Wipro published a report which provides fresh insights on how AI will be leveraged as part of defender stratagems as more organizations lock horns with sophisticated cyberattacks and become more resilient.
Organizations need to tackle unknown attacks
There has been an increase in R&D with 49% of the worldwide cybersecurity related patents filed in the last four years being focussed on AI and ML application. Nearly half the organizations are expanding cognitive detection capabilities to tackle unknown attacks in their Security Operations Center (SOC).
The report also illustrates a paradigm shift towards cyber resilience amid the rise in global remote work. It considers the impact of COVID-19 pandemic on cybersecurity landscape around the globe and provides a path for organizations to adapt with this new normal.
The report saw a global participation of 194 organizations and 21 partner academic, institutional and technology organizations over four months of research.
Global macro trends in cybersecurity
- Nation state attacks target private sector: 86% of all nation-state attacks fall under espionage category, and 46% of them are targeted towards private companies.
- Evolving threat patterns have emerged in the consumer and retail sectors: 47% of suspicious social media profiles and domains were detected active in 2019 in these sectors.
Cyber trends sparked by the global pandemic
- Cyber hygiene proven difficult during remote work enablement: 70% of the organizations faced challenges in maintaining endpoint cyber hygiene and 57% in mitigating VPN and VDI risks.
- Emerging post-COVID cybersecurity priorities: 87% of the surveyed organizations are keen on implementing zero trust architecture and 87% are planning to scale up secure cloud migration.
Micro trends: An inside-out enterprise view
- Low confidence in cyber resilience: 59% of the organizations understand their cyber risks but only 23% of them are highly confident about preventing cyberattacks.
- Strong cybersecurity spend due to board oversight & regulations: 14% of organizations have a security budget of more than 12% of their overall IT budgets.
Micro trends: Best cyber practices to emulate
- Laying the foundation for a cognitive SOC: 49% of organizations are adding cognitive detection capabilities to their SOC to tackle unknown attacks.
- Concerns about OT infrastructure attacks increasing: 65% of organizations are performing log monitoring of Operation Technology (OT) and IoT devices as a control to mitigate increased OT Risks.
Meso trends: An overview on collaboration
- Fighting cyber-attacks demands stronger collaboration: 57% of organizations are willing to share only IoCs and 64% consider reputational risks to be a barrier to information sharing.
- Cyber-attack simulation exercises serve as a strong wakeup call: 60% participate in cyber simulation exercises coordinated by industry regulators, CERTs and third-party service providers and 79% organizations have dedicated cyber insurance policy in place.
Future of cybersecurity
- 5G security is the emerging area for patent filing: 7% of the worldwide patents filed in the cyber domain in the last four years have been related to 5G security.
Vertical insights by industry
- Banking, financial services & insurance: 70% of financial services enterprises said that new regulations are fuelling increase in security budgets, with 54% attributing higher budgets to board intervention.
- Communications: 71% of organizations consider cloud-hosting risk as a top risk.
- Consumer: 86% of consumer businesses said email phishing is a top risk and 75% enterprises said a bad cyber event will lead to damaged band reputation in the marketplace.
- Healthcare & life sciences: 83% of healthcare organizations have highlighted maintaining endpoint cyber hygiene as a challenge, 71% have highlighted that breaches reported by peers has led to increased security budget allocation.
- Energy, natural resources and utilities: 71% organizations reported that OT/IT Integration would bring new risks.
- Manufacturing: 58% said that they are not confident about preventing risks from supply chain providers.
Bhanumurthy B.M, President and Chief Operating Officer, Wipro said, “There is a significant shift in global trends like rapid innovation to mitigate evolving threats, strict data privacy regulations and rising concern about breaches.
“Security is ever changing and the report brings more focus, enablement, and accountability on executive management to stay updated. Our research not only focuses on what happened during the pandemic but also provides foresight toward future cyber strategies in a post-COVID world.”
CIOs and IT leaders who use composability to deal with continuing business disruption due to the COVID-19 pandemic and other factors will make their enterprises more resilient, more sustainable and make more meaningful contributions, according to Gartner.
Analysts said that composable business means architecting for resilience and accepting that disruptive change is the norm. It supports a business that exploits the disruptions digital technology brings by making things modular – mixing and matching business functions to orchestrate the proper outcomes.
It supports a business that senses – or discovers – when change needs to happen; and then uses autonomous business units to creatively respond.
For some enterprises digital strategies became real for the first time
According to the 2021 Gartner Board of Directors survey, 69% of corporate directors want to accelerate enterprise digital strategies and implementations to help deal with the ongoing disruption. For some enterprises that means that their digital strategies became real for the first time, and for others that means rapidly scaling digital investments.
“Composable business is a natural acceleration of the digital business that organizations live every day,” said Daryl Plummer, research VP, Chief of Research and Gartner Fellow. “It allows organizations to finally deliver the resilience and agility that these interesting times demand.”
Don Scheibenreif, research VP at Gartner, explained that composable business starts with three building blocks — composable thinking, which ensures creative thinking is never lost; composable business architecture, which ensure flexibility and resiliency; and composable technologies, which are the tools for today and tomorrow.
“The world today demands something different from us. Composing – flexible, fluid, continuous, even improvisational – is how we will move forward. That is why composable business is more important than ever,” said Mr. Scheibenreif.
“During the COVID-19 pandemic crisis, most CIOs leveraged their organizations existing digital investments, and some CIOs accelerated their digital strategies by investing in some of the three composable building blocks,” said Tina Nunno, research VP and Gartner Fellow.
“To ensure their organizations were resilient, many CIOs also applied at least one of the four critical principles of composability, gaining more speed through discovery, greater agility through modularity, better leadership through orchestration, and resilience through autonomy.”
Composable business resilience
Analysts said that these four principles can be viewed differently depending on which building block organizations are working with:
- In composable thinking, these are design principles. They guide an organization’s approach to conceptualizing what to compose, and when.
- In composable business architecture, they are structural capabilities, giving an organization the mechanisms to use in architecting its business.
- In composable technologies, they are product design goals driving the features of technology that support the notions of composability.
“In the end, organizations need the principles and the building blocks to intentionally make composability real,” said Mr. Plummer.
The building blocks of composability can be used to pivot quickly to a new opportunity, industry, customer base or revenue stream. For example, a large Chinese retailer used composability when the pandemic hit to help re-architect their business. They used composable thinking and chose to pivot to live streaming sales activities.
They embraced social marketing technology and successfully retained over 5,000 in-store sales and customer support staff to become live streaming hosts. The retailer suffered no layoffs and minimal revenue loss.
“Throughout 2020, CIOs and IT leaders maintained their composure and delivered tremendous value,” said Ms. Nunno. “The next step is to create a more composable business using the three building blocks and applying the four principles. With composability, organizations can achieve digital acceleration, greater resiliency and the ability to innovate through disruption.”
Government and financial service sectors globally are the most hack-resistant industries in 2020, according to Synack.
Government and financial services scored 15 percent and 11 percent higher, respectively, than all other industries in 2020. Government agencies earned the top spot in part due to reducing the time it takes to remediate exploitable vulnerabilities by 73 percent.
Throughout the year, both sectors faced unprecedented challenges due to the global pandemic, but still maintained a commitment to thorough and continuous security testing that lessened the risk from cyberattacks.
“It’s a tremendously tough time for all organizations amidst today’s uncertainties. Data breaches are the last thing they need right now. That’s why it’s more crucial than ever to quickly find and fix potentially devastating vulnerabilities before they cause irreparable harm,” said Jay Kaplan, CEO at Synack. “If security isn’t a priority, trust can evaporate in an instant.”
The government sector earned 61 — the highest rating
The chaos of 2020 added new hardship to many government bodies, but security hasn’t necessarily suffered as many agencies have become more innovative and agile. Their ability to quickly remediate vulnerabilities drove this year’s top ranking.
Financial services scored 59 amidst massive COVID-19 disruptions
Financial services adapted quickly through the pandemic to help employees adjust to their new remote work realities and ensure customers could continue doing business. Continuous security testing played a significant role in the sector’s ARS.
Healthcare and life sciences scored 56 despite pandemic challenges
The rush to deploy apps to help with the COVID-19 recovery led to serious cybersecurity challenges for healthcare and life sciences. Despite those issues, the sector had the third highest average score as research and manufacturing organizations stayed vigilant and continuously tested digital assets.
