CYBER - Cyber crime peaked astronomically in 2020. Learnings and predictions for 2021.
By Stephen Burke, Cyber Risk Aware CEO and Founder
via Iain Fraser - Cybersecurity Journalist
Nothing could have prepared us for 2020 - a year that demanded a swift and dramatic restructure of corporate operations in response to the Covid-19 pandemic.
Remote workforces were created overnight, even within industries who never had the experience of managing effective, remote working teams. With limited time and resources to prepare and support home working employees, a makeshift remote setup was thrust upon us. This, consequently, created an opportunity for massive cyber security breaches and a stream of cyber attacks, which can have a devastating impact on businesses when the cost of a data breach averaged between $184k and $715k for a medium-sized business in 2019. 2020 was an opportunistic year for cyber criminals, who took advantage of a time of uncertainty. In the UK, businesses experienced a 31% increase in cyber crime during the height of the pandemic, with phishing emails up by nearly 700%, preying on what should be a company’s greatest cyber defence asset; their employees.
As the new year starts, it’s important all businesses reflect on last year’s challenges overcome, mistakes made and to ask the questions: what have we learnt from this turbulent time? Are cyber attacks getting worse? Why isn’t simple scheduled training enough anymore? And will a more human-centric approach to cyber training make a difference? We also need to think about the new year and make cyber security predictions to stay ahead of relentless cyber criminals.
1. Cyber security risks increasing
We have seen the methods cyber criminals use evolve in sophistication as well as in volume, pushed even further during this pandemic period where staff are working in new ways, often separated from IT help. This increased level of sophistication makes cyber attacks much harder to identify and therefore far more threatening. While phishing, ransomware, malware and DDoS attacks were among the most common methods employed by cyber criminals in 2020, there was also a rise in new methods. This can be seen in attacks on popular collaboration tools like Zoom, Slack and Microsoft 365 and the massive Solarwinds attack; where 18,000 private and government users downloaded a tainted software update, causing the largest hack of the US federal government networks in years. Cyber criminals are always on the lookout for new opportunities and emerging trends, taking advantage of unpatched vulnerabilities before businesses have a chance to ensure staff are adequately trained and their networks are properly secured and protected.
2. Technology has its limits
In the Covid-19 era we have all learnt the importance of community and culture, this same lesson has been learnt in cyber security too. With an increased remote workforce, businesses are more vulnerable to cybercrime than ever before. Knowing that over 90% of data breaches are the result of human error, it is recognised how people’s actions are a huge part of the problem, so they must therefore be part of the solution - a business is only as strong as their staff and technology alone is not enough to protect a business.
William Hill, Lloyd’s Bank, Clear Channel and the NHS are examples of organisations that have changed their cyber security training to create the cybersecurity work culture that is vital to preventing cyber attacks, especially whilst staff work remotely. William Hill even received an award for its in-house training methods for staff. And Clear Channel who changed their training to a real time human-centric approach saw impactful results when focusing on their staff: “Cyber Risk Aware’s platform identified key human risks within our business, instilling positive behavioural changes in staff and helped to protect our network against cyber crime from the inside out.” said Ashish Shrestha - Director of Information Security for Clear Channel International.
3.Scheduled training alone doesn’t cut it anymore
Scheduled cyber security training sessions are often outdated, avoided by staff and forgotten by the time employees actually need the knowledge or are faced with a potential cyber attack. This renders them pointless and an ineffective use of both time and money. Training content must be digestible and easy to understand and delivered regularly to create actual behavioural change and allow staff to learn. Using world-leading Real Time functionality which enables a company to monitor risky behaviour on the network, from any location, on any device is vital for those with remote workforces. Short and regular training which immediately notifies staff when they make a risky cyber decision at that exact moment of need, alerting them and educating them as to why their actions are unsafe leaves a business protected from accidental employee actions that often lead to costly security incidents. Scheduled training and lectures are useful, but as they are training ahead of a problem companies can never anticipate happening, leads it to be ineffective when compared to point-in-time training in response to specific user actions.
