The latest insights on cyber security threats and mitigation strategies

Protect your business with the latest insights on cyber security threats and mitigation strategies with Tecala’s Cyber Security Report. Read this article to get back on-top of cyber security and stay there!

The latest insights on cyber security threats and mitigation strategies

In this article we cover:

  • More billions invested into cyber
  • Set adrift in a sea of attacks
  • Threats may be exponentially larger than they appear
  • Bringing everyone up-to-speed
  • Threat mitigation strategies
  • The Tecala Way

Content Summary

Introduction
Billions more invested into cyber
Set adrift in a sea of attacks
Threats may be exponentially larger than they appear
Bringing everyone up-to-speed
Threat mitigation strategies

Businesses and practitioners alike need a ‘pick-me-up’ – a confidence booster to get back on top of security risks and challenges, and to stay there. Let the Tecala Cyber Security Report be your stimulus for change.

Today, more of us than ever before acknowledge the risks of a Cyber Security breach. It has carved out a permanent place in the risk disclosures of our annual reports, while initiatives, investments and incidents are described at length in our sustainability reports. In addition, nine in ten Cyber Security executives present directly to the board, the majority at least quarterly.

And yet, despite this visibility, confidence is down.

With good reason, Cyber Security is not a domain for complacency. The level of inevitability around an attack – not a case of if but when – that has seeped into the narrative in recent years, is not exactly confidence-building.

However, with appropriate awareness and the right support, you can regain the confidence to understand and anticipate threat actors’ next moves.

This Cyber Security Report, curated by Tecala’s Manager of Cyber Security, Murray Mills, is a valuable resource to refresh the internal conversation about security and instil fresh confidence in your defensive posture and actions.

In the article we cover:

  • Billions more invested into cyber
  • Set adrift in a sea of attacks
  • How threats may be exponentially larger than they appear
  • Bringing everyone up-to-speed
  • Threat mitigation strategies
  • The Tecala Way

Introduction

Today, more of us than ever before acknowledge the risk of a Cyber Security Breach.

It’s carved out a permanent place in the risk disclosures of our annual reports, while initiatives, investments and incidents are described at length in our sustainability reports. In addition, nine in ten(1) Cyber Security executives present directly to the board, the majority at least quarterly.

And yet, despite this visibility, confidence is down.

Only 9% of boards(2) are extremely confident “that the Cyber Security risks and mitigation measures presented to them can protect the organisation from major cyber attacks,” down from 20% of boards last year.

That may be because security leaders themselves lack confidence(2), particularly in their ability to understand and anticipate new strategies used by attackers.

Security is clearly not a domain to be over-confident about. The level of inevitability around an attack–not a case of if but when–that has seeped into the narrative in recent years is not exactly confidence building.

As practitioners and organisations, we need to find new ways to overcome this: to connect with strategies, tools, techniques and methodologies that can lower the level of risk we face from a Cyber Security standpoint.

With appropriate awareness and the right support, you can regain the confidence to understand and anticipate threat actors’ next moves.

And if we all work to uplift our skills and capabilities, then more of us can get to a position of being confident that we’ve done–or are doing–everything within our power to keep our people, data, IT environments and physical assets secure and safe.

We hope you find our first Cyber Security Report a valuable resource to refresh the internal conversation about security and instil fresh confidence in your defensive posture and actions. – Murray Mills, Manager of Cyber Security

Billions more invested into cyber

Edgy comedians often say they don’t know where the line is until they cross it. The same can be said for threat actors. Attacks on health or aged care providers during Covid provoked disgust but apparently didn’t cross a line.

That all changed when an oil pipeline was ransomwared. Authorities became involved; infrastructure takedowns ensued; and attackers, sensing their mistake, laid low and waited for some of the heat to pass.

The pipeline incident also provoked governments and ‘big tech’ companies like Google and Microsoft to commit tens of billions of dollars(3) more to Cyber Security. Those billions are being put towards a roadmap of security activities, from Cyber Security awareness and technical skills training, to improving the security capabilities of cloud services and products relied on by businesses worldwide.