ARS scores increase 23 percent from continuous testing
For organizations that regularly release updated code or deploy new apps, point-in-time security analysis will not pick up potentially catastrophic vulnerabilities. A continuous approach to testing helps ensure vulnerabilities are found and fixed quickly, resulting in a higher ARS metric.
Attackers shifted tactics in Q2 2020, with a 570% increase in bit-and-piece DDoS attacks compared to the same period last year, according to Nexusguard.
Perpetrators used bit-and-piece attacks to launch various amplification and elaborate UDP-based attacks to flood target networks with traffic.
Analysts witnessed attacks using much smaller sizes—more than 51% of bit-and-piece attacks were smaller than 30Mbps—to force communications service providers (CSPs) to subject entire networks of traffic to risk mitigation. This causes significant challenges for CSPs and typical threshold-based detection, which is unreliable for pinpointing the specific attacks to apply the correct mitigation.
Improvements in resources and technology will cause botnets to become more sophisticated, helping them increase resilience and evade detection efforts to gain command and control of target systems. The evolution of attacks means CSPs need to detect and identify smaller and more complex attack traffic patterns amongst large volumes of legitimate traffic.
Switching to deep learning-based predictive models recommended
Analysts recommend service providers switch to deep learning-based predictive models in order to quickly identify malicious patterns and surgically mitigate them before any lasting damage occurs.
“Cyber attackers have rewritten their battlefield playbooks and craftily optimized their resources so that they can sustain longer, more persistent attacks. Companies must look to deep learning in their approaches if they hope to match the sophistication and complexity needed to effectively stop these advanced threats.”
In the past, attackers have used bit-and-piece attacks with a single attack vector to launch new attacks based on that vector. There was a tendency to employ a blend of offensive measures in order to launch a wider range of attacks, intended to increase the level of difficulty for CSPs to detect and differentiate between malicious and legitimate traffic.
While COVID-19 has proven the healthcare industry’s overall resilience, it has also increased its cybersecurity risk with new and emerging threats.
The rapid adoption and onboarding of telehealth vendors led to a significantly increased digital footprint, attack surface, and cybersecurity risk for both provider and patient data, a new report released by SecurityScorecard and DarkOwl has shown.
Telehealth use is booming, and so is the associated cybersecurity risk
According to a brief from the U.S. Department of Health and Human Services, at the height of the pandemic, the number of telehealth primary care visits increased 350-fold from pre-pandemic levels.
Researchers focused the 2020 healthcare report on reviewing the 148 most-used telehealth vendors according to Becker’s Hospital Review. The report indicates that telehealth providers have experienced a nearly exponential increase in targeted attacks as popularity skyrocketed, including a 30% increase of cybersecurity findings per domain, notably:
- 117% increase in IP reputation security alerts
- Malware infections — as part of successful phishing attempts and other attack vectors — ultimately cause IP reputation finding issues
- 65% increase in patching cadence findings
- Patching cadence is the regularity of installing security patches and is often one of the primary security policies that protect data
- 56% increase in endpoint security findings
- Exploited vulnerabilities in endpoint security enable data theft
- 16% increase in application security findings
- Patients connect with telehealth providers using web-based applications including structured and unstructured data
- 42% increase in FTP issues
- FTP is an insecure network protocol that enables information to travel between a client and a server on a network
- 27% increase in RDP issues
- RDP is a protocol that allows for remote connections, which has seen increased usage since the widespread adoption of remote work
Evidence on the dark web
Additionally, DarkOwl’s research showed a noticeable increase in mentions of major healthcare and telehealth companies across the dark web since February 2020. There was evidence of prolific and emerging threat actors selling electronic patient healthcare data, malware toolkits that specifically target telehealth technologies, and strains of ransomware that are uniquely configured to take down healthcare IT infrastructure.
Over the past four years, SecurityScorecard has reported on the cybersecurity struggles the healthcare industry faces. In this year’s report, SecurityScorecard and DarkOwl looked at over one million organizations – over 30,000 in healthcare alone – from September 2019 to April 2020 and analyzed terabytes of information to assess risk across 10 factors.
The healthcare industry, despite new risks from telehealth vendors, slightly improved its security posture compared to 2019. The industry moved to 9th place out of 18 reviewed industries (up from 10th in 2019.) This is heartening, especially as the industry has been overwhelmed by an influx of patients, limited resources, rationing, and other challenges due to COVID-19.
“While telehealth is an integral part of maintaining social distancing and providing patient care, it has also increased healthcare providers’ digital footprint and attack surface, which we see with the increase of findings per telehealth domain, and in factors like endpoint security,” said Sam Kassoumeh, COO and co-founder of SecurityScorecard. “It’s an indicator that healthcare organizations should continue to keep a focus on cyber resilience.”
Mark Turnage, CEO of DarkOwl adds, “Since the onset of the pandemic, cybercriminals are entering the healthcare data selling space which ultimately leads to new risks facing healthcare organizations and their IT supply stream. Threat protection teams must remain one step ahead of potential attackers, especially during this critical time.”
There’s a massive amount of complexity plaguing today’s enterprise endpoint environments. The number of agents piling up on enterprise endpoint devices – up on average – is hindering IT and security’s ability to maintain foundational security hygiene practices, such as patching critical vulnerabilities, which may actually weaken endpoint security defenses, Absolute reveals.
Also, critical endpoint controls like encryption and antivirus agents, or VPNs, are prone to decay, leaving them unable to protect vulnerable devices, data, and users – with more than one in four enterprise devices found to have at least one of these controls missing or out of compliance.
Increasing security spend does not guarantee security
In addition to heightening risk exposure, the failure of critical endpoint controls to deliver their maximum intended value is also resulting in security investments and, ultimately, wasted endpoint security spend.
According to Gartner, “Boards and senior executives are asking the wrong questions about cybersecurity, leading to poor investment decisions. It is well-known to most executives that cybersecurity is falling short. There is a consistent drumbeat directed at CIOs and CISOs to address the limitations, and this has driven a number of behaviors and investments that will also fall short.”
“What has become clear with the insights uncovered in this year’s report is that simply increasing security spend annually is not guaranteed to make us more secure,” said Christy Wyatt, President and CEO of Absolute.
“It is time for enterprises to increase the rigor around measuring the effectiveness of the investments they’ve made. By incorporating resilience as a key metric for endpoint health, and ensuring they have the ability to view and measure Endpoint Resilience, enterprise leaders can maximize their return on security investments.”
The challenges of maintaining resilience
Without the ability to self-heal, critical controls suffer from fragility and lack of resiliency. Also, endpoint resilience is dependent not just on the health of single endpoint applications, but also combinations of apps.
The massive amount of complexity uncovered means that even the most well-functioning endpoint agents are at risk of collision or failure once deployed across today’s enterprise endpoint environments.
IT and security teams need intelligence into whether individual endpoint controls, as well as various combinations of controls, are functioning effectively and maintaining resilience in their own unique endpoint environment.
Single vendor application pairings not guaranteed to work seamlessly together
In applying the criteria for application resilience to same-vendor pairings of leading endpoint protection and encryption apps, widely varied average health and compliance rates among these pairings were found.
The net-net here is that sourcing multiple endpoint agents from a single vendor does not guarantee that those apps will not ultimately collide or decay when deployed alongside one another.
Progress in Windows 10 migration
Much progress was made in Windows 10 migration, but fragmentation and patching delays leave organizations potentially exposed. Our data showed that while more than 75 percent of endpoints had made the migration to Windows 10 (up from 54 percent last year), the average Windows 10 enterprise device was more than three months behind in applying the latest security patches – perhaps unsurprisingly, as the data also identified more than 400 Windows 10 build releases across enterprise devices.
This delay in patching is especially concerning in light of a recent study that shows 60 percent of data breaches are the result of a known vulnerability with a patch available, but not applied.
Relying on fragile controls and unpatched devices
Fragile controls and unpatched devices are being relied on to protect remote work environments. With the rise of remote work environments in the wake of the COVID-19 outbreak, as of May 2020, one in three enterprise devices is now being used heavily (more than 8 hours per day).
The data also shows a 176 percent increase in the number of enterprise devices with collaboration apps installed as of May 2020, versus pre-COVID-19. This means the average attack surface, and potential vulnerabilities, has expanded significantly across enterprises.
