What are the three main cybersecurity threats you’re facing in 2021?
30 July 2021
Since the beginning of the pandemic in 2020, the FBI has noted a fourfold increase in cybersecurity complaints.
It’s no surprise. COVID-19 and the resulting shift to remote work have had enormous implications for the world of cybersecurity. For most, it has meant super-accelerated or unplanned cloud migrations and the very swift procurement of IT products and services. Many companies were forced to rush through security measures to keep vital business operations running. There’s no doubt, working from home has created new levels of vulnerability and risk.
Now, those responsible for managing cybersecurity are assessing how their people respond to the security infrastructures adopted during the sudden shift to remote working. For example, many home workers use personal devices to do their jobs (even though they may well have been asked not to). Are these devices secure? Is business data vulnerable when the fail-safes on an office device are not there?
Cyber threats have become more sophisticated and intense amid the increasing levels of remote work and dependence on digital devices.
These are the three main cybersecurity threats that businesses face in 2021.
1. Business email compromise
Business email compromise (BEC) attacks use real or impersonated business email accounts to mislead employees and defraud businesses. These attacks have risen since last year and are set to grow more.
In December 2020, Keeper reported that uncertainty caused by COVID-19, Brexit, and the move to remote working had led to 70% of UK finance companies experiencing BEC attacks in the preceding year. In May 2021, GreatHorn compiled The 2021 Business Email Compromise Report, based on an online survey of 270 IT and cybersecurity professionals in the US.
The report highlights trends, issues, and gaps in fighting BEC attacks and related email threats:
- 71% of respondents stated that spoof email accounts or websites were a problem
- 69% cited spear phishing in which specific people or roles in an organisation are targeted
- 24% mentioned malware, specifically emails containing malicious files or other content
The only way to navigate these security challenges is by training staff. It’s vital to create a programme that informs and educates on all of your company’s security needs while, of course, reinforcing the positive behaviours your people already demonstrate.
It is important to discuss the language typically used in spoof emails so people can more easily spot potential scammers. You can stage cyber drills to show how sophisticated these scams can be.
Cybersecurity can be complex, but our experience shows that issues can often be as simple as a staff member struggling with installing antivirus software on their personal device. With straightforward steps, security can be enhanced.
2. Ransomware
Many ransomware gangs have shifted their focus to Managed Service Providers (MSPs), platforms that serve multiple clients at once. If a hacker gains access to an MSP, they can potentially reach many end-user clients. Typically, MSPs are hacked via poorly secured remote access tools, which can be due to faulty infrastructure as well as a lack of user understanding.
Market intelligence identifies ransomware as an increasing threat to businesses worldwide:
- Malicious emails are up 600% due to COVID-19. (ABC News, 2021)
- In 2021, the most prominent ransomware pay-out was made by an insurance company at $40 million, setting a world record. (Business Insider, 2021)
- About 1 in 6,000 emails contain suspicious URLs, including ransomware. (Fortinet, 2020)
- The most common tactics hackers use to carry out ransomware attacks are email phishing campaigns, attacks on Remote Desktop Protocol (RDP), and exploitation of software vulnerabilities. (Cybersecurity & Infrastructure Security Agency, 2021)
As a person responsible for cybersecurity in your company, how can you deal with this?
New remote or partially remote setups have created new challenges that demand a holistic approach: organisations must secure their growing cloud networks and implement and maintain robust remote-working security practices.
Fundamentally, the principle of least privilege must be enforced both between peers and companywide. It’s essential to educate staff to only share documents and information with verified parties.
Further skills training for staff is necessary, encouraging them to:
- Regularly back up all files securely
- Limit access to shared/network drives, turning off file sharing when not necessary
- Utilise secure authentication strategies, for example, through password security workshops
3. Phishing and social engineering
Phishing and social engineering attacks are arguably the most prevalent and dangerous types of cybercrime that organisations worldwide are currently facing. Recent Google Safe Browsing data shows that there are now nearly 75 times as many phishing sites as malware sites on the internet. This number rises daily as more and more attackers exploit vulnerabilities.
Recent research from Verizon has shown how these attacks can infiltrate a company:
- 96% of phishing attacks are distributed by email
- 3% arrive through a website
- 1% appear via phone or SMS communications and malicious documents
According to a study by APWG, the biggest category of phishing is targeted towards webmail and Software-as-a-Service users. These types of attacks make up 34.7% of phishing attempts.
And according to the results of Terranova Security’s 2020 Gone Phishing Tournament, almost 20% of all employees are likely to click on phishing email links. Of those, a worryingly high 67.5% then enter their credentials on a phishing website. This means 13.5% of employees are likely to submit their passwords on a fraudulent phishing page.
So, what subject lines should you tell your people to avoid?
In 2020, the most common subject lines of phishing emails were as follows:
- Changes to your health benefits
- Twitter: Security alert: new or unusual Twitter login
- Amazon: Action Required | Your Amazon Prime Membership has been declined
- Zoom: Scheduled Meeting Error
- Google Pay: Payment sent
- Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
- RingCentral is coming!
These subject lines show that criminals attempt to capitalise on three areas of perceived ‘weakness’:
- Fear – of the pandemic, by targeting users’ health concerns, or a user’s innate fear of a non-payment or ‘official’-sounding notice
- The rapid shift to remote working – most organisations worldwide have had to move quickly to remote working, using new and unfamiliar cloud technologies
- National lockdowns and boredom – with people turning to digital entertainment and virtual communication platforms to stay in touch with colleagues and loved ones
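As an added illustration (example code, not part of the original post or any vendor's product), a small Python triage helper that applies the spoofed-account pattern from the BEC section and the 2020 subject lines above to raw messages. The brand-to-domain table, the internal domain acme.example and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands named in the post's 2020 subject lines, mapped to the domains they
# legitimately send from (an assumption for this example; keep your own list).
BRAND_DOMAINS = {"twitter": {"twitter.com"}, "amazon": {"amazon.com", "amazon.co.uk"},
                 "zoom": {"zoom.us"}, "google pay": {"google.com"}, "microsoft": {"microsoft.com"}}
# The 2020 lure subject lines from the post, lower-cased for matching.
LURE_SUBJECTS = ["changes to your health benefits", "security alert: new or unusual twitter login",
                 "action required | your amazon prime membership has been declined",
                 "scheduled meeting error", "payment sent", "ringcentral is coming",
                 "action needed: update the address for your xbox game pass"]

def header_domain(msg, name: str) -> str:
    """Domain of an address header such as From or Reply-To ('' if absent)."""
    return parseaddr(msg.get(name, ""))[1].rpartition("@")[2].lower()

def triage(raw: str, internal_domain: str) -> list[str]:
    """Return the reasons a message deserves a closer look; an empty list means none fired."""
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].lower()
    domain = header_domain(msg, "From")
    reasons = []
    # 1. Display name claims a brand but the sending domain is not one of that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display and domain not in domains:
            reasons.append(f"display name claims '{brand}' but sender domain is {domain}")
    # 2. Lookalike of your own domain (acme-corp.example vs acme.example): the
    #    spoofed-account pattern behind BEC.
    if domain != internal_domain and internal_domain.split(".")[0] in domain:
        reasons.append(f"{domain} resembles {internal_domain} but is not it")
    # 3. Reply-To steers the victim's answer to a different domain than From.
    reply_domain = header_domain(msg, "Reply-To")
    if reply_domain and reply_domain != domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    # 4. Subject matches one of the 2020 lure subject lines.
    subject = re.sub(r"\s+", " ", msg.get("Subject", "")).strip().lower()
    if any(lure in subject for lure in LURE_SUBJECTS):
        reasons.append("subject matches a known 2020 phishing lure")
    return reasons

# Constructed sample messages for the example (not real mail).
SPOOF = ("From: Amazon Prime <billing@amaz0n-support.example>\nReply-To: pay@mailer.example\n"
         "Subject: Action Required | Your Amazon Prime Membership has been declined\n\nPay now.\n")
BEC = "From: Jane Smith <jane.smith@acme-corp.example>\nSubject: Urgent invoice\n\nSee attached.\n"
LEGIT = "From: Team Zoom <no-reply@zoom.us>\nSubject: Your recording is ready\n\nHi.\n"
if __name__ == "__main__":
    for sample in (SPOOF, BEC, LEGIT):
        print(triage(sample, "acme.example"))
```

The checks are heuristics for awareness drills and mailbox triage, not a replacement for SPF, DKIM and DMARC enforcement at the gateway.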
Education on this is vital, and for CISOs it can seem overwhelming. But often there are people within your organisation you can lean on to assist with this process.
For example, internal comms teams can help you talk to the staff body as a whole. Marketing teams may be able to advise on the best way to reach your audience, often across multiple channels, geographies, languages and knowledge levels.
Help your people
Cybersecurity is a persistent and growing threat, and for CISOs it can sometimes seem like a losing battle to stay ahead. However, with smart staff training, tactical decision-making and the ability to constantly adapt, security risks can be significantly reduced so that your business continues to function successfully.
Please feel free to contact us for more information on integrated, practical staff awareness and training programmes to combat these main cybersecurity threats, and many others.