The Changing Face of Cybersecurity Risks

Cybersecurity experts have their work cut out for them – with more people working from home and hackers getting savvier, more data is being stolen than ever before. According to Risk Based Security, 37 billion records were stolen in 2020, up 141% over the year before.

This year has already been eventful, with the same attackers behind last year’s SolarWinds hack reportedly getting into the emails of more than 3,000 people from 150 government and humanitarian organizations around the world, while ransomware attacks are up 102% globally year-over-year in the first half of 2021, according to Check Point Software Technologies.

What to do about these growing threats was a main topic of discussion at the BMO Cybersecurity Summit, which took place virtually on May 25. One panel, moderated by Charan Singh, Head of Security Architecture with BMO Financial Group, brought together a group of technologists to discuss the current threat landscape.

Panelists included:

• Kunal Anand, Chief Technology Officer, Imperva

• Rob McNutt, Chief Technology Officer, ForeScout Technologies

• Nayaki Nayyar, Chief Product Officer, Ivanti

Changing Data Security

One of the key topics of discussion centerd around data. Over the last few years, companies across the globe have been accumulating as much information as possible, with the thinking that whoever holds the most data has the upper hand, says McNutt. However, those with the most data can also have the biggest targets on their backs.

At the same time, a lot of these companies continue to collect data without having a good plan to protect it. “It’s kind of scary that we’ve come to this point in time where we’ve accumulated all of this and we’re (just) wrapping our heads around how do we make sure when the bad actor comes along, they don’t take that data and do something adverse with it?” says McNutt. “We see that happen over and over and over again – breaches used to be headline generating, now it’s becoming normal, expected behavior of the Internet and enterprise.”

Data, adds Anand, is everyone’s concern, whether you’re focused on network, application or endpoint security. “Everyone’s ultimately in the business of protecting an organization’s downstream,” he says, adding that attacks are increasing because there’s more they can do with data these days. “People are trying to get access to data because they can monetize it. Whether directly or indirectly, selling that information somewhere else, there’s a lot you can do.”

Naturally, data security has had to change as breaches have increased. In the past, data security was more centred around compliance, but it’s now becoming more proactive. Companies are doing a better job of showing and telling people what they’re collecting and where it resides. “Now we need to not just understand where that information is, but do a better job at protecting it,” says Anand.

Responding to Ransomware

Another major issue is the increasing frequency of ransomware, which is when a hacker breaks into a computer and holds it hostage in exchange for a fee.

Some recent attacks show just how serious these attacks can be. For instance, the Colonial Pipeline cyberattack that took place this past May forced the company to shutter its operations, which caused fuel shortages that drove the price of gas to its highest level in seven years. The company ended up sending the hackers nearly $5 million to get its operations back online.

These kinds of threats have been around for 30 years, says McNutt, and they’ll only get worse, in part because security technology hasn’t evolved. He sees a decoupling between internal networks and security. “If you think of LAN, as we know it today, it has one single job – to deliver packets quickly and without any kind of interference. So, the network is not designed to respond to this kind of thing,” he explains. “But the network is the place where you can contain or minimize the impact of these types of threats.

“If we keep on continuing as organizations to think we’re going to react and respond to these sorts of attacks by trusting the computer to self-police and protect the data, we’re always going to fall short,” he says.

Anand adds that the only way to address the growing ransomware threat is through the confluence of people, process and technology. “Technology can only go so far,” he explains. “Ultimately, you need the right processes. Are you actively backing up your data? Are you testing the integrity of the backups that you have? Are you training and testing people, making sure that they’re not plugging in random drives into their laptops?”

Work From Home

Employees working from home will also be a continuing challenge, despite workplaces now starting to slowly open back up. Most companies will likely implement a hybrid solution, where people spend a few days in the office and a few days at home. That poses a problem for security, as people may now be using devices and accessing networks from a variety of locations.

Nayyar says that companies must think about three critical areas, other than figuring out how to secure their data. One is around securing the devices staff are using, the second is around securing the user of those devices – “it’s those user credentials that are the weakest link in the entire security space,” she notes – and the last is about securing access.

To her last point, more companies are moving to what’s called zero trust access, where a user’s credentials must be verified multiple times rather than once at the start. “That’s really a mindset change at every layer,” says Nayyar about zero trust, explaining that this will be a key priority for organizations as they move into what she calls the post-COVID era. “How you embed that entire zero trust mindset culturally in the organization is going to be critical.”

Combatting Supply Chain Risk

Another critical issue is around software supply chain risk. Currently, many companies don’t know all of the components that make up the programs they’re using – it could be a combination of open source and commercial software, for instance – which then puts them at risk. All it takes is one security flaw to bring down a business. “We need to get more visibility into the overall chain,” says Anand. “Businesses need to do a good job at holding vendors accountable and vendors need to do a really good job at admitting when there is that problem.”

One solution is to create more stringent requirements around a software bill of materials (SBOM), which is a list of all the components used in a program’s creation. Anand wants more companies to ask for an SBOM and for more vendors to provide one. “I’m going to give you a bill of materials and you’re going to hold me accountable for it, and I’m going to attest that those are those things that make up all of the components inside the stack,” he says.

Another option is to bring IT purchasing back into the IT department, instead of letting everyone buy whatever software they want, which has become the norm, says McNutt. “It’s becoming increasingly hard to understand what your supply chain even looks like when you no longer have a single place in the organization that buys those hardware and software entities,” he says. “And as those things come onto that same network, it becomes more and more important for that network to be able to isolate and protect.”

Ultimately, with hackers getting more sophisticated, these issues are only going to become more important in the future. Companies cannot make security an afterthought, says Nayyar. Too many operations still ignore the basics or don’t make protection a company-wide effort. “We have to get back to basics, to patching – that’s something we can automate, but you have to make sure you have strong rigor and discipline in applying it,” she says. “We are just seeing the beginnings of these catastrophic highs that these cybersecurity threats are reaching. In the next few years, I think this will grow and get even bigger. This is something organizations must embed into their day-to-day operations and into their culture.”