Businesses are enhancing levels of spending and activity to minimize their vulnerability to cyber incidents and breaches, according to Hiscox.
The annual Hiscox Cyber Readiness Report 2020, which gauges businesses’ preparedness to combat cyber incidents and breaches, surveyed 5,569 professionals from the US, UK, Belgium, France, Germany, the Netherlands, Spain and Ireland who are responsible for their company’s cyber security, between December 24, 2019, and February 3, 2020.
Key findings specific to the more than 1,000 US professionals surveyed include:
A leader in cyber spending: The US shared the top spot for cyber spending, alongside Ireland. US businesses increased their average cybersecurity spending within their IT budgets by 61% to $2.4 million.
More financial damage caused by fewer attacks: A battle has emerged between cyber criminals and businesses. In the US, only 41% of respondents reported that their organization experienced at least one cyber incident or breach compared to 53% last year, though the median cost of all cyber incidents in the US rose from $10,000 last year to $50,000 this year. Therefore, cyber criminals have been doing more damage in fewer, albeit more sophisticated, attacks.
Businesses are taking action: Meanwhile, businesses are building up their defenses. While 39% of US organizations reported they did not take action after a security incident last year, this figure fell dramatically to 3% in this year’s report. Actions taken include regularly evaluating and discussing security and privacy, increasing spending on employee training and cultural change and creating additional security and audit requirements.
Cyber readiness has improved, but potential blind spots remain: The number of ranked cyber experts more than doubled to 24% this year, while cyber novices fell to 58% compared to 73% last year. Despite this positive trend in cyber readiness, 48% of all respondents agreed their organization remains at risk of having a cyber incident.
Reputational impacts have increased: Fifteen percent of respondents that experienced a cyber incident or breach reported bad publicity or impact on their brand or reputation as a result, compared to 3% last year. Businesses also experienced greater difficulty in attracting new customers following an incident or breach, with 17% reporting challenges compared to 3% saying the same the year prior.
US businesses are more likely to pay a ransom: Alongside France, the US led the way with businesses most likely to pay a cyber ransom, with 18% of those US companies who suffered a ransomware infection reporting it had been paid.
Small businesses remain vulnerable to risk: 32% of US small businesses, those with under 250 employees, experienced at least one cyber incident or breach in the past year. Of these, 21% of small businesses purchased or enhanced their cyber insurance policy for protection against threats.
Mitigating the risk: Sixty-four percent of US businesses said they had cyber insurance coverage, while 16% said they were planning to purchase coverage in the next twelve months. Additionally, 54% of respondents with cyber insurance reported they planned to use “employee training” that’s offered by their insurance providers in addition to their cyber policy.
“The financial threat cyber attacks pose to a company’s bottom line is a risk that’s here to stay, and one that grows, learns and adapts to the ever-changing world around us. Businesses are all vulnerable at their weakest moments, and a holistic cyber strategy can help identify those weaknesses before being forced into a real-time stress test,” said Meghan Hannes, Cyber Product Head for Hiscox in the US. “Businesses have been pushed into an unforgiving new world in 2020, and cyber criminals won’t offer any form of relief. COVID-19 has created new, lucrative opportunities for cyber attacks, and businesses must evolve their cyber strategies to remain shielded.”
With 89% of small businesses moving to a remote workforce, there remains a significant gap between the perceived importance of cybersecurity protections for businesses with fewer than 10 employees and those with more than 10 employees.
The smaller the business, the smaller the focus on cybersecurity, according to a survey of 400 small business owners, conducted by the Cyber Readiness Institute.
Larger companies are more concerned
A remote workforce during Covid-19 increased the cybersecurity concerns of just 31% of small business owners with fewer than 10 employees, while 41% of those at companies with more than 10 employees were more apprehensive of possible cyber attacks. The lower concern levels for micro-businesses has also equated to much smaller investments in cybersecurity.
Only 45% of small business owners with fewer than 10 employees have increased time, money or human capital investments as it relates to cybersecurity. Meanwhile, 80% of companies with more than 10 employees have invested more resources in cybersecurity since stay-at-home orders began.
“For malicious actors looking for vulnerable targets, small businesses remain a primary target, particularly during the Covid-19 pandemic,” said Kiersten Todt, executive director of The Cyber Readiness Institute.
“Small businesses can make themselves resilient against common attacks, such as phishing, by focusing on employee education and awareness and creating a culture of cyber readiness within the organization.”
When it comes to training, more than half of small business owners with more than 10 employees have upped the ante with increased cyber education over the past two months. Yet, just 22% of those with fewer than 10 employees have provided more cyber training and only 37% have updated cyber policies.
- 49% of small businesses will still maintain at least a partial remote workforce after Covid-19 restrictions are lifted.
- 62% of small business owners support tax incentives or federal grants for cybersecurity investments.
- Password management and phishing attacks are the top two concerns for nearly half of all small business owners.
- 35% of small businesses with fewer than 10 employees do not have an incident response policy.
- More than 42% of businesses have provided additional password training or policies over the past two months.
- 30% of small businesses have used new free cybersecurity tools since work-at-home orders began.
- 25% of small business owners anticipate hiring new cybersecurity staff or consultants over the next six months.
The vast majority of SMBs both expect the unexpected and feel that they’re ready for disaster – though they may not be, Infrascale reveals.
Ninety-two percent of SMB executives said they believe their businesses are prepared to recover from a disaster. However, as previously reported, more than a fifth of SMB leaders said they don’t have a data backup or disaster recovery solution in place.
The research also indicates that 16% of SMB executives admitted they do not know their own Recovery Time Objectives (RTOs), although 24% expect to recover their data in less than 10 minutes after a disaster and 29% expect to do so in under one hour following a disaster. An RTO is the time between the start of recovery to the point at which all of an organization’s infrastructure and services are available.
Survey results also highlight that there’s no common understanding of disaster recovery and that expectations around disaster recovery solution results and recovery times differ by industry. There is also sector variation in why businesses that feel unprepared for disaster remain unprepared.
“The latest results from our survey are quite surprising, as they suggest that most SMBs think they are prepared to recover their data and be back up and running after a disaster. Yet more than one in five of those same respondents said they do not have a disaster recovery or backup solution in place,” said Russell P. Reeder, CEO of Infrascale.
“That data suggests that there are either varying definitions of what it means to be able to recover from a disaster or, quite simply, a lack of understanding of what it truly means to be able to recover from a disaster. Make no mistake, if a business does not have a disaster recovery solution in place, or at the very least a solution to back up its data, there is no way it can get the data back from a data loss event.”
The research is based on a survey of more than 500 C-level executives at SMBs. CEOs represented 87% of the group. Almost all of the remainder was split between CIOs and CTOs.
A gap between expectation and reality
While 84% of the total SMB survey group said they are aware of their organizations’ RTO, the rest revealed that they are not. More business-to-consumer (B2C) company leaders are in the dark about their organizations’ RTOs than business-to-business (B2B) C-level executives. 22% admitted they do not know their RTOs, while 10% of B2B leaders said they lack such knowledge.
Of those who were able to state their RTOs, 9% said they have an RTO of one minute or less. 30% said they have an RTO of under an hour. And 17% said they have an RTO of one day. But expectations are clearly not the reality in this scenario without redundancy, automation, and a substantial budget to pay for it.
The research also analyzed RTO from an industry vertical perspective. It found that 26% of telecommunications leaders said their RTO was 10 minutes. This was the No. 1 answer for this sector.
Meanwhile, the top answer of executives in the accounting/finance/banking and retail/e-commerce sectors said their RTO was under an hour, with this answer getting 36% and 29% of the votes, respectively. The No. 1 answer for healthcare, garnering a 35% share from this sector, was an RTO of one day.
“Having a low RTO can be achieved one of two ways: you either have redundant, highly automated infrastructure or an expensive disaster recovery solution. If you’re willing to trade just a little amount of time for cost, you can achieve a reasonable RTO with an affordable disaster recovery solution,” said Reeder.
“Every industry uses technology differently to achieve their business goals, which in turn will have a different requirement around the redundancy and availability of their systems. While it may be possible to have an RTO of less than one minute if you implement redundant systems, those costs usually outweigh the benefits.”
