning to work well and efficiently within these constrained budgets, set as they are against a backdrop of increased cyber-criminal activity.
Dwell time, defined as “the number of days an attacker is present on a victim network from first evidence of compromise to detection”, fell by 23% in 2018. Note that this figure can only ever describe intrusions that were eventually detected.
The authors conclude that most future cyber resilience investment should be directed at companies’ “human firewalls”, because, by their figures, 96% of all attempted breaches are currently either email cloning or phishing attacks.
For legal firms, technological investment will remain vital to overall cyber resilience, but staff training and education will continue to produce an impressive return on investment when set against the financial and reputational losses incurred through a successful attack.
More companies and individuals are questioning the value of the Internet of Things…
…in what are considered to be “dumb devices”. “I envision ransomware effectively targeting devices in homes in the next 5-10 years", Gary Davis, Chief Consumer Security Evangelist of McAfee, told Forbes.
In fact, in May 2019 the threat from insecure IoT devices was considered serious enough that the UK government began consulting industry and consumer groups on measures to ensure that products entering the market had “basic cybersecurity features”, including the introduction of an “approved security label”. This came despite a government that was evidently already alive to the problem having released the fourth version of its guidelines on the subject the previous October.
But will “basic cybersecurity features” be enough to provide protection to legal firms whose data is considered as one of the most valuable targets for cyber criminals to steal?
The number of attacks against connected IoT items increased threefold in the first half of 2018 compared to the same period in the previous year.
Princeton University tested 50 popular IoT products and found that, in general, they lacked standard encryption and authentication features, making them easy targets for experienced attackers. In fact, the Mirai botnet attack of October 2016 used around 100,000 insecure IoT devices to launch distributed denial of service (DDoS) attacks against the DNS provider Dyn, which in turn made CNN, Amazon, Netflix and Twitter unreachable for many users. Mirai recruited those devices simply by trying a short list of factory-default usernames and passwords.
When installing IoT devices on your premises, first consider whether each one is actually needed. For those that are, make sure that:
- you keep the software on the IoT devices up to date with any patches the manufacturers release, and retire devices the manufacturer no longer patches,
- every device sits behind a firewall, ideally on its own network segment so that a compromised camera or smart TV cannot reach the systems that hold client data, and
- you replace the manufacturer’s default password on every device with a strong password that is unique to that device, and change it again whenever you suspect compromise or someone who knew it leaves the firm.
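The third point is where Mirai succeeded, so it is worth checking mechanically rather than by eye. The script below is an added example, not part of the original article: it audits a constructed device inventory against a subset of the factory-default credentials hard-coded in the published Mirai scanner, and also flags passwords that are too short or reused across devices. The inventory, the minimum length and the device names are assumptions for illustration.

```python
"""Audit IoT device credentials against Mirai's factory-default list.

Added example, not from the original article. The inventory below is
constructed sample data; MIRAI_DEFAULTS is a subset of the roughly sixty
username/password pairs in the 2016 Mirai source, not the complete list.
"""
from collections import defaultdict

MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("root", "klv123"), ("Administrator", "admin"), ("service", "service"),
    ("supervisor", "supervisor"), ("guest", "guest"), ("guest", "12345"),
    ("ubnt", "ubnt"), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
    ("root", "system"), ("root", "dreambox"), ("root", "realtek"), ("root", "00000000"),
    ("admin", "1234"), ("admin", "12345"), ("admin", "54321"), ("admin", "123456"),
    ("admin", "meinsm"), ("tech", "tech"),
}
MIN_LENGTH = 12  # assumed policy minimum for device passwords


def audit_credentials(inventory):
    """Return a list of (device_name, finding) for every policy violation.

    inventory: iterable of dicts with keys "name", "username", "password".
    Checks: credential appears in the Mirai default list; password shorter
    than MIN_LENGTH; the same password used on more than one device.
    """
    findings = []
    devices_by_password = defaultdict(list)
    for dev in inventory:
        cred = (dev["username"], dev["password"])
        if cred in MIRAI_DEFAULTS:
            findings.append((dev["name"], "factory default credential (in Mirai list)"))
        if len(dev["password"]) < MIN_LENGTH:
            findings.append((dev["name"], f"password shorter than {MIN_LENGTH} characters"))
        devices_by_password[dev["password"]].append(dev["name"])
    # A password shared between devices means one compromise unlocks them all.
    for names in devices_by_password.values():
        if len(names) > 1:
            for name in names:
                others = ", ".join(sorted(set(names) - {name}))
                findings.append((name, f"password reused on {others}"))
    return findings


# Constructed inventory: device names and credentials are made up.
SAMPLE_INVENTORY = [
    {"name": "reception-camera", "username": "root", "password": "xc3511"},
    {"name": "meeting-room-tv", "username": "admin", "password": "Summer2019!"},
    {"name": "door-controller", "username": "admin", "password": "Summer2019!"},
    {"name": "print-server", "username": "svc-print", "password": "m4R#qz9!Lw2$pXo7"},
]

if __name__ == "__main__":
    for device, finding in audit_credentials(SAMPLE_INVENTORY):
        print(f"{device}: {finding}")
```

Run against the sample inventory, the camera is reported twice (default credential and short password), the TV and door controller are each reported for a short and a shared password, and the print server passes.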
Looking inwards as well as outwards for threats
It has traditionally been very difficult for the police and other regulatory authorities to accurately estimate the number of incidents of employee fraud each year, let alone to put a monetary value on the losses incurred.
According to NatWest bank, the figure is around £190m a year, with £88m of that caused by employees, just under half of the total. The average loss is estimated at £62,000 per incident.
No matter how long any of us have led a business, even in the legal sector, a confidence trickster can successfully pull the wool over your eyes and everyone else’s, because that is exactly what they are skilled at doing. Consider the cases of Dennis O’Riordan and Leanne Harris.
Employee fraud ranges from deception during the recruitment process, to stealing client money, to a departing staff member walking out with sensitive data to set up on their own or to take to a competitor.
There is no 100% guaranteed way of protecting yourself against internal fraud threats. However, there are plenty of steps you can take to mitigate risk including:
- vetting prospective staff members’ histories as thoroughly as possible before hiring (including asking any recruitment agency you use how it verifies candidates)
- restricting new members of staff’s access to sensitive personal, financial or medical information
- considering a data-sharing agreement with CIFAS (making sure that you secure an applicant’s or employee’s agreement to a Fair Processing Notice)
- introducing privileged access policies, preventative controls, and activity logging and auditing procedures, including a prompt routine for disabling the accounts of leavers
- assessing the security implications of any proposed new technology, technology service, software or app before it is introduced
- carrying out reviews at set intervals to assess supply chain risks
- a robust “Bring Your Own Device” policy which is fit for purpose and is enforced
- achieving Cyber Essentials certification
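Logging is only a control if someone reviews the logs. The script below is an added example, not part of the original article or any Sprout IT tooling: it reads a constructed document-management audit log and raises three of the insider-risk signals the list above points at, namely a new starter opening sensitive client matters, activity on an account whose owner has already left, and bulk downloads by one user in a day. The log format, the staff records, the path naming, the 90-day probation window and the download threshold are all assumptions for illustration.

```python
"""Review a document-management audit log for insider-risk signals.

Added example, not from the original article. The CSV format, staff
records, sensitive-path convention and thresholds are constructed; a real
system's export will differ and the thresholds should be tuned to the firm.
"""
import csv
import io
from collections import Counter
from datetime import date, datetime

PROBATION_DAYS = 90     # assumed: new starters get restricted access for 90 days
BULK_THRESHOLD = 50     # assumed: more than 50 downloads/user/day is suspicious
SENSITIVE_PREFIX = "matters/private-client/"  # assumed naming convention

# Constructed HR data: start date and (optional) leaving date per account.
STAFF = {
    "alice": {"start": date(2019, 2, 1), "left": None},
    "bob":   {"start": date(2019, 12, 16), "left": None},             # new starter
    "carol": {"start": date(2017, 6, 1), "left": date(2020, 1, 10)},  # has left
}

# Constructed audit log: one row per action, columns timestamp,user,action,path.
SAMPLE_LOG = """timestamp,user,action,path
2020-01-13T09:12:04,alice,view,matters/commercial/acme/contract.docx
2020-01-13T09:30:11,bob,view,matters/private-client/smith/will.pdf
2020-01-13T10:02:45,carol,download,matters/commercial/acme/ledger.xlsx
""" + "".join(
    f"2020-01-13T18:{i:02d}:00,alice,download,matters/commercial/acme/doc{i}.pdf\n"
    for i in range(55)
)


def review_audit_log(log_text, staff):
    """Return a list of (user, finding) strings for each signal raised.

    Signals: unknown account; activity after the account owner's leaving date;
    a user still inside PROBATION_DAYS touching a SENSITIVE_PREFIX path;
    more than BULK_THRESHOLD downloads by one user on one day.
    """
    findings = []
    downloads_per_day = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        user = row["user"]
        record = staff.get(user)
        if record is None:
            findings.append((user, "activity from account not in HR records"))
            continue
        if record["left"] is not None and when.date() > record["left"]:
            findings.append((user, f"activity after leaving date {record['left']}"))
        in_probation = (when.date() - record["start"]).days < PROBATION_DAYS
        if in_probation and row["path"].startswith(SENSITIVE_PREFIX):
            findings.append((user, f"new starter accessed sensitive path {row['path']}"))
        if row["action"] == "download":
            downloads_per_day[(user, when.date())] += 1
    for (user, day), count in downloads_per_day.items():
        if count > BULK_THRESHOLD:
            findings.append((user, f"{count} downloads on {day} exceeds {BULK_THRESHOLD}"))
    return findings


if __name__ == "__main__":
    for user, finding in review_audit_log(SAMPLE_LOG, STAFF):
        print(f"{user}: {finding}")
```

On the sample data this reports Bob’s access to a private-client will 28 days after starting, Carol’s download three days after her leaving date (her account should already have been disabled), and Alice’s 55 downloads in one evening. The checks are deliberately simple; the point is that they run every day against the whole log rather than being left to an occasional manual review.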
Achieving cyber resilience in your practice or chambers in 2020 with Sprout
To speak with one of our team about cyber resilience challenges and opportunities in the New Year and beyond, please call Sprout IT today on 020 7036 8530 or email us.