The changing landscape of cyber threats means that reliance on awareness, training and detection methods alone has proven inadequate, says Chad Thunberg.
The introduction of phishing-as-a-service and other sophisticated toolkits that target weaker forms of two-factor authentication (2FA) is changing the cyber landscape, with more security teams now prioritising phishing-resistant multi-factor authentication (MFA). Below are four tips for businesses to stay secure.
1. Be ready for an increase in low-effort tactics from hackers.
The path of least resistance for most attackers is obtaining the credentials needed to access the environment.
Phishing kits, dark web marketplaces, and insiders have substantially lowered the bar for attackers to get this information while the adoption of countermeasures, like phishing-resistant MFA, has lagged behind.
In some cases, this is as simple as finding an employee willing to sell their credentials in a dark corner of the web.
The disclosure of credentials through phishing, social engineering or a disgruntled employee should not be enough to cause a wholesale compromise of an environment. Yet we saw exactly that quite often in 2022. It is nothing less than irresponsible to assume we can operate in a zero-accidents environment; it is simply not realistic.
A recent Yubico survey found that 59 percent of employees still rely on usernames and passwords as their primary method to authenticate into accounts. Additionally, nearly 54 percent of employees admit to writing down or sharing a password. These trends simply do not set up businesses for success.
2. Expect increasing attacks targeting critical infrastructure and the public sector.
Attacks on critical infrastructure, healthcare and education systems continue to rise. Downtime or loss of availability in these environments has an outsized impact on a broad section of the population.
This has led, and will continue to lead, to large and prompt ransom payouts. We know from history that a willingness to pay a ransom often attracts further interest from within organised crime, and from threat groups linked to it.
With the increase in IoT monitoring devices at power stations and the general adoption of connected sensors at industrial sites, the number of attack vectors has also greatly increased.
The 2021 cyberattack on the Colonial Pipeline in the US showed that a password compromise can affect both IT and OT systems, and that disruptions to these systems have far-reaching implications, not only for the company but also for its shareholders and customers.
3. Zero-trust architecture is essential but pressure on vendors will be required.
Companies have moved some of their business-critical Internet-facing applications to Zero Trust Architecture (ZTA) over the last few years, but a large contingent of back-office applications and services either require a migration strategy or ZTA support that simply isn’t there yet.
Therefore, the cybersecurity industry needs to push technology vendors to support, and incentivise the adoption of, the protocols and technologies that enable ZTA.
4. Standardising compliance is important.
Compliance continues to be a hot topic but for the wrong reasons.
Security organisations are inundated with a divergent set of bespoke questionnaires and risk assessment portals from customers and their insurance companies.
The questions are sometimes out of touch with modern environments, or focus on a specific type of control rather than on the security objective it is meant to achieve.
This is leading many CISOs to look for better strategies for instilling trust and confidence in their practices while drastically reducing the workload involved.
The changing landscape of cyber threats means that reliance on awareness, training and detection methods alone has proven inadequate.
While there are other options to help protect organisations from these threats, adopting modern MFA solutions is one way to mitigate some of the issues we face.
Chad Thunberg is the chief information security officer at Yubico, responsible for the company’s security, risk management, and compliance programs. Yubico is a leading provider of hardware authentication security keys.