What you should take from this is that Cyber Security is not a static, one-time investment. Security is an ongoing, recurring issue that needs to be addressed over the lifetime of your business, just as it is being treated today by some of the largest and most well-resourced technology companies in the world.

The threat landscape is constantly changing and evolving. As new threats and risks arise, you need to be able to continually address and mitigate them.

Managed security services and a Strategic Security Roadmap of actions can keep your business on top of threats and risks as they appear on a rolling basis.

In summary:

  • Security requires a consistent strategy of actions and investments
  • Even the biggest, most well-resourced companies are not immune

Set adrift in a sea of attacks

For organisations in the Microsoft ecosystem–and let’s face it, that’s most of us–the past months have not been pretty.

A parade of vulnerabilities has left many of the software products we rely on exposed, and kept security teams busy, even more so than usual.

With the industry leaders more prone to attack than ever, it begs the question – what risks are mid-market organisations vulnerable to, and without enterprise expertise or budget to support?

Let’s examine a brief selection.

PrintNightmare was mistakenly disclosed in June by a group of researchers that confused a patched bug in the part of Windows that manages print jobs for one they had similarly–but separately–found. The two bugs turned out to be different, and so an unknown bug–and instructions on how to exploit it–were live on the internet. Several patches later, the issue still isn’t fully resolved.

Microsoft’s Exchange Server has also had multiple critical flaws. After four zero-days that could be used to steal data from email servers and accounts were patched in March, three more vulnerabilities were uncovered in August called ProxyShell, that could be used to impersonate a user and to remotely create messages from their inbox.

Then, in late August, researchers found a vulnerability in Microsoft’s Azure Cosmos DB service that could be used to remotely take over the data store or gain access to other customer’s instances. We review the implications of these vulnerabilities and how businesses must reconsider their security measures overleaf…

…Time costs money

The aformentioned examples are just a small selection of the dozens of threats to emerge in recent months. Threat actors are actively targeting the software applications used by businesses, and these flaws are being used by others to break into corporate networks, encrypt or steal data, and extract ransoms.

Some vulnerabilities are patched quickly. Others take months to be patched or may not be patchable at all, in which case the best that can be done is to apply ‘mitigations’ –implementing security frameworks or sets of controls, making configuration changes or training users –to lower the overall risk or threat.

It’s critical that businesses are able to look holistically across their environment and determine where they may be vulnerable to active threats. Without an adequate Cyber Security program, training and tools, your ability to identify, let alone reduce the risk around you is constrained.

In summary:

  • More critical vulnerabilities in core business applications are being found ‘in the wild’
  • Security teams are being asked to apply more patches more frequently, often ‘out-of-band’ (read: immediately) to address an imminent threat
  • Good, timely information and visibility is required to stay abreast of the situation

Threats may be exponentially larger than they appear

Intelligence-sharing is a common theme in the security community.

Unlike in other sectors where there may be a tendency to guard any and all knowledge as a form of intellectual property, security practitioners aren’t in competition with one another.

Instead, we have a common goal to secure our environments as well as a common enemy, and the best way to understand that enemy –the threat they pose and we collectively face –is to have as much information about their activities in front of us as possible, so we can make informed decisions.

So it’s disappointing to see some Australian organisations undermining this collective effort by sitting on threat information instead of reporting encounters to the relevant authorities.

This trend is highlighted(4) in the January to June 2021 data breach statistics compiled by the Office of the Australian Information Commissioner (OAIC) where reported incidents fell by 16%, partly because organisations didn’t disclose when they had ransomware infections.

While organisations may be keen to avoid brand, sentiment or financial damage, hiding an attack is inadvisable: one, because customers deserve transparency, and two, because knowing what malware is circulating can act as an early warning to others…

…Breakdown the walls

The tell-tale signs of malware–snippets of code, termed ‘indicators of compromise’–may be enough for others to avoid an infection or to detect and act against a live attack. When organisations fail to report these signs so they can be published, everybody loses.

