Happy Cybersecurity Month! An odd greeting perhaps, but in many parts of the world, October means 31 days of tips and advice on issues of IT and data security.
For much of October – and for every other month of the year – it’s the cybercriminals who have reason to be cheerful. Cybercrime is bad for businesses but big business for hackers.
Estimating just how big is challenging. Many crimes go unreported and data is usually collated by government bodies and cybersecurity companies, meaning little cross-sharing of information. To provide a rough idea: one estimate suggests cybercrime costs will reach a staggering $10.5 trillion by 2025.
No business is immune, and, as we’re increasingly sharing more of our data with more businesses, no individual is immune either. Think back to 2016, for instance, and you might recall the announcement from Yahoo that it (and its users) had suffered a data breach. The more Yahoo – and later, the FBI – looked into the incident, the greater the scale of the infiltration they exposed. They concluded that, due to breaches dating back to 2013, all three billion of Yahoo’s users had had their accounts compromised.
It's important to remember that bigger doesn’t necessarily mean better for cybercriminals. According to a 2021 report by the UK government, 37% and 38% of micro and small businesses, respectively, identified security breaches during the previous 12 months. That was then; what about now?
The cybersecurity landscape
In the UK, according to the most recent government findings, not a lot has changed. In fact, in terms of the proportion of firms identifying cyber attacks, nothing has changed; 39% of businesses of all sizes reported an incident during both 2021 and 2022. Look back over the past five years and the changes in figures are not hugely dramatic, though it is interesting to note the 2020 spike, when 46% of businesses reported incidents vs 32% in 2019.
The reason for this can be attributed in part to the massive shift to home working brought about by the pandemic. During this period many employees used personal devices, many of which lacked the robust cybersecurity defences of their corporate counterparts. Many also had to set up new accounts, create new passwords and so on; all of which increase the size of the cyber threat landscape.
Many employees and businesses will have learnt from these mistakes and are more attuned to phishing emails and the importance of strong passwords. However, cybersecurity is like an arms race: no sooner do businesses and IT users increase their defences than the hackers come up with new, more sophisticated methods of attack! This is reflected in businesses’ budget forecasts too: analyst firm McKinsey predicts that 85% of small and midsize enterprises intend to increase IT security spending until 2023. Looking ahead to 2023 and beyond, what are the risks that we need to be aware of?
Hackers armed with (Artificial) Intelligence
Artificial intelligence and machine learning are delivering significant benefits to many businesses (including automation, which we discuss in this blog). Unsurprisingly, they’re also bringing benefits to cybercriminals. AI techniques can be used to increase the number and velocity of attacks, for instance. McKinsey points to AI and ML being used to automate and send ‘contextualized phishing emails that hijacked other email threats – some linked to COVID-19 communications.’
Another – somewhat scarier – exploitation of AI is in the use of deep fakes. In 2019, the Wall Street Journal reported that AI-based software was used to impersonate the voice of a CEO in the UK to demand a fraudulent transfer of €220,000. Since then, the technology has grown more sophisticated, to the extent that you only have to search the term on YouTube to find a huge number of realistic videos, seemingly depicting celebrities and politicians.
It’s not only celebrities, politicians and CEOs that are on the cybercriminal’s hit list. Consider how AI can be used to ‘deep fake’ an individual’s voice, helping criminals access personal accounts via phone banking.
Cybersecurity takes to the cloud
Deep fake scams make for attention-grabbing headlines and while they do pose a threat, a more likely risk for a business to be aware of is the potential vulnerability of the cloud. According to IBM, nearly half of all data breaches happen in the cloud. It estimates the average cost of a data breach in organisations with private and public clouds at $4.24 million and $5.02 million, respectively.
Organisations can still rely on cloud services to reduce costs, scale business, optimise workflows, and drive efficiencies. However, it’s worth acknowledging the vulnerabilities of this environment and ensuring that security is factored into any cloud migration. Points of weakness to consider include the cloud migration process (including incompatible legacy frameworks and hardware), insecure interfaces, the increase in the number of potential entry points, internal threats due to human error and external threats like DDoS attacks.
Looking back on previous attacks and looking forward to future threats seems to provide scant reason for businesses to ‘celebrate’ Cybersecurity Month. While ‘no business is immune’, there are actions every business can take to reduce risk. The UK government has a number of tools to support firms, for instance, including Cyber Essentials for small businesses and a Board Toolkit for large ones. The EU’s Cybersecurity Month website also includes a number of resources.
October is a great month to take stock of your IT defences and to consider what actions to take, software to invest in, knowledge to arm yourself with, or cybersecurity talent to bring on board. Yet this will only prove robust if your action is long-term, ‘always-on’ and up to date. It may be costly, it might seem boring, but it’ll be a reason to feel happier about your cybersecurity for months – and years – to come!