You don’t have to look far to find news of a major data breach these days. It appears cyber security is a term sitting front and centre on many minds while malicious attacks continue to damage companies and corporations.
A cyber-attack is when an individual or an organisation deliberately and maliciously attempts to breach the information system of another individual or organisation. While there is usually an economic goal, some recent attacks show destruction of data as a goal.
Have you ever heard of Sohanad, SnakeKeylogger, Formbook, AgentTesla or Trickbot?
Or perhaps Enraged Duck or Pinchy Spider rings a bell?
Surprisingly, these are not the characters of comic books or Marvel movies, but the names of common malware and cyber-attacks. MIT Technology Review reported that 2021 was the worst year for cyber and malware attacks in New Zealand history with the number of attacks reported doubling from 2020.
These attacks have cost businesses dearly: not just lost profits, but also data loss and recovery, which can cost businesses millions, not to mention the loss of trust and the negative impact on a company’s reputation.
There are several contributors to the increasing number of cyber-attacks, with the most notable one being the increasing trend in hybrid work.
With the easing of Covid restrictions, many employees are finding themselves in the position of having to choose between working remotely or splitting their time between the office and home.
Because organisations adopted this way of working on the fly (and continue to do so, two years on), it has opened an extraordinary new attack surface, made up of distributed mobile devices and connections that are not always adequately secured.
As Andrew Gogarty, Secon chief security evangelist, says: “This work-life shift means that businesses need to continue to be vigilant and address the multiple vulnerabilities that still linger.”
How much risk can you stomach?
Organisations need to be asking themselves how much risk they are prepared to stomach. For example, as organisations become increasingly reliant on digital technologies, is the risk they face increasing or simply changing in nature? Just how aware are businesses of the risk landscape that exists?
Should a greater proportion of IT budgets be allocated to security? How much? What implications does the growing use of cloud platforms have for an organisation’s risk profile? Does your organisation understand its cyber risk score and what that entails?
The high-profile attacks on NZ Post and Kiwibank in 2021, where both became the target of malicious DDoS attacks, highlighted that even large organisations make mistakes. It’s clear that a strong, proactive stance on cybersecurity is crucial for any organisation.
The complexity of this topic leaves many feeling confused and overwhelmed. Across all industries, the methods by which data is breached, triggering a significant security incident, are often similar – if not the same.
Understanding the most common cyber security mistakes, and the potential financial and reputational loss to your business, enables you to implement improved security measures.
These range from things as granular as out-of-date software to large-scale struggles like a lack of support from leadership teams.
There seem to be ongoing common errors that organisations are making that leave them exposed. The following is a sampling of the most common issues facing information security professionals and the organisations they serve:
- Small organisations don’t recognise that their assets and data are still attractive to cyber criminals
- Working from home or other places means one misuse of VPN credentials can result in an attacker gaining access to all devices throughout an organisation.
- Security is approached as an IT issue and not a business issue – lack of cyber security training and awareness among employees
- Organisations do not understand their network and the importance of updates and patching
- Relying solely on antivirus – this is not sufficient to prevent advanced persistent attacks
The list goes on, but what we do know is that 2022 will be another eventful year full of vulnerability exploits, account takeover attacks, phishing, and ransomware.
Therefore, 2022 should be seen as an opportunity to go back and review the pivot-related changes of the last two years to see how visibility and control can be maintained to reduce your business risk from cyberattacks.