When business leaders were asked how long they expect it will take to recover their data after a disaster, 24% of the total group and a 33% of telecommunications executives said under 10 minutes. Thirty-eight percent of the accounting/finance/banking group and 31% of retail/e-commerce leaders said under one hour.
Disaster recovery has a range of definitions and industry vertical viewpoints
The one thing that everyone can agree on is that disaster recovery is needed in multiple scenarios. Fifty-eight percent of the total survey group said disaster recovery means recovering data after data loss and 55% said it involves recovery from a malware attack. 54% said disaster recovery provides the ability to become operational quickly after a disaster.
“The fact that 58% of the survey group said disaster recovery means getting data back after a loss, yet one in five say they don’t have a solution in place to do this, and most SMBs still believe they are prepared to recover for a disaster does not add up,” said Reeder.
“It highlights the need for SMBs to do detailed assessments on their true disaster recovery readiness or face the very real risk of being totally unprepared in the unfortunate but ever-present event of a disaster.”
The telecommunications sector survey group most commonly described disaster recovery as recovering data after data loss, with 59% of these respondents voicing this opinion. The healthcare (68%) and retail/e-commerce (66%) groups indicated that they see disaster recovery primarily as the ability to become operational quickly after a disaster.
Meanwhile, 56% of SMBs in the accounting/finance/banking sector defined disaster recovery as the ability to recover from a natural disaster like a hurricane or tornado.
74% of retail/e-commerce and 73% of healthcare industry executives said their top expectation of a disaster recovery solution is to minimize the time until their business is fully operational following a disaster.
Sixty-four percent of accounting/finance/banking sector leaders said zero data loss is their top expectation of a disaster recovery solution. Telecommunications leaders indicated their top expectation of a disaster recovery solution is to deliver cost savings related to on-call IT technicians, with 63% providing that answer.
“Every business is unique. But one thing all organizations and sectors have in common is the need to eliminate downtime and data loss,” said Reeder.
“Whether a business is dealing with a server crash or a site-wide disaster, unplanned downtime comes with serious consequences. Businesses can dramatically reduce downtime, quickly recover from ransomware attacks, and avoid paying ransoms by employing disaster recovery as a service.
“SMBs also can get ahead of an anticipated disaster such as a hurricane by failing over to their disaster recovery solution before the disaster is expected to hit, completely mitigating any downtime.”
Different industry sectors provide different reasons for their lack of preparedness
Most SMBs expressed the belief that they are prepared to recover from disaster, but 8% admitted they do not feel they are ready to bounce back from one. Of this latter group, 39% said they don’t have the budget to prepare to recover from a disaster.
Thirty-seven percent said they are unprepared because they have limited time to research solutions. 32% said they are not prepared because they lack the right resources. 27% said they don’t have the technology in place to recover from a disaster.
Healthcare (67%) and business-to-consumer entities (48%) both said the top reason their organizations are not prepared to recover from a disaster is that they have limited time to research solutions. 50% of the SMBs in the accounting/finance/banking group said their businesses are not prepared because their IT teams are stretched.
The top answers from the business-to-business survey group regarding lack of preparedness to recover from a disaster were that they don’t have the right resources or the budget. Both answers garnered 31% of the vote from business-to-business organizations.
“This survey data highlights how important it is for businesses to understand and address their disaster recovery risks before it’s too late,” said Reeder.
Most SMBs have faced micro-disasters in the past year
Yet for any differences among industry sectors, one thing all SMBs seem to have in common is suffering from malware infections, corrupted hard drives, and/or other micro-disasters. 51% of the survey group said they had faced such events within the past year.
B2B entities were more likely than B2C organizations to have been subjected to such scenarios. While 41% of B2C organizations have experienced a micro-disaster in the past year, 59% of B2B entities admitted they have had to face such a situation.
22% of the total survey group said they have experienced a micro-disaster more than once within the past year. 24% of B2B organizations said they have had such repeat experiences, while micro-disasters have hit 20% of B2Cs in the past year.
The pandemic has irrevocably changed the way businesses everywhere operate, crystallizing the link between a robust IT infrastructure and business continuity. According to a survey of IT professionals from Insight Enterprises, only 24% of businesses were able to adapt to the new environment with no downtime, while 56% said 2 or fewer weeks of downtime.
The report further reveals that 46% of IT professionals felt extremely or very prepared to pivot to the new business landscape.
Consequently, businesses could be more proactive about involving IT in contingency planning: 40% of survey respondents reported having to develop or refine business resiliency plans in response to the pandemic.
“COVID-19 has delivered a crash course in agility for organizations of all stripes,” said Mike Gaumond, senior vice president and general manager, Connected Workforce at Insight.
“The pandemic accelerated the long-brewing shift from an on-site to dispersed workforce and forced companies to reckon with their technology shortfalls. The businesses that have adapted successfully are the ones that kept an eye on the horizon.”
You cannot enable remote work without managing it, as well
About half (49%) of survey respondents said their IT priorities were very impacted by the pandemic. When asked to share their top priorities before and after the pandemic, although equipping remote workers has been an essential initiative, managing that infrastructure grew in importance more than other priorities for IT professionals.
However, no IT initiative took precedence over security – half of respondents cited improving data and network security and recovery as a top 3 priority both before and after COVID-19.
Technology will be central to employee safety today and tomorrow
Just as technology – and the professionals charged with managing it – has been essential to helping employees stay connected and productive during extended stay-at-home orders, it also will play a critical role in bringing employees back into the workplace.
According to the survey, IT departments are very focused on investing in technologies that will help protect employee health:
- 58% plan to invest in smart personal hygiene devices, such as connected hand sanitizer stations
- 36% plan to invest in contactless sensors
- 35% plan to invest in infrared thermometers
- 25% plan to invest in thermal cameras
In addition, one-third said they are considering an Internet of Things ecosystem that allows them to aggregate and analyze all of the inputs they gather from these devices.
In today’s new normal, 79% expect IT to take on a greater role within their organization than prior to the pandemic. 65% believe their company is now “very” or “extremely prepared” to handle a situation similar to COVID-19 from an IT perspective. Yet 65% cited business continuity planning or the ability to work remotely as their biggest lesson learned from the impact of COVID-19.
“Now that the initial shock has passed, enterprises are starting to think about how to re-establish a sense of routine. Are the changes they made a few months ago right for their organization moving forward, or do they need to re-evaluate how to shore up new vulnerabilities, improve efficiencies and reduce expenses in the long run?” said Matt Jackson, VP, Digital Innovation at Insight.
“Making continued investments in ‘what’s next’ – from AI to virtual workspaces – has only taken on heightened importance in this new world of digital engagement.”
Fifteen years ago, there was a revolution in personal music players. The market had slowly evolved from the Walkman to the Discman, when a bolt of innovation brought the MP3 player. Finally, the solution to having all of one’s music anywhere was solved with a single device, not a device plus a bag full of whatever physical media was popular at that time.
History clearly shows that the iPod and a few of its competitors were very successful in driving revenue and taking market share away from the legacy Personal Music Players. History also shows that the reign of these devices was short-lived. Just a decade after the release of MP3 players, they were almost entirely replaced by personal music player technology on a smart phone. Why did this happen?
The world slowly realized that the way MP3 players solved the problem of my music anywhere, carried a cost that significantly reduced the value of the solution. You had to carry a phone and an iPod, keep them both charged, and, in many cases, both synced with your PC.
Today, stand-alone PMPs are purely niche devices for specific use cases while everyone else plays music through their phones. The smartphone is the perfect platform to consolidate the “music anywhere” capability with the messaging, mapping and gaming anywhere that those platforms provide. This allows you to carry, charge and sync only one device and manage one set of configuration settings.
Having spent the last decade in the identity governance market, I believe a similar sea of change is about to happen. Identity governance solutions require the following set of capabilities:
1. Lifecycle management
Organizations need to provide some set of automation that follows a knowledge worker (employee, contractor, partner, etc.) from the time they start their association with the company until they end their relationship. This automation should be responsible for giving each knowledge worker access to the core set of applications they need to do their jobs, from their first role throughout many possible promotions and role changes over the years.