If you have an interest in securing your organisation and its assets, the OAIC report is a wake-up call. Threats in the report may be exponentially larger than they appear. Whole categories of threats may even be missing.

What threats are we not learning about or across because they’re not being reported?

What are we not focusing on or underinvesting in from a security perspective because we’re simply not aware of the possible risk?

The answers to these questions underline the importance of a holistic security strategy that takes into account the current environment and all of its risks.

In summary:

  • Share what you know –don’t sit on crucial information
  • Increase vigilance levels given the current situation of under-reporting of attacks
  • Ensure a well-focused and strategic security environment is maintained to reduce the threat landscape

Bringing everyone up-to-speed

User awareness and vigilance has always been a critical element to the effectiveness of a Cyber Security strategy. It is often said that Cyber Security is everyone’s problem, and the statistics show this is still the case.

The OAIC found 57% of cyber incidents are caused by either phishing or password compromises, proving the end user is the biggest threat vector that bad actors will seek to take advantage of.

Countering this threat requires education–in the form of Cyber Security awareness and training. This is not just the problem of users but also of the businesses they work for. A government-run survey(5) last year found one in five Australian small-to-medium businesses–of up to 199 employees–did not know the term ‘phishing’, and didn’t know where to begin to fix their security knowledge and implementation gaps.

In our experience, security awareness training is often haphazard or ineffective. It may be embedded in a user acceptance policy, unengaging, or conducted at a point-in-time without regular reinforcement. It may or may not even be mandatory

This will not raise security awareness nor lead to an appropriate, measured reduction of risk.

Businesses need to offer the right kind of education to employees at onboarding and then at least quarterly, make completion of it mandatory, and regularly run tests to check that the training sticks. This may involve running phishing simulations, where any tricked users are directed to a training course refresher. Tecala through our partnerships has a library of hundreds of Cyber Security awareness training courses, allowing our customers to report on and monitor how people perform and comply with internal security training requirements that we help oversee.

None of this needs to be overly intensive. Instead it’s about making people aware of a concept and its risks, and then confident enough to report anything suspicious that they come across.

In summary:

  • Prioritise Cyber Security awareness training for your people
  • Train and test your people regularly to reinforce awareness and build confidence

57% Percentage of incidents caused by phising or password compromises

1 in 5 Unaware of term ‘phishing’

Hundreds No. of Tecala libraries of Cyber Security awareness training courses

Threat mitigation strategies

In addition to acting at the frontline where your people may be fooled by an attacker, businesses should also look to adopt other threat mitigation strategies for a rounded approach to Cyber Security.

Two primary frameworks–the Australian government-created ‘Essential Eight’ and the Centre for Internet Controls (CIS) 18–stand out as ways for a business to understand the security risks in their business environment, and how that impacts their overall risk exposure. Businesses need only pick one framework to work with.

Both frameworks ask subjects to achieve uniform compliance across a set of controls they target. Those controls cover areas such as patching, application settings, administrative privileges, authentication and backups.

The extent to which your business pursues maturity in these areas comes down to a weighting of the risk and reward of going down a particular path.

There will be ‘low hanging fruit’–controls that are not overly difficult or costly to enable, where the reward of doing so far outweighs any risks.

Likewise, there will be recommended actions that come with a much higher price tag. The question will be whether that investment really mitigates your risk to a level that would justify the spend. It may not.

The path you take will depend on your priorities and the outcomes you’re hoping to achieve. A well-defined Strategic Security Roadmap is essential to understanding what actions you should take and when you should take them.

In summary:

  • Use controls to mitigate risk
  • Aim to constantly improve your maturity in line with industry standard frameworks
  • Focus on alignment on best outcomes and most significant impact on reducing risks