The 10 Biggest Cybersecurity Risks Businesses Face In 2021
From cloud misconfigurations and unsegmented networks to extorting ransomware victims and taking advantage of their cyberinsurance policies, here are the most significant risks organizations face.
Risky Business
Cybersecurity risk is determined by the likelihood of exposure, critical asset or sensitive information loss, or reputational harm stemming from a cyberattack or breach within an organization’s network. Cybersecurity risk is typically determined by examining the threat actor, type of vulnerability and the consequences associated with network disruption.
Vulnerabilities are weaknesses, flaws or errors that can be exploited by attackers through social engineering attacks, DDoS attacks and advanced persistent threats (APTs) to gain unauthorized access. Depending on the attack, the direct and indirect consequences may impact an organization’s finances, operations, reputation and regulatory compliance status.
As part of Cybersecurity Week 2021, CRN spoke with 10 vendors about the biggest risks businesses face since the onset of the COVID-19 pandemic. From cloud misconfigurations and unsegmented networks for remote workers to extorting ransomware victims and taking advantage of their cyberinsurance policies and supply chain relationships, here are the most significant risks organizations face.
Cloud Misconfigurations
Businesses have rapidly adopted Microsoft Teams and Office 365 recently without setting strict data collaboration policies, which has led to sensitive data getting shared broadly with outside third parties, said Matt Radolec, head of Varonis’ Incident Response team. Companies have less visibility and control over SaaS apps and IaaS and are mistakenly trusting the cloud service provider to deliver security.
Turning on an Amazon S3 (Simple Storage Service) bucket is as easy as flipping a light switch, meaning that businesses must implement a continuous monitoring methodology for their cloud apps, Radolec said. A single employee turning on one S3 bucket in the cloud could expose all of a company’s customer data to everyone in the world, according to Radolec.
Permissions are often configured differently for cloud services like Box as compared with storage arrays, with the settings adopted for a privileged administrator account in Box flowing all the way down to rank-and-file employees by default, Radolec said. Solution providers can help their customers build data protection programs and methodologies that apply best configuration practices to the cloud, he said.
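The continuous-monitoring check Radolec describes can be reduced to three questions about each bucket: does its policy grant rights to everyone, does its ACL grant rights to the AllUsers or AuthenticatedUsers groups, and are the account or bucket Public Access Block flags enforcing. The following Python is an added example (not code from CRN or from Varonis) that answers those questions offline from the JSON a monitoring job would pull with boto3's get_bucket_policy, get_bucket_acl and get_public_access_block; the bucket name, role ARN and sample documents are constructed.

```python
"""Offline audit of S3 bucket exposure: policy, ACL and Public Access Block.

Added example, not from the article or from Varonis. The sample documents
at the bottom are constructed; feed real ones from get_bucket_policy,
get_bucket_acl and get_public_access_block in a scheduled job.
"""
import json

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    # IAM policy fields may be a scalar or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when Principal is '*' or a map such as {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_policy_statements(policy_json):
    """Return 'Sid: actions' for each Allow statement open to everyone.

    Conditioned statements are still reported (marked) because a condition
    that is meant to narrow access is easy to get wrong.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            sid = stmt.get("Sid", f"statement-{i}")
            actions = ",".join(_as_list(stmt.get("Action", [])))
            marker = " (conditioned)" if stmt.get("Condition") else ""
            findings.append(f"{sid}: {actions}{marker}")
    return findings


def public_acl_grants(acl):
    """Return 'Group: Permission' for grants to the two public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS_URI, AUTHENTICATED_USERS_URI):
            findings.append(f"{grantee['URI'].rsplit('/', 1)[-1]}: {grant.get('Permission')}")
    return findings


def public_access_block_gaps(config):
    """Return the Public Access Block flags that are not set to True.

    Buckets created since April 2023 get all four on by default; older
    buckets, or ones someone "flipped the switch" on, may not.
    """
    expected = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [flag for flag in expected if not config.get(flag, False)]


def audit_bucket(name, policy_json, acl, pab):
    """Run all three checks; an empty list means no public exposure was found."""
    findings = [f"{name}: policy {f}" for f in public_policy_statements(policy_json)]
    findings += [f"{name}: acl {f}" for f in public_acl_grants(acl)]
    gaps = public_access_block_gaps(pab)
    if gaps:
        findings.append(f"{name}: public-access-block not enforcing " + ",".join(gaps))
    return findings


# Constructed sample: the "one employee turned on a bucket" case.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-customer-exports/*"}],
})
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"}]}
OPEN_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Constructed sample: the same bucket after remediation (hypothetical role ARN).
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
                   "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-customer-exports/*"}],
})
LOCKED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
LOCKED_PAB = {flag: True for flag in OPEN_PAB}

if __name__ == "__main__":
    for label, docs in (("open", (OPEN_POLICY, OPEN_ACL, OPEN_PAB)),
                        ("locked", (LOCKED_POLICY, LOCKED_ACL, LOCKED_PAB))):
        print(label, audit_bucket("example-customer-exports", *docs) or ["no public exposure found"])
```

The open sample produces three findings (policy, ACL and Public Access Block), the locked sample none; in a real job the findings list is what gets alerted on, so the check runs on every change rather than once at deployment.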
Keyword Searches During Ransomware Attacks
Ransomware actors historically conducted “smash and grab” operations, where they would take everything they could from the victim, lock their files and demand Bitcoin to restore access, said David Dufour, Webroot’s senior vice president of cybersecurity and engineering. But adversaries have increasingly turned to keyword searching and other reverse-engineering techniques to obtain crown jewels.
One of the first things threat actors will search for is the victim’s cyberinsurance policy to determine how large of a ransom they should ask for, according to Dufour. From there, Dufour said hackers will look to get their hands on records that are protected by regulations like HIPAA so that they can demand a larger ransom from the victims.
Adversaries have automated the process of scanning devices, servers and other areas of the victim’s environment for documents that contain certain keywords, according to Dufour. Files that contain data with the requested keyword are dumped into bins that can be manually inspected, analyzed and—if valuable—encrypted, Dufour said.
Lack Of Segmentation For Remote Workers
The rapid shift to remote work at the onset of COVID-19 disrupted businesses’ network architecture by making things inside the network far more open than intended, which resulted in nonprivileged users having access to core databases, said Jonathan Couch, ThreatQuotient’s senior vice president of strategy and corporate development. The open architecture created more operational and financial risk for businesses, he said.
To save money, Couch said organizations introduced a single VPN access point into their network rather than grouping internal systems by function as they did prior to COVID-19. The lack of internal boundaries meant that all employees now had access to the company’s human resources and financial data rather than just employees working in those departments, according to Couch.
Organizations should closely examine their access and segmentation policies to keep remote employees confined to their particular area of work rather than giving them broad access across the company’s network, according to Couch. Implementing a zero trust architecture can dramatically improve the security of highly distributed workforces, Couch said.
Cloud Infrastructure And SaaS
The user has become a more important attack vector than the device since COVID-19, meaning that businesses must think about risk in the context of both identity and device rather than just the device, said Tim Erlin, Tripwire’s vice president of strategy. Companies must examine the risk associated with each connection request, considering the sensitivity of the resource they’re looking to access, he said.
Most organizations are now securing cloud workloads, but cloud infrastructure, configurations and SaaS continue to remain a blind spot for a majority of businesses, according to Erlin. Companies don’t understand the risks associated with misconfigured cloud or SaaS accounts, and lack the resources, expertise and tools to properly secure cloud infrastructure, Erlin said.
More attackers are leveraging containers and cloud misconfigurations in their exploits due to the lack of cybersecurity instrumentation available for defenders, according to Erlin. In response, businesses are moving away from control-specific measurements around vulnerabilities and malware incidents toward a more comprehensive risk measurement capability that’s meaningful for the whole organization.
Targeting Family Members Of Executives
A lot of the malware that used to be found on office networks has shifted to residential networks since employees are working from home during COVID-19, said BitSight Chief Technology Officer Stephen Boyer. The combination of residential networks and many employees working on personal machines during the pandemic has made things much easier for adversaries since there’s less protection in place.
The ability to defend and respond to adversaries on a home network is close to zero, which Boyer said has given threat actors free rein to go after the family members of executives. Machines in a home network tend to be trusted and not behind a firewall, meaning that an adversary can easily connect to local services and move laterally by breaching the email account of an executive’s spouse, Boyer said.
This allows the threat actor to carry out certain types of attacks that are possible to execute from within the home network but not using a remote internet connection, according to Boyer. The lack of intrusion detection on home networks has resulted in a big increase in the frequency and success of attacks, with a 450 percent jump in businesses reporting ransomware claims to cyberinsurance providers, Boyer said.
Third-Party Service Providers
From videoconferencing to whiteboard products to file sharing, companies are using more technology products to facilitate remote work and close the gaps that didn’t exist when employees were together in person, according to Greg Pollock, UpGuard’s vice president of product. A natural part of digital transformation is having more technology vendors and consuming more third-party software, he said.
But every new technology vendor in an organization’s supply chain introduces additional risk to the business, Pollock said. It has become increasingly common for a breach at a single company like SolarWinds, Accellion or Kaseya to impact tens, hundreds or even thousands of other companies or government entities around the world, according to Pollock.
The breach of a supplier will likely result in more than just the loss of availability of whatever service they provide and could result in the loss of confidentiality around sensitive information that was shared with them, Pollock said. Ransomware gangs are trying to more pointedly incentivize victims to pay by making attacks more damaging to their customers and business partners, according to Pollock.
Lack Of External Vulnerability Scanning
Organizations need to do an honest self-assessment of every vulnerability, risk and opening in their environment that adversaries could leverage as part of a cyberattack, said Nick Biasini, head of outreach for Cisco Talos. From drive-by downloads and buying access into networks to actively exploiting systems, adversaries employ a wide variety of techniques to take advantage of unknown victim systems.
Organizations should do vulnerability scanning from outside and inside their environment to get a better sense of what visibility an adversary would have when starting an attack as well as if they’re able to breach the victim’s systems, Biasini said. Companies should identify the key servers or pieces of technology they need to safeguard and address any weaknesses by putting compensating controls in place.
Organizations should start by dealing with vulnerabilities inside their own systems, according to Biasini. And as their security posture matures, businesses should begin setting up their servers externally and doing external scans to get a better sense of what the organization looks like to a threat actor on the outside, Biasini said.
Holding Data Hostage
The most powerful asset any organization has is customer data or internal corporate or IP data, meaning that business risk is typically concentrated around data, said Michael Maggio, Reciprocity’s executive vice president of product. Adversaries have become more focused on holding a victim’s data hostage rather than trying to sell it to someone else since the former provides a faster return on investment.
Defenders should start by understanding what data could potentially be exposed and identify where there might be violations of regulations or standards such as HIPAA, PCI or SOC 2, Maggio said. From there, Maggio said businesses should examine what controls they have in place to protect their crown jewels as well as the financial cost associated with something like the theft of customer data records.
Businesses should assess their cyber-risk profile by looking at what business assets and processes are exposed to the outside world, according to Maggio. From there, Maggio said organizations should look for security software, tools or methodologies that control access to that data such as firewalls or encryption to better protect the data.
Targeting Of Companies With Cyberinsurance
Smaller businesses that weren’t attractive ransomware targets historically might be more appealing today due to the increased adoption of cyberinsurance among SMBs, according to Rob Cataldo, managing director of Kaspersky North America. Cybercriminals do reconnaissance looking specifically for the presence of a cyberinsurance policy in a target’s environment before deciding to attack, he said.
Organizations with cyberinsurance are seen as more likely to pay a ransom if the threat actor attempts to extort them since the amount of the ransom is often less than the projected cost of restoring without a decryption key, Cataldo said. SMBs need to invest in putting together a risk mitigation strategy that outlines how the business plans to prevent, detect, mitigate and accept certain risks, Cataldo said.
As cyberinsurance moves beyond large enterprises and pushes downmarket into the SMB space, Cataldo said it’ll be interesting to see which regulations or requirements cyberinsurance providers start to institute as part of the underwriting process. Cyberinsurance providers have good reason to avoid taking on ultra-risky clients since they’re far more likely to end up filing expensive claims, Cataldo said.
Extorting Ransomware Victims
Ransomware has become less about locking consumers out of devices and more about extorting them by threatening to release or leak their sensitive personal data, said Darren Shou, NortonLifeLock’s chief technology officer. Threat actors threaten to attack people’s identity and reputation by releasing emails, private conversations or sensitive selfies they’ve taken to friends, co-workers or their employer, he said.
Adversaries historically threatened to lock down files when carrying out ransomware attacks, but Shou said consumers have become increasingly capable of restoring those files using online backups. As privacy becomes more top of mind for consumers, extorting customers by threatening to publicly release or disseminate their personal information has become more effective, according to Shou.
The flow of payments the industry has seen around extortion and ransomware attacks is really a function of how much users value their reputation, Shou said. There has been a 35 percent increase in ransomware attacks from late 2020 to early 2021, while the share of illicit funds gotten by ransomware operators has grown by more than 300 percent on a year-over-year basis, according to Shou.