This capability is critical as it provides the organization the speed and agility they need to ensure everyone can spend their time working, as opposed to dealing with the IT team. Additionally, at every step in the lifecycle, permissions that were relevant for the last job role that no longer are needed should be removed to maintain a least-privilege security stance. This process typically concludes at the end of a long employment journey, which conceivably included many role changes, where it is critical to ensure that the departing team member no longer has access to ANY company resource.
2. Self-service access request
Automated lifecycle management is critical but even the most organized enterprises can’t predict all of the applications and data a particular colleague will need. Projects come and go, oftentimes staffed with matrixed teams, making it hard to completely define every application an employee will need for all their duties. This is where self-service access request comes in. This capability enables all knowledge workers to simply request access to an application when the need arises through an online portal.
These requests are then evaluated against compliance and security policies, then routed directly to the application owner or employee manager for approval. If approved, these new application permissions are automatically fulfilled without the IT group needing to be involved outside of defining the key policies and workflows. This approach allows the business to manage day-to-day decisions over business data access, which is critical to ensuring speed and competitiveness.
3. Automated access certification
The Sarbanes-Oxley of 2002 act made a huge impact on organizations of all types. It was followed by a continuously growing set of additionally regulations, such as HIPAA and GDPR, which all focused on the need for documented and provable controls on all manner of systems and data. Access to applications and the data inside them was a key control metric in all of these regulations.
Access certification is the process meant to arm internal teams with the data they need to prove compliance to these external regulations, or in some cases just internal policies. Access certification requires that on a regular basis (usually every quarter) application owners review the users and permissions that have been assigned within the applications they are responsible for.
During this process, each combination of user, application and permission must be certified, or attested. In cases where a user is believed to have more permissions than they need to do their jobs, these entitlements are flagged for removal. Organizations used to perform these functions with spreadsheets and email (some still do sadly), but today this functionality typically automated through Identity Governance and Administration (IGA) solutions.
4. Auditing and analytics
The average number of applications for an enterprise organization with more than 5000 employees is now more than 400. Assuming each application has only two types of permissions (which is not reality) this gives organizations more than 4 million possible entitlements that are changing all the time and need to be kept track of.
The main value proposition IGA solutions can provide is to consolidate and present this ever-changing data in a way that makes sense to mere mortals. At its core, this provides the value of visibility, but the value explodes during preparation for an audit. What used to take months of manual work, now takes days of preparing for that team of auditors. Modern IGA systems now also frame this information with signals from other silos (GRC, Incident Response, SEIM) to make the data even more usable to audit and risk teams.
These four capabilities sound simple on the page but in practice can be very difficult to implement. This is one of the reasons people have been making stand-alone IGA solutions for more than 15 years now. This is a complicated problem that the market has met with complicated solutions.
And after 15 years, we still see that most IGA programs are categorized as “at risk,” meaning there is a gap between the value expected at program start vs. current reality. I firmly believe we are about to see a revolt against big, heavy solutions to this problem. This revolt will not be just because people are tired of projects that are 3 years behind and 200 percent over budget. People are also starting to see similarities in this problem set to the other IT challenges their organizations have been solving.
In the case of IGA, a high-level view of the solutions show that the main needs of an effective solution include:
- Connectivity to key IT systems
- Consolidation and presentation of data from multiple systems
- Strong workflow-based automation
- Interfaces that all stakeholders can use
Coincidentally, these same building blocks are also key to many of the IaaS and PaaS solutions that have become so popular over the past decade. The very reasons organizations invest in platforms such as AWS, Azure, ServiceNow and others is to provide a foundation for all IT workloads to take advantage of. These platforms are the smartphones of enterprise IT, allowing for applications to be created that take advantage of these key design blocks, and are easier to integrate with the rest of the critical IT systems.
Frustrated IGA program owners are ready to ditch the stand-alone solutions (MP3 players) and take advantage of what these platforms can offer by using IGA solutions that are built directly into these key platforms. We have already proven that the current path of making bigger and more powerful siloed solutions results only in vendor growth and doesn’t solve the problem. As these new solutions gain adoption, we will see benefits beyond just reduced complexity and friction.
Just like when we started listening to music on our phones, we immediately saw the obvious benefits. But over time, the market found new benefits that they had not even dreamed about when this phase began. Without the move from PMPs to phones we would not be able to “share” music via social media and messaging, nor do I believe streaming music would have taken off without the phones built in connectivity.
Building IAG solutions on top of key IT platforms will open the door for many similar valuable integrations. As more people leverage Human Resources, Incident Response and GRC on these platforms there will be many integrations that can ONLY be done by IGA solutions that live natively on that same platform.
Greenbone Networks revealed the findings of a research assessing critical infrastructure providers’ ability to operate during or in the wake of a cyberattack.
The cyber resilience of critical infrastructures
The research investigated the cyber resilience of organizations operating in the energy, finance, health, telecommunications, transport and water industries, located in the world’s five largest economies: UK, US, Germany, France and Japan. Of the 370 companies surveyed, only 36 percent had achieved a high level of cyber resilience.
To benchmark the cyber resilience of these critical infrastructures, the researchers assessed a number of criteria. These included their ability to manage a major cyberattack, their ability to mitigate the impact of an attack, whether they had the necessary skills to recover after an incident, as well as their best practices, policies and corporate culture.
Infrastructure providers in the US were the most likely to score highly, with 50 percent of companies considered highly resilient. In Europe, the figure was lower at 36 percent. In Japan, is was just 22 percent.
There were also marked differences between industry sectors, with highly-regulated organizations, such as finance and telecoms, most likely to be cyber resilient (both at 46 percent). Transport providers were the least likely to be considered highly resilient (22 percent), while energy providers (32 percent), health providers (34 percent) and water utilities (36 percent) were all close to the average.
Characteristics of a highly-resilient infrastructure provider
They are able to identify critical business processes, related assets and their vulnerabilities: Highly-resilient organizations thoroughly analyse their critical business processes and know which digital assets underpin these processes. They continuously check for vulnerabilities, taking appropriate measures to mitigate or close them.
They deploy cybersecurity architectures that are tailored to their business processes: This focus places them in a strong position to mitigate damage caused by an attack.
They have well-established and well-communicated best practices: The highest performing organizations have well-defined policies and best practices. For example, in 95 percent of highly-resilient organizations, the person responsible for managing a digital asset is also responsible for securing it. This level of expertise and responsibility allows organizations to close gaps and repair damage quickly.
They are more likely to seek third-party support: These companies are more likely to engage with specialist providers, not only to manage security technologies, but also to obtain advice.
For example, they might employ consultants to help develop a security strategy for the company, select suitable technology, implement managed security services, establish metrics for success or calculate the business case for a security project.
They place greater importance on the ability to respond to cyber incidents and mitigate the impact on critical business processes: The ability to prevent cyber incidents is of secondary importance to highly-resilient organizations as they recognize attacks are inevitable.
They are more likely to focus on procedures that lessen the impact of an attack or accelerate their ability to bounce back after an incident.
They prepare for attacks through simulation: They simulate various what-if scenarios in training sessions and also involve stakeholders outside the IT department. They also apply the same cybersecurity rules to all digital assets.
“Cyberattacks are inevitable so being able to firstly withstand them and then recover from them is vital. Nowhere is this more important than in the critical infrastructure industries where any loss or reduction in service could be devastating both socially and economically, so it’s a concern than only just over a third of providers are what we consider to be highly-resilient,” said Dirk Schrader, cyber resilience architect at Greenbone Networks.
“Being cyber resilient involves much more than having enough IT security budget or deploying the right technologies. We hope that – by highlight the key characteristics of highly-resilient organizations – this research will provide a blueprint for others.”
As most of the UK’s cybersecurity workforce now sits at home isolated while carrying out an already pressurised job, there is every possibility that this could be affecting their mental health.
In light of Mental Health Awareness Week, and as the discussion around employee wellbeing becomes louder and louder amidst the COVID-19 pandemic, we spoke with five cybersecurity experts to get their thoughts on how organisations can minimise the negative mental and physical impacts on newly-remote employees.
Remote but not alone: the power of communication
“In the current global situation, focusing on mental health is more important than ever,” says Agata Nowakowska, AVP at Skillsoft. “Now is the time to raise the profile of workplace wellbeing – even though our understanding of the physical workplace has shifted dramatically. Employers need to take workplace wellbeing virtual – meeting the needs of all employees, wherever they are and whatever environment they are in. Even if this is just regular check-ins – whether by phone or video call – everything you do as an employer makes a difference.
