Cyber-attacks: how can companies limit the risks in a global environment of growing security threats?
March 2023 by Julien Soriano, Chief Information Security Officer at Box
Julien Soriano, Chief Information Security Officer at Box, reviews the tools and actions that must be put in place to secure work environments and to enable all employees to participate in the fight against cyber-attacks in 2023.
He answers the following questions: Outsourcing of projects, teleworking, increased access points, innovation, new cyber-attack techniques: how can companies arm themselves against potential threats? How can CTOs and CIOs achieve a secure and easy-to-use work environment for all employees, while meeting their growth objectives?
In 2022, 9 out of 10 businesses were targeted by cybercriminals¹. Faced with the increase in attacks, governments are taking concrete action: releasing budgets, strengthening international cooperation and introducing new regulations. Companies are aware of the importance of strengthening the security of their environment, especially as hybrid work increases the risk of attacks: 79% of companies acknowledge that teleworking has had a negative impact on their security systems, as the risks can come from employees or external partners². Paradoxically, they have only planned a 10% budget increase this year for this purpose³.
Tip 1: Protection against social engineering and insider threats – A layered approach
With the current waves of layoffs at many technology companies, insider threats could increase exponentially this year. Layoffs can create a flood of disgruntled employees who could potentially harm the business of their former employers. Former employees who had access to sensitive data and/or critical knowledge of the environment could potentially cause irreversible damage.
Social engineering and insider threats are well-identified malicious acts, but there is no silver bullet to protect organisations from these attacks. Security strategies need to be built into the architecture and design principles of an organisation (rather than added as an afterthought) and composed of various complementary defence mechanisms, from people to technology tools. For example:
– Implementing a robust MFA method and leveraging FIDO 2.0 with hardware keys to reduce exposure to 'MFA fatigue' exploitation.
– Implementing a comprehensive trust policy for devices with extended security tools for end-user devices to complement the MFA method.
– Consider RBAC (Role-Based Access Control) and CBAC (Contextual-Based Access Control) as part of your authorization mechanisms. Assign roles and privileges based on employees' roles and access needs (privileges, system...), and ensure a proper mapping between employees' roles and responsibilities and the access to critical data they need to perform their job.
– Include and refine behavioural detection mechanisms to report and investigate suspicious or unusual activity, e.g. the same user logging in to multiple sessions from different locations or systems.
– Build a tailored awareness training programme for employees, specifically based on their role and the data they have access to, and then test their awareness with engaging and rewarding methods to enable them to learn from their mistakes.
– Develop least privilege access and zero trust models in an organisation’s security architecture, assigning the least necessary access and permissions to perform specific tasks.
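The behavioural detection mentioned in the list above (the same user logging in from different locations or systems) can be sketched as follows. This is an added example, not code from the article or from Box; the event format, field names and the one-hour window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (ISO timestamp, user, country, device id).
SAMPLE_EVENTS = [
    ("2023-03-01T09:00:00", "alice", "FR", "laptop-01"),
    ("2023-03-01T09:20:00", "alice", "FR", "laptop-01"),
    ("2023-03-01T09:25:00", "alice", "BR", "unknown-77"),
    ("2023-03-01T10:00:00", "bob", "US", "laptop-02"),
    ("2023-03-01T18:00:00", "bob", "DE", "laptop-02"),
    ("2023-03-01T11:00:00", "carol", "US", "laptop-03"),
    ("2023-03-01T11:10:00", "carol", "US", "phone-03"),
]


def find_suspicious_logins(events, window_minutes=60):
    """Flag logins that follow another login by the same user, within the
    window, from a different country ("location") or device ("system")."""
    window = timedelta(minutes=window_minutes)  # assumed threshold, tune per organisation
    by_user = defaultdict(list)
    for ts, user, country, device in events:
        by_user[user].append((datetime.fromisoformat(ts), country, device))

    alerts = []
    for user in sorted(by_user):
        logins = sorted(by_user[user])  # chronological order per user
        for i, (when, country, device) in enumerate(logins):
            reasons = set()
            for prev_when, prev_country, prev_device in logins[:i]:
                if when - prev_when > window:
                    continue  # too far apart to count as a concurrent session
                if prev_country != country:
                    reasons.add("location")
                if prev_device != device:
                    reasons.add("system")
            if reasons:
                alerts.append({"user": user, "time": when.isoformat(),
                               "reasons": sorted(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_EVENTS):
        print(alert)
```

A device-only change (such as a laptop followed by a phone) is reported with the single reason "system", so it can be triaged at a lower priority than a simultaneous change of location.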
Tip 2: Scaling to the current threat landscape: Rely on Automation and Artificial Intelligence
Companies should not rely solely on humans and manual processes when it comes to security: Artificial Intelligence has advanced enormously in recent years. AI can analyse a staggering amount of signals, which would be impossible for a human to handle, and can identify unknown threats or malicious activities to prevent their spread in near real time. In this way, the defence not only keeps pace, but can also act proactively to reduce the risk of attacks.
Many tools can anticipate upcoming threats: which types of attacks are most likely and when, or which employees and teams are most likely to be at risk. In addition, they can automate manual controls and recurring processes such as security policies, taking the pressure off already busy teams.
Tip 3: Risk exposure is a part of your daily routine: Prepare for emergencies with "Red Team".
Security experts need to raise awareness among their staff. The best way to do this is to simulate real threats. This is done by using so-called "Red Teams", who act like real cyber criminals. In doing so, they have to reveal themselves as late as possible to keep up appearances. Red Teams not only test the security awareness of employees, but also help the security teams themselves to detect, react to and contain a potential crisis without exposing organisations to real threats.
But even without Red Teams, regular tabletop exercises across various organizations should be conducted to learn how teams will react during a breach, and leveraged to enhance your incident response procedures and build readiness and reflexes within your organization when those critical situations arise. Social engineering simulations (phishing...).
The current global economic and political situation has not made the work of cybersecurity teams in 2022 any easier. And to be quite realistic: the situation is unlikely to ease this year. This makes it even more important for businesses of all sizes and sectors to be proactive and use industry-standard frameworks (NIST, AAA, FIDO 2.0, etc.), as well as Red Teams and AI-based tools to help identify threats early. However, security tools and methods are always evolving and sometimes overlapping. The important thing here is to develop business plans and technology processes that will enable companies to best implement security strategies and layered, complementary defence mechanisms, all while raising awareness of the importance of security within organisations, demonstrating that it is the heart of the business and vital to its continued existence. Security should never be an afterthought and should be a priority for all employees. Ultimately, security can only be successful if it is a catalyst for moving businesses forward.
¹ Dell Technologies Survey: Global Data Protection Index 2022
² Kaspersky IT Security Economics Report
³ Verizon Report 2022