2021 predictions see cyber security risks escalating
While 2020 may have highlighted the security challenges of remote working, 2021 will see businesses face further heightened security risks as Covid19 and the vaccine take us into the new year.
Covid to cause further cyber risk
The global pandemic and lockdowns have changed the lives of us all, both at home and the way we work. It is unlikely we will see a sudden mass return to the office and these changes reversed in the start of 2021, even with the Covid-19 vaccine people will not be working as they did before for some time. However, later in the year when people do start returning to the office and re-joining the corporate network they will be doing so with insecure hardware that has been used for remote working for months. These devices may store confidential data and could have been used by other household members. The risk of these devices having insecure software installed or have visited insecure websites over the past 10 months is undeniably high. This could cause mass unsecure device attacks as they re-join corporate networks and allow hackers access to the 17 million files employees averagely have access to.
Additionally, as our ticket back to normal pre pandemic life, the Covid19 vaccine, becomes more readily available this year, we are likely to see an increase in related cyber crime hacking. This could be similar to what we saw with PPE in 2020, where governments were scammed into ordering millions of pounds worth of non-existent PPE, but this time with the COVID-19 vaccination ordering and rollout. Businesses must question if they are prepared for this? As phishing scams become increasingly sophisticated will they and their employees be able to identify a phishing scam when it comes in? It is imperative all employees are trained and educated in real time, to spot the latest phishing scam before it’s too late, as one click on the wrong email can bring entire corporate networks to their knees.
Cutting costs in a smart way
It's been a tough year for businesses financially and cuts unfortunately may take place. Companies will be looking to leverage the spending they have already made to ensure they are in both a mature business and cyber security position. To do this they need a platform that can deliver training to staff in real time at their exact moment of need, in response to employees actions. Businesses should leverage their existing tech by using a platform that requires less admin staff to manage and is capable of integrating with existing technology and working flexibly on any device, in any location to cause actual behaviour change in staff through training.
Copycat attacks to rise
As technology evolves so do cyber criminals, who latch on to newsworthy events for new opportunities to infiltrate a business, with many businesses having to change their business practises to survive the pandemic, there is more online trading and therefore more opportunity for cybercrime than ever. Copycat attacks are also common, so there is a chance we will see cyber criminals copying recent successful cyber attacks such as the recent SolarWinds attack, where Malware provided remote access into an organization’s networks allowing information to be stolen, undetected for months, affecting up to 33,000 of SolarWinds Orion customers. Additionally, we are likely to see copycat attacks continue with Ransomware. There was a 40% Increase in Ransomware Attacks in Q3 2020 it is likely that this will continue to rise in 2021 along with the continued sophistication of phishing and vishing to target new companies and untrained individuals.
This last year has provided endless challenges and struggles, but an equal amount of lessons can be learnt and put to use in 2021, although little good has come from the pandemic, perhaps this is the push that was required to make industries embrace remote working. With the rise of the cloud, an increase of global businesses and soaring office rental costs in capital cities remote working was ultimately inevitable. And the pandemic has pushed us to achieve these future goals much earlier than initially thought possible. As a result the much needed conversation of cyber security has been brought forwards and companies like Cyber Risk Aware have now been recognised by Gartner, written about in Forbes and, most importantly, have empowered employees to feel cyber secure and confident in their online actions. It is only by creating this workplace confidence and cyber culture that businesses can have the vital best practices in place, continually educating staff to ensure the business and networks are protected from the inside out.
About Stephen Burke
Stephen has been working at the sharp end of cyber security since 2009 and is a regular speaker on the subject internationally as well as on UK television and radio.
Stephen was formerly VP, Chief Information Security Officer (CISO) and Cyber Insurance Underwriting Adviser at RenaissanceRe. He founded Cyber Risk Aware in 2016 having consistently found that cyber criminals were targeting people not systems. Stephen firmly believes that staff are the greatest security asset in a company and are not the weakest link like so many others would make you believe. An effective information security program must include a human centric approach otherwise it will fail.