“Employee wellbeing should be a strategic priority for organisations, particularly given the uncertainty we’re all facing. Being supportive and lending a hand when employees need it will not just nurture their mental health, but the fundamental health of your organisation as a whole.”
Rob Shaw, Managing Director, EMEA, Fluent Commerce, adds: “Statistics reveal that 1 in 6 of us will have experienced a mental health problem in the past week alone. The importance, therefore, of ensuring discussions about an illness that will affect so many of us, remains in the spotlight cannot be underestimated. We all have our part to play.
“As an employer there are many things we can do to look after our team’s mental wellbeing. First and foremost is creating a culture where employees can talk openly about how they’re feeling without fear of repercussion. From online resources, having dedicated chat platforms where employees can share concerns, to having a qualified staff Mental Health First Aider, the range of things an employer can do to support employee’s health is vast.”
Protect employees by protecting valuable data
“With the COVID-19 pandemic causing devastation across the world, businesses in every industry are quickly having to adapt to a new working style,” says Krishna Subramanian, COO at Komprise. “Some technologies are getting more attention than others at the moment, such as video conferencing tools like Zoom, but there are other technologies that can make a huge impact on employee wellbeing too. With so many employees connecting from home, keeping data safe and secure at all times is a much bigger concern, so generating a cyber resilient safe copy of your business data in a separate location that is not subject to attacks is very important.
She continues, “implementing data management solutions that can help you create what is essentially an “air-gap” cyber resiliency solution to protect your data will give peace-of-mind to your employees, and help them focus on the job at hand.”
“A data breach can happen at any moment, demanding the attention and expertise of cybersecurity professionals,” adds Samantha Humphries, Security Strategist at Exabeam. “It’s an ‘always on’ profession, and there is an unspoken expectation for security teams to work excessive hours, but this leaves many with the inability to ‘switch off’ when they leave the office. Even the most hardened security professional cannot outrun this in the long term; it will inevitably take a toll on their health and personal lives… and this was before lockdown.
“Current events have introduced a whole new level of unprecedented pressure. We have seen the number of data breaches, compromised video-conferencing and COVID-19 related phishing scams soar. In addition, working from home for many individuals also means balancing parenting and home-schooling with their professional responsibilities. In any job, it would be easy to feel overwhelmed by the situation. For our friends in security, it’s a formidable task.”
Promote and honest and open employee culture, both from home and the office
“Encourage employees to take the tough decisions for an easy life when it comes to managing sometimes unrealistic workloads,” says Rob Mellor, VP & GM EMEA, WhereScape. “Honesty also applies to our mental wellbeing that keeps us happy and focused. If appropriate, it can be useful to know about issues that affect performance at work, so managers must make it clear that they’re available to talk.
“As long as organisations continue to make progress in promoting mental fitness, no matter how slow that improvement might be, they are making the move in the right direction. During Mental Health Awareness Week I would like to encourage organisations to share tips and technology that have enabled their progress through social media, websites, Slack groups and other channels.”
Sam Humphries concludes: “I would like to remind our valued security teams that they are not alone. Check in with one another, engage positively with the rest of your organisation and listen to one another. A simple phone call and an understanding tone goes a long way. For those relying on the cybersecurity team – make them feel valued and supported. Particularly for us Brits who tend to ‘suffer in silence’ – stress and isolation doesn’t have to be a battle fought alone. Honest and transparent communication will help provide more certainty in these uncertain times. We all have a role to play in this – make sure you stay connected and kind.”
With the help of things like Mental Health Awareness Week, the conversation around mental health in the workplace is one that is growing momentum each year. This week is a good reminder for employers to help relieve workplace stressors and to prioritise their one number asset, their people.
64 percent of workers in the U.S. say their quality of work has improved amid the disruptive impact of COVID-19, according to KPMG.
They also reported better collaboration (70 percent) and that their team has effectively adapted to working together (82 percent) during this time.
“There is a mutual resiliency and commitment between organizations and their employees that’s resulting in improved connectivity and productivity,” according to Paul Lipinski, KPMG‘s Human Capital Advisory leader.
“During times of uncertainty, like now, it is more important than ever to make sure employees not only understand their role and responsibilities, but also that they feel recognized and appreciated for what they do.”
Quality of work has improved: Embracing new tools
Fifty-nine percent of American workers indicated that they had adequate resources to do their job remotely, and they also reported that their team is effectively using technology to communicate (87 percent).
American workers also indicated that they have concerns about the future. Sixty-three percent are concerned about reduced pay, and more than half are concerned about job loss (57 percent) and the future of their industry (56 percent). Forty-four percent expressed concern about technology replacing their job.
“Employees have demonstrated a welcome willingness to embrace new tools and work arrangements,” Lipinski added. “As technologies such as artificial intelligence continue to reshape the world of work, and employers inevitably shift their focus from resilience to recovery, it will be incumbent upon them to ensure employees’ skillsets keep pace and that their workforce has the learning ecosystem and flexibility needed to adapt to the change ahead.
Investing in quality relationships with employees
Companies that invest in quality relationships with their employees and effectively communicate their value will witness better collaboration and productivity among their workforce than those that do not.
Of the 75 percent of respondents who indicated their companies made them feel valued, 60 percent reported an improved level of productivity (versus 37 percent who did not). Respondents who felt valued also indicated better team collaboration (75 percent) versus those who did not (55 percent).
“Organizations should focus on maintaining and improving their employees’ experience to keep them engaged and motivated as new workplace realities are accommodated,” said Lipinski. “When employers emphasize employee value, the more likely those employees will be collaborative and productive in a volatile environment.”
Preventing burnout in leadership ranks
Overwhelmingly, 96 percent of upper-level management reported their commitment to their companies, along with 87 percent of middle-management.
However, those in management roles reported having a harder time adapting in comparison to non-management respondents, indicating that their job is more demanding now (67 percent versus 50 percent), work/life balance is more difficult (63 percent versus 47 percent), and work is overwhelming (55 percent versus 39 percent).
“To address and prevent burnout in leadership ranks, organizations should reestablish expectations and resourcing for top-level leaders, making sure they have everything they need to do their jobs and manage their emotional and psychological challenges,” Lipinski indicated. “They should also take note of critical roles and ensure a succession plan is in place.”
Built into virtually every hardware device, firmware is lower-level software that is programmed to ensure that hardware functions properly.
As software security has been significantly hardened over the past two decades, hackers have responded by moving down the stack to focus on firmware entry points. Firmware offers a target that basic security controls can’t access or scan as easily as software, while allowing them to persist and continue leveraging many of their tried and true attack techniques.
The industry has reacted to this shift in attackers’ focus by making advancements in firmware security solutions and best practices over the past decade. That said, many organizations are still suffering from firmware security blind spots that prevent them from adequately protecting systems and data.
This can be caused by a variety of factors, from simple platform misconfigurations or reluctance about installing new updates to a general lack of awareness about the imperative need for firmware security.
In short, many don’t know what firmware security hazards exist today. To help readers stay more informed, here are three firmware security blind spots every organization should consider addressing to improve its overall security stance:
1. Firmware security awareness
The security of firmware running on the devices we use every day has been a novel focus point for researchers across the security community. With multiple components running a variety of different firmware, it might be overwhelming to know where to start. A good first step is recognizing firmware as an asset in your organization’s threat model and establishing the security objectives towards confidentiality, integrity, and availability (CIA). Here are some examples of how CIA applies to firmware security:
- Confidentiality: There may be secrets in firmware that require protection. The BIOS password, for instance, might grant attackers authentication bypass if they were able to access firmware contents.
- Integrity: This means ensuring the firmware running on a system is the firmware intended to be running and hasn’t been corrupted or modified. Features such as secure boot and hardware roots of trust support the measurement and verification of the firmware you’re running.
- Availability: In most cases, ensuring devices have access to their firmware in order to operate normally is the top priority for an organization as far as firmware is concerned. A potential breach of this security objective would come in the form of a permanent denial of service (PDoS) attack, which would require manual re-flashing of system components (a sometimes costly and cumbersome solution).
The first step toward firmware security is awareness of its importance as an asset to an organization’s threat model, along with the definition of CIA objectives.
