When it comes to cyber security, 2022 held both opportunities and challenges. With cybercrime set to cost an estimated US$10 trillion by 2025, it is a growing problem that businesses must prioritise. According to the ENISA Threat Landscape 2022 report, ransomware and phishing are prime threats for businesses, with Distributed Denial of Service (DDoS) attacks also ranking highly. While the threat landscape can seem overwhelming, there are plenty of opportunities to keep your organisation safe. Understanding the dangers and shoring up your defences against them is the best way forward. Here are some key elements of cyber security organisations should focus on to secure their coming year.
Reassessing insider threats
No matter what industry you operate in, people are invariably your greatest asset and most innovative resource. But as we enter 2023, various pressures – from strike action to cost of living increases – are putting a strain on workforces, and that breakdown in trust with the establishment is creating an environment where conspiracy theories and criminal actors can flourish. As team members struggle in difficult economic conditions, organisations need to re-evaluate insider threats. A recent example of what this might look like came in November, when a security guard pleaded guilty to spying for Russia while working for the British Embassy in Berlin. Working with team members to minimise any threat they could pose to business operations and sensitive data is key.
Turning to memory safe code
Popular languages used to write software, such as C++, provide lots of freedom but rely on programmers doing the right thing, every time. This results in a whole class of vulnerabilities that are fundamentally rooted in poor memory handling. Ideally, organisations should remove these risks by making a strategic shift to memory-safe languages like C#, Go and Rust, which have inherent memory protection. With that move comes a challenge in reskilling or recruiting new skills into your development teams. The NSA’s recently published Cybersecurity Information Sheet advocates for this change and provides additional guidance on how to protect against memory safety issues. Organisations should use additional, layered defences such as compiler options, tool analysis and operating systems regardless of which languages they are using to produce software.
Securing the supply chain
Bouncing back after the pandemic, global supply chains have proved incredibly resilient. Procuring systems and software has been central to this recovery and is an important facet of today’s complex supply chains. Understanding what makes up these systems is vital, and examples like Log4j show how difficult it can be to know what components are in a black box, particularly Industrial Control Systems (ICS) which are ‘sold as seen’. This makes assessing the risk of devices directly very difficult. Alternatively, some procured systems are so complex that different approaches to risk assessment are needed. It is an area that is set to become more complicated in the future, as Executive Order 14038 paves the way for the Software Bill of Materials to potentially become a legal requirement in the US. Organisations should start now, ensuring that the procurement process either requires the right information from the supplier or connects to a suitable risk assessment process so that the business can make an informed choice when procuring. For existing systems, work with vendors and IT teams to discover as much information as possible about the inner make-up of those systems and services, and use it to populate Asset and Configuration Management Databases so that it can be used by your risk and response teams.
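As an added illustration (not CGI's code), the Python sketch below turns a supplier's Software Bill of Materials into flat records suitable for an asset or configuration database and flags a watched component buried inside a nested application, which is the Log4j situation described above. It assumes the supplier delivers CycloneDX JSON; the SBOM content, asset names and watchlist threshold are constructed for the example.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical ICS gateway (not real vendor data).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "firmware", "name": "plant-gateway", "version": "4.2"}},
    "components": [
        {"type": "application", "name": "historian-ui", "version": "7.0",
         "components": [
             {"type": "library", "name": "log4j-core", "version": "2.14.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
        {"type": "library", "name": "openssl", "version": "1.1.1k"},
    ],
})

# Hypothetical watchlist: component name -> first version the risk team accepts.
WATCHLIST = {"log4j-core": "2.99.0"}  # constructed threshold, set by your own risk process

def version_key(version):
    """Numeric comparison key; non-numeric or missing parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def flatten(components, parent):
    """Yield (path, component) for every component, including nested ones."""
    for comp in components or []:
        path = f"{parent}/{comp['name']}"
        yield path, comp
        yield from flatten(comp.get("components"), path)

def cmdb_records(sbom_text, watchlist):
    """Return one inventory record per component, marking those needing review."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    root = bom.get("metadata", {}).get("component", {}).get("name", "unknown-asset")
    records = []
    for path, comp in flatten(bom.get("components"), root):
        version = comp.get("version", "")
        accepted = watchlist.get(comp["name"])
        records.append({
            "asset": root, "path": path, "name": comp["name"],
            "version": version, "purl": comp.get("purl"),
            # A watched component with an older (or unknown) version goes to the risk team.
            "needs_review": accepted is not None
                            and version_key(version) < version_key(accepted),
        })
    return records

if __name__ == "__main__":
    for rec in cmdb_records(SAMPLE_SBOM, WATCHLIST):
        print("REVIEW" if rec["needs_review"] else "ok    ", rec["path"], rec["version"])
```

Keeping the full path in each record lets response teams see which procured system a flagged library sits inside, not just that it exists somewhere in the estate.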
A collision course: cost and cyber security
Increasing regulation across different industries is one of many factors impacting business costs. Regulation can introduce significant scope for improvement and innovation, but it takes skill to navigate these cul-de-sacs and opportunities. This can slow down innovation as everyone pauses to interpret the application of new rules and work out what is allowed. Instead, the short-term focus should be on maximising the value of existing cyber security investments and resetting expectations across the business – so everyone understands that it is important to collectively ‘hunker down’ for a short period while everything is properly understood.
Start with simple cyber hygiene
Basic cyber security processes and habits are vital. Cyber hygiene is the easiest way to raise the bar to entry for hackers. If you are part of a cyber security team, you need to know what your assets are and the systems and services that support them. It is vital to have an inventory, Configuration Management Database and asset management system. It’s also important to patch systems and services as quickly as you can, prioritising based on your context rather than something like raw CVE scores out of a tool. Most importantly:
- Apply knowledge of your environment
- Educate your users about security – particularly how to spot increasingly realistic / complex phishing attacks
- Be honest – if IT or security is not a core part of your business, outsource it to an expert
Is automation the future of cyber security?
Artificial Intelligence (AI), Machine Learning (ML) and automation are becoming the go-to solution for all sorts of IT and cyber security problems. These capabilities are enabling innovative solutions to thorny problems. Automation alone can improve threat detection, speed up incident response time, and reduce errors across an organisation’s cyber defences. However, organisations should be aware that bad actors can use these capabilities as a tool themselves or abuse yours to create the effect they want to achieve. AI and ML are even used in software development to solve more complex programming problems, so regardless of where you are leveraging this capability, it’s increasingly important to understand as much as possible about what the automation is doing so the business can manage the risks accordingly. The rewards can be significant though: with an automated response, threats like malware, phishing, and endpoint vulnerabilities can be detected and addressed immediately, without the need for audits or other processes. As threats often appear simultaneously, automation can also take away difficulties around prioritising security responses, and as an AI learns it becomes more effective at keeping your network and data safe.
Looking forward to 2023
Ensuring organisations are resilient against cyber-attacks and protecting data accordingly has become one of the most important challenges facing senior management. By putting the right cyber defences in place now, your organisation will be in a stronger position to avoid or respond to any cyber breaches in 2023 and beyond.
Here at CGI, we understand security from all angles - technology, business, and compliance. Our specialists build cyber security into businesses to drive agility, efficiency, and competitive advantage. We are one of the largest cyber security practices in the UK, helping clients manage complex security challenges with a business-focussed approach and protecting what is most valuable to them.