There’s no better way to understand the biggest threats to enterprise cybersecurity than spending a few days at Infosecurity Europe. The region’s largest cybersecurity conference and trade show, held each June in London, invites CISOs and industry luminaries from across the globe to share their insight. Worryingly, the consensus at this year’s event was that the bad guys are pulling ahead, while network defenders struggle to manage an ever-expanding attack surface. The big picture is this: enterprise data has never been more exposed to external attacks. It should provide yet another reason to double down on data-centric security as a core priority.
But organizations don’t have to be caught in this “cyber storm” if they put more of their effort into protecting what matters most: their data.
This year’s keynotes provided a fascinating insight into the threat landscape. Among the key trends discussed and debated at the show were:
Cybercrime is undergoing a renaissance: Noted security researcher, Keren Elazari, urged security teams to take a leaf out of the hackers’ book, as cyber-criminals continue to innovate at speed. She cited ransomware-as-a-service (RaaS), and highly automated campaigns that deliver phishing, credential stuffing and scanning/exploitation capabilities as helping to give malicious actors the upper hand. It’s only a matter of time before they also adopt AI technologies like ChatGPT to generate malicious code with little effort, she warned.
Training is key to overcoming the insider threat: Experts argued that managing human-shaped risk is essential to driving successful digital transformation. Gemserv head of data privacy, Camilla Winlo, pointed out that many organizations still don’t provide enough hands-on training for end users, which can expose them to cyber risk if they make mistakes like spilling credentials, or deliberately find insecure workarounds. Organizations should “remember the people” by including them in the design of products at the outset, experts said. This will help to reduce cyber-related risk and training costs.
Workers are too susceptible to phishing: A third of employees in the UK and Ireland click on suspicious links or engage in fraudulent actions, according to new research released at the show. As above, it highlights the risk that staff members pose if they are not properly trained. With credentials stolen from employees, threat actors can easily bypass perimeter defenses to traverse networks and reach sensitive corporate data. Verizon’s latest Data Breach Investigations Report (DBIR) has a similar message. It found the “human element” was present in three-quarters (74%) of breaches over the past year, due to use of stolen credentials, social engineering tactics and other factors.
Asset visibility gaps can give hackers the upper hand: Another piece of new research announced this week found that a lack of IT insight into IoT devices could provide attackers with a useful way to enter corporate networks. A third of UK NHS Trusts admitted to having no method of tracking IoT devices and 10% said they use manual processes or spreadsheets to do so. Some 15% said they don’t track connected medical devices (IoMT) at all. Separately at the show, Forrester revealed that the share of organizations experiencing attackers “trying to leverage IoT devices to get into the business” increased from 41% to 54% during Q1 2023.
APIs are expanding the attack surface: Finally, there was a note of caution about API security. Misconfiguration and gaps in protection are leaving many APIs wide open, providing a readymade pathway into enterprise data, warned one CEO at the show. As digital transformation projects continue to drive the creation and use of APIs, more attention will need to be focused on securing them and the data behind them.
All of which can make it seem as though network defenders have already lost the battle against rampant cybercrime. However, the ongoing struggle against cyber-adversaries doesn’t need to be this one-sided. In fact, there’s plenty organizations can do to enhance their resilience to cyber risk. It starts with improving security awareness training, and following other best-practice cyber hygiene steps like multi-factor authentication and network monitoring. But a priority should be data-centric security.
In practice, this means finding and classifying data wherever it resides in the enterprise, including in cloud stores, and applying strong protection to it, such as tokenization. This must be a continuous process that applies to data throughout its lifecycle. By protecting data in this way, organizations have a robust bulwark against cyber risk, even if threat actors manage to bypass other defenses.