2. Firmware updates
The increase in low-level security research has led to an equivalent increase in findings and fixes provided by vendors, contributing to the gradual improvement of platform resilience. Vendors often work with researchers through their bug bounty programs, their in-house research teams, and with researchers presenting their work in conferences around the world, in order to conduct coordinated disclosure of firmware security vulnerabilities. The industry has come a long way enabling collaboration, enabling processes and accelerating response times towards a common goal: improving the overall health and resilience of computer systems.
The firmware update process can be complex and time consuming, and involves a variety of parties: researchers, device manufacturers, OEM’s, etc. For example, once UEFI’s EDK II source code has been updated with a new fix, vendors must adopt it and push the changes out to end customers. Vendors issue firmware updates for a variety of reasons, but some of the most important patches are designed explicitly to address newly discovered security vulnerabilities.
Regular firmware updates are vital to a strong security posture, but many organizations are hesitant to introduce new patches due to a range of factors. Whether it’s concerns over the potential time or cost involved, or fear of platform bricking potential, there are a variety of reasons why updates are left uninstalled. Delaying or forgoing available fixes, however, increases the amount of time your organization may be at risk.
A good example of this is WannaCry. Although Microsoft had previously released updates to address the exploit, the WannaCry ransomware wreaked havoc on hundreds of thousands of unpatched computers throughout the spring of 2017, affecting hundreds of countries and causing billions of dollars in damages. While this outbreak wasn’t the result of a firmware vulnerability specifically, it offers a stark illustration of what can happen when organizations choose not to apply patches for known threats.
Installing firmware updates regularly is arguably one of the most simple and powerful steps you can take toward better security today. Without them, your organization will be at greater risk of sustaining a security incident, unaware of fixes for known vulnerabilities.
If you’re concerned that installing firmware updates might inadvertently break your organization’s systems, consider conducting field tests on a small batch of systems before rolling them out company-wide and remember to always have a backup of the current image of your platform to revert back to as a precautionary measure. Be sure to establish a firmware update cadence that works for your organization in order to keep your systems up to date with current firmware protections at minimal risk.
3. Platform misconfigurations
Another issue that can cause firmware security risks is platform misconfigurations. Once powered on, a platform follows a complex set of steps to properly configure the computer for runtime operations. There are many time- and sequence-based elements and expectations for how firmware and hardware interact during this process, and security assumptions can be broken if the platform isn’t set up properly.
Disabled security features such as secure boot, VT-d, port protections (like Thunderbolt), execution prevention, and more are examples of potentially costly platform misconfigurations. All sorts of firmware security risks can arise if an engineer forgets a key configuration step or fails to properly configure one of the hundreds of bits involved.
Most platform misconfigurations are difficult to detect without automated security validation tools because different generations of platforms may have registers defined differently, there are a long list of things to check for, and there might be dependencies between the settings. It can quickly become cumbersome to keep track of proper platform configurations in a cumulative way.
Fortunately, tools like the Intel-led, open-source Chipsec project can scan for configuration anomalies within your platform and evaluate security-sensitive bits within your firmware to identify misconfigurations automatically. As a truly cumulative, open-source tool, Chipsec is updated regularly with the most recent threat insights so organizations everywhere can benefit from an ever-growing body of industry research. Chipsec also has the ability to automatically detect the platform being run in order to set register definitions. On top of scanning, it also offers several firmware security tools including fuzzing, manual testing, and forensic analysis.
Although there are a few solutions with the capability to inspect a systems’ configuration, running a Chipsec scan is a free and quick way to ensure a particular system’s settings are set to recommended values.
Your organization runs on numerous hardware devices, each with its own collection of firmware. As attackers continue to set their sights further down the stack in 2020 and beyond, firmware security will be an important focus for every organization. Ensure your organization properly prioritizes defenses for this growing threat vector, install firmware updates regularly, commit to continuously detect potential platform misconfigurations, and enable available security features and their respective policies in order to harden firmware resiliency towards confidentiality, integrity and availability.
89% of IT professionals believe their company could be doing more to defend against cyberattacks, with 64% admitting they are not sure what AI/ML means – despite increased adoption at a global scale, Webroot reveals.
The report, which reveals how global IT professionals perceive and utilize these advancing technologies in business, also found that the UK has the highest use of AI/machine learning in its current cyber security tools when compared with USA, Japan, New Zealand and Australia.
The importance of leveraging AI and ML tools
With the UK currently in lockdown to tackle the spread of coronavirus, thousands more people are staying at home to work. This means it’s never been more important for employers to leverage AI and ML tools to maintain cyber resilience.
And, with the average duration of a phishing attack dropping from days to roughly 30 minutes, it’s clear from the results of the report that businesses need to do more to ensure staff are properly educated on how to use the cybersecurity tools at their disposal effectively.
Matt Aldridge, Principal Solutions Architect, Webroot, said: “It’s clear from these findings that there is still a lot of confusion around artificial intelligence and machine learning, especially in terms of these technologies’ in business cybersecurity, and there is skepticism across all geographies with respect to how much benefit AI/ML brings.
“It’s crucial that businesses improve their understanding in order to realize maximum value. By vetting and partnering with cybersecurity vendors who have long-standing experience using and developing AI/ML, and who can provide expert guidance, we expect businesses will be more likely to achieve the highest levels of cyber resilience and effectively maximize the capabilities of the human analysts on their teams.”
The Internet Security Alliance (ISA) and the European Confederation of Directors’ Associations (ecoDa) released Cyber-Risk Oversight 2020, a handbook on cyber-risk management for corporate boards of directors in Europe.
Improving cybersecurity and risk management
“A cyberattack is not what a Board of Directors wants to face in the midst of the Corona crisis. Our handbook will help prevent such a scenario”, said Béatrice Richez-Baum, Director General at ecoDa.
“The COVID-19 virus is a catalyst for expanded digital transformation. We are already seeing substantial adaptation by organizations who are being forced to operate in an increasingly on-line fashion,” said ISA President Larry Clinton.
“As enterprises move ever more quickly to adopt online mechanisms, it is easy to forget that these needed innovations also can create increased cyber risk. This handbook provides a roadmap for organization’s leaders to follow and increase the resiliency of their systems in this new environment.”
Cyber-Risk Oversight 2020: The features
The new handbook, is co-branded by ISA, AIG and ecoDa, will be based on the Cyber Risk Handbooks ISA has previously developed for the US National Association of Corporate Directors.
“The increased risks of cyber-attacks are a reality that companies have to cope with. Business resilience depends on the capacity of board members to embed cybersecurity in all aspects of their strategy.”, said Béatrice Richez-Baum.
The process to develop the version of the Cyber Risk Handbook for Europe included multiple workshops and webinars with European corporate directors which led to making several adaptations to the unique cultural, legal, and business differences in Europe.
“The prescriptions found in these handbooks have been tested in global surveys and found to significantly improve cybersecurity budgeting and enhance cyber risk management by better connecting business goals with cyber security and creating a culture of security,” said Clinton.
“Working with the ecoDa community and AIG has enabled us to adapt the principles and toolkit in these handbooks to the unique European cultures and perspectives. While this handbook is uniquely European, it is also consistent with the global trend toward understanding cybersecurity as more than just an IT issue but as an enterprise-wide risk management issue,” said Clinton.
The handbook is built around five core principles enlightened by a practical toolkit. The substance is summarized in a short and straight-forward version that helps the reader to navigate among the essential elements.
Stay-at-home orders for more than 40 states have forced millions of businesses to establish remote workforces that rely solely on internet-enabled applications and products to conduct business.
The overnight move to a “virtual workplace” has increased cybersecurity concerns for small business owners, but many still have not implemented remote working policies to address cybersecurity threats, according to a survey by the Cyber Readiness Institute (CRI).
Economic uncertainty preventing cybersecurity investments
Conducted from March 25-27, the survey of 412 small business owners found that half of all business owners are concerned that remote working will lead to more cyberattacks. Yet, nearly 40% feel that economic uncertainty will prevent them from making necessary cybersecurity investments.
This is particularly concerning for companies with fewer than 20 employees as the survey showed they were distinctly unprepared for remote working. Only 22% provided additional cybersecurity training prior to enabling remote working and just 33% provided “any cybersecurity training.”
“Now, more than ever cybersecurity affects the ‘business’ of nearly every company, not just in the U.S. but internationally,” said Kiersten Todt, managing director of CRI.
