“A fully security-aware workforce is the key to resolving the privacy and security challenges enterprises are facing today,” says Andy Green, CISO, Gemserv, in an exclusive interview with ITSecurityWire.
ITSW Bureau: What are the evolving trends in cyber-attacks, particularly Ransomware?
Andy Green: The most evident change in the threat landscape has been the prevalence of cyber threats that have embraced COVID-19-related social engineering. Our clients have been bombarded with threats that are targeting concerns about the pandemic.
With regards to ransomware, enterprise leaders are witnessing an evolution in tactics. The malicious groups sending these threats have broadened their capability to extort ransoms from their victims by not only restricting access to data (via encryption or locking users out of the file system) but also exfiltrating the data and then threatening to release it. This would impact the organization’s reputation and potentially that of their staff, clients and partners. In addition, cybercriminals are increasingly threatening to auction off the stolen data to other criminal groups, forcing the hand of the victims.
Lately, organizations are being affected by ransomware attacks within their supply chains, often with smaller, less well-prepared companies falling victim. This impacts the operation of the clients, as the supply chain is disrupted.
Lastly, the threat actors conducting ransomware attacks are evolving too. Ransomware as a service (RaaS) has developed and is being adopted by relatively unskilled threat groups, promising a rich revenue stream to these new entrants. This trend is set to continue the proliferation of attacks.
ITSW Bureau: What, according to you, is missing in today’s enterprises’ cybersecurity practices to mitigate the impact of ransomware attacks?
Andy Green: In order to mitigate the likelihood and impact of a ransomware attack, it’s essential that enterprises recognize that effective security is the combination of people-centric, process and technical controls. The variety of these three control areas ensures a robust defense and resilience against ransomware attacks.
User-centric attacks are the most common attack path exploited by ransomware and therefore, employees are the key to defense. Providing effective, practical, regular and engaging training using innovative techniques will gain traction with various teams across an enterprise. Techniques such as gamification and ethical phishing will develop a culture of high security awareness.
Robust incident management processes are vital in reducing the impact of a ransomware attack on the organization. Response processes should be well-documented and thoroughly tested, for example through tabletop exercises. Also, enterprises must regularly perform scenario-based testing, followed by evaluations of lessons learned and modification of incident and business continuity plans if required.
Effective incident management will ensure the organization minimizes the impact following a ransomware attack and ensures affected systems can be isolated to prevent onward infection and greater damage to the business.
Technical controls provide the third layer of security to assure the business that its assets are adequately protected. Implementing a secure email gateway (SEG) reduces the risk of malicious emails entering the organization’s boundary and reaching end users. Another critical area is effective vulnerability management, for example, ensuring the organization carries out regular patching not only on operating systems but for all applications to reduce the risk of malware exploiting unpatched or vulnerable software and/or strategies.
Finally, comprehensive backups must be in place and tested. As enterprises move towards more cloud-based architectures, they are merely relying on the data redundancy built into many cloud services, typically providing 30 days of data replicated across data centers.
Enterprises should opt for a different architecture and physically separate their backup solution, which must be regularly tested. They must deploy anti-malware solutions to prevent ransomware from infecting the replicated data.
ITSW Bureau: What will be your wish list of tools and solutions that will help to resolve the privacy and security challenges that enterprises are facing today?
Andy Green: A fully security-aware workforce is the key to resolving the privacy and security challenges enterprises are facing today.
The vast majority of security incidents and events originate from user behaviors, and having security-empowered and aware staff is far more powerful than any toolset. It is a well-known truism within the cybersecurity community that the lion’s share of security breaches is initiated by human interaction.
If trained, engaged, and empowered, humans will prove to be the greatest line of defense. If enterprises adjust the behaviors of their customer base, it will not only reduce accidental compromise but will instill a security-aware culture to minimize risk across the whole organization.
Once the security culture has been established within the organization – assuming that the enterprise has already embedded foundational cyber hygiene controls – then the choice of new technology and solutions that resolve privacy and security challenges would go to zero-trust architecture and/or software-based segmentation.
Correctly deployed and thoroughly tested, these solutions prevent lateral movement within the infrastructure and significantly reduce the attack surface, thus neutralizing the impact of any successful attack.
As we migrate towards architectures that connect Information Technology (IT) and Operational Technology (OT), as well as the deployment of large numbers of Internet of Things (IoT) devices, the importance of preventing lateral movement and ensuring separation becomes even more pertinent. These technologies, coupled with the basic cyber hygiene controls and a fully security-aware workforce – appropriately trained – are what I believe to be the most effective wish list to combat the cyber threat facing organizations today.
ITSW Bureau: Given the tight financial reins that most enterprises are facing today, how do enterprises make budgets for cybersecurity?
Andy Green: Enterprises can use two approaches to secure or increase the budgets available for cybersecurity.
The first is to create a detailed roadmap for the security strategy, tightly aligned with the risks facing the organization and the business objectives. By linking security initiatives to clearly defined value – whether a measurable reduction in risk or through moving the business forward towards its stated aims – the executives can clearly see the benefit in investing in cybersecurity and are motivated to support the initiatives.
Secondly, the cyber function should seek an alliance with other business departments that can fund or contribute to cybersecurity initiatives. In this way, multiple budget pots can be used to finance security controls. An excellent example of this is the cyber function partnering with the finance function to combat financial fraud resulting from Business Email Compromise (BEC) phishing attacks.
The impact of the fraud sits with the finance teams as they are the target of the attack, and thereby have a vested interest in mitigating the risk. Other common examples that are well worth developing are partnerships with the HR function and with training and development.
Recently recognized as ‘Cloud Security Influencer of the Year’ by the 2020 Cyber Security Awards, Andy has worked for the past two decades solving the cybersecurity challenges of many of the UK’s leading organizations. He advises senior stakeholders at public and private sector organizations on effective strategies to reduce the risk and impact of cyber-related incidents. Andy was a lead technical advisor for the RESILIA Cyber Resilience Best Practice, which forms part of the ITIL family. Andy is a member of Chatham House and a Fellow of the British Computer Society.