“These are extremely challenging times for companies, especially small businesses, as revenue and resources are as unpredictable as they have ever been. However, cybersecurity investments aren’t always tied to dollars and cents.
“Several free tools, that focus on human behavior, offer important guidance on helping small businesses become more cyber ready. The best way to prevent the spread of COVID-19 is by doing the basics like washing your hands. Similarly, the cyber hygiene basics will go a long way in keeping small businesses resilient in this time of increased threats.”
Lack of employee training
Social distancing and quarantine orders have altered how business owners manage employees and interact with customers. It has made the reliance on secure communications and operations more important than ever. Yet, only 46% of business owners provide any training to help workers be cyber secure when working from home. The numbers dwindled down to 33% when looking at companies with fewer than 20 employees.
Good cyber hygiene practices that focus on using secure passwords, ensuring that all operating systems are up to date, understanding tricks used by bad actors, and prohibiting the use of USB memory sticks can go a long way in preventing cyber-attacks.
Additional findings from the survey include:
- Only 40% of small businesses have implemented a remote work policy focused on cybersecurity as a result of coronavirus (only 25% of those with less than 20 employees)
- 59% of small business owners said that some employees would be using personal devices when working from home
- 55% believe that federal and state governments should provide products and funding for cybersecurity
- 51% said they provided their employees with technologies to improve cybersecurity for remote workers (only 34% for companies under 20 employees)
With the spread of the coronavirus (COVID-19), CIOs should focus on three short-term actions to increase their organizations’ resilience against disruptions and prepare for rebound and growth, according to Gartner.
“With such a dynamic situation like COVID-19, it has the potential to be as disruptive, or more, to an organization’s continuity of operations as a cyber intrusion or natural disaster,” said Sandy Shen, senior research director at Gartner.
“When traditional channels and operations are impacted by the outbreak, the value of digital channels, products and operations becomes immediately obvious. This is a wake-up call to organizations that focus on daily operational needs at the expense of investing in digital business and long-term resilience.”
CIOs are recommended to focus on three short-term actions to provide support to customers and employees and ensure continuity of operations.
Source digital collaboration tools with security controls and network support
Various quarantine measures and travel restrictions undertaken by organizations, cities and countries have caused uncertainties and disruptions as business operations are either suspended or run in limited capacity.
In organizations where remote working capabilities have not yet been established, CIOs need to work out interim solutions in the short term, including identifying use case requirements such as instant messaging for general communication, file sharing/meeting solutions, and access to enterprise applications such as enterprise resource planning (ERP) and customer relationship management (CRM), while reviewing all security arrangements to ensure secure access to applications and data.
Organizations also need to deal with staffing shortages to maintain basic operations. CIOs can work with business leaders to conduct workforce planning to assess risks and address staffing gaps, such as identifying mission-critical service areas.
CIOs can see how digital technologies such as AI can be used to automate tasks, for example, candidate screening and customer service.
Engage customers and partners through digital channels, maintain sales activities
Many organizations already engage customers over digital platforms, such as branded sites and apps, online marketplaces and social media. But offline face-to-face engagement still plays a big role.
Workplace collaboration, video conferencing and livestreaming solutions can serve various customer engagement and selling scenarios. Organizations should also enable customers to use self-service via online, mobile, social, kiosk and interactive voice response (IVR) channels.
“The value of digital channels becomes obvious as market demand shrinks and as people rely more on online platforms for daily supplies. Organizations can leverage digital channels, such as online marketplaces and social platforms, to compensate for some of the demand loss.” said Ms. Shen.
“They can set up official pages/accounts and integrate commerce capabilities to enable online selling. They should also quickly adapt products to make them suited for selling through digital channels.”
Establish a single source of truth for employees
Confusing data from unverified sources — or the sheer lack of data — can lead to ill-informed decisions being made, escalating employee anxiety and making organizations underprepared for returning to normal operations. Such anxiety can be somewhat relieved if organizations can leverage data to support better decision making and communicate progress more efficiently to employees.
“Organizations can offer curated content, drawn from internal and external sources, to provide actionable guidance to employees. These sources include local governments, healthcare authorities and international organizations, such as the World Health Organization (WHO). HR and corporate communications leaders may be involved to vet the content and interpret the company’s policies,” said Ms. Shen.
“Organizations should set up a site, app or hotline to share this information on a regular basis. Employees can also use these platforms to notify the company about their health conditions and seek emergency support and care services.”
Cybersecurity has emerged as the top focus of upstream oil and gas companies’ digital investments, according to a report from Accenture.
The report is based on a global survey of 255 industry professionals, including C-suite executives, functional leaders and engineers.
Increased investments in cybersecurity
When respondents were asked which digital technologies their organizations are investing in today, cybersecurity was cited more than any other, by 61% of respondents – five times higher than the 12% who made that claim in 2017. The report suggests that the focus on cyber resilience is increasing sharply as oil companies seek to protect their assets and reputations.
Cybersecurity was also cited by more respondents (16%) than any other digital solutions when asked which were driving the greatest impact in terms of business performance, up from 9% in 2017.
With their increased investments in cybersecurity today, only 5% of respondents see increased vulnerability to cyberattacks as the biggest risk from a lack of investment in digital – less than one-third the number (18%) who made this claim in 2017. This might explain why only 35% of respondents plan to invest in cybersecurity over the next three to five years.
“As oil companies’ operations come under increasing threat, cyber resilience becomes more important to stakeholders, consumers and government,” said Rich Holsman, a managing director at Accenture who leads the digital practice in the company’s Resources operating group.
“Managing attacks isn’t just a matter of protecting reputation, share price and operations, but it’s part of a greater responsibility for national services and security.
“Upstream businesses must continue to invest thoughtfully and substantially in cybersecurity measures, as they often underestimate their exposure to such attacks, which are also increasing in technical complexity.”
Cloud technologies: The second-biggest focus for digital investment
The survey identified cloud technologies as the second-biggest focus for digital investment, cited by 53% of companies. In fact, 15% of respondents identified cloud technologies as the digital solutions driving the greatest business performance impact.
The report suggests that oil and gas companies are still investing heavily in cloud technologies because they are a foundation for their digital transformational journeys and for greater operational security.
Additionally, the percentage of respondents who cited artificial intelligence (AI) as driving the greatest business performance impact more than doubled from 2017, from 4% to 9%.
As such, when asked what digital technologies they plan to invest in over the next three to five years, the greatest number (51%) cited AI / machine learning – up from 30% in 2017 – followed by big data / analytics (50%), the internet of things (43%) and mobile / wearable technologies (38%).
47% of respondents cited a loss of competitive advantage as the biggest risk of a lack of investment in digital, with 42% citing cost reduction as the most significant business challenge that digital can help address.
Broadly however, the rate of digital investment by upstream companies has remained almost the same over the last few years. For instance, the number of executives who said their companies plan to invest more or significantly more in digital technologies over the next three to five years – 72% – was relatively unchanged from the number of who responded similarly to the same question in the 2017 survey (71%).
Scaling digital technologies is key to generating value from digital investments
The report reveals that upstream oil and gas companies are finding it hard to scale digital initiatives. Only 9% of respondents reported that their department or division had been able to scale at least half of the digital proofs of concept (POCs) they’ve developed over the last two years.
Further, only 20% of respondents said that they were able to scale more than 20% of their POCs past this pilot stage.
The report also notes that while upstream companies need to scale digital technologies to release trapped value – i.e., to generate added value from their digital investments – significant barriers remain to doing so.
For instance, 34% of respondents said they see the lack of a clear strategy and business case as the biggest barrier, up from 26% in 2017.
Further, only 15% of respondents said they are seeing more than $50 million in additional value from their digital investments, and only one in 20 (5%) said that digital is adding at least $100 million in value to their upstream business, a drop from 12% only two years ago.
“Although upstream companies continue to increase their digital investments, they’re not translating those investments optimally into tangible value – in fact, their ability to generate value from digital seems to be declining,” Holsman said.
“These companies face organizational bottlenecks and are finding it hard to scale these technologies, impeding core business transformation and the release of capital.
“Realigning digital investments and building the right operating model and digital capabilities is needed for oil companies to become agile and able to scale to value. This will require not only more support from leadership, but also a much broader ecosystem of partnerships as well.”