The pandemic has accelerated our digital transformation and made organizations a lot more vulnerable to cyberattacks. The World Economic Forum cites cyberattacks as one of the top risks facing the world today, along with extreme weather, natural disasters, and biodiversity loss. In an IMD webinar, more than a third of participants said their organization had experienced a cyberattack in the past two years.
I have identified six trends – artificial intelligence, blockchain, third-party risk, cloudification, cybercriminal supply chains and the war in Ukraine – that will shape cybersecurity in the near future. These trends, spanning technology, organizational processes and societal changes, will pose both opportunities and risks when it comes to cybersecurity.
1. Artificial Intelligence
In the world of cybersecurity, AI is a double-edged sword.
On the one hand, there has been a proliferation of new AI tools that can raise our cyber defenses by detecting fraud, malware and other intruders in a company network. Financial institutions have deployed machine learning to aid fraud detection by analyzing user habits and locations, so they can catch out-of-the-ordinary activity. For example, if the AI starts seeing unusual data flows that don’t fit within an organization’s overall traffic patterns or sees users accessing systems to which they don’t usually have access, the software can raise a red flag.
Digital payment company PayPal has managed to reduce its fraud rate to less than 1% using a sophisticated deep learning system that analyzes transactions in real time. And ISFM, a European autonomous shuttle company, uses AI-based behavior profiling and access control to guard the electronic control systems of its autonomous vehicles against hacking.
On the other hand, hackers are exploiting AI to breach organizations. Former US President Barack Obama famously raised the concern that AI could hack America’s nuclear weapons.
Cybercriminals are using AI to conceal malicious code in benign applications, while machines are now capable of generating emails that mimic the writing style of an employee to launch phishing attacks.
We asked participants in the webinar whether their organizations were using AI and machine learning for cybersecurity, and just 22% of respondents said that these tools were used for security purposes. While there has been a lot of attention on how AI can add value to organizations, using the technology to improve security could be an equally valuable addition for many companies.
2. Blockchain
As we rely more and more on data, we need to make sure that we can trust the information and that malicious actors have not tampered with it. Blockchain provides an effective tool to protect the confidentiality, integrity, and availability of data. By design, blockchain is an encrypted, shared immutable ledger that is stored across different systems and creates an irreversible timeline of data. The fact that the data is available through different nodes means that there is no single point of failure, because if one computer system fails, there is a copy elsewhere.
But the drive by some companies to jump on the craze for cryptocurrencies means that some organizations put out badly designed and tested code that compromises security and places too much reliance on infrastructure.
Ronin Network, a platform powering the popular mobile game Axie Infinity, loosened its security features to cope with an influx of new players. But then it forgot to retighten its security. Hackers took advantage of the left-open backdoor to steal $615 million.
Ask yourself: are you protecting your AI or machine-learning powered products or services? Do you have the monitoring, detection and intervention capabilities for malicious tampering of your AI? Next to the technical capabilities, do you also have the necessary legal, ethical and process infrastructure to govern AI security?
3. Third-party risk
Alongside technological trends, there are also risks within your organization and supply chain. Hackers targeting your company will increasingly go after your weak and small-scale suppliers, breach them and then use their credentials to infiltrate your digital systems. A 2021 Cyberthreat Defense Report by the CyberEdge Group found third-party risk management was the least secure area of IT security.
U.S. retailer Target was breached through their air conditioning maintenance company. A hack on U.S. technology firm Kaseya, which makes software used to remotely manage a company’s IT networks and devices, flooded hundreds of its customers with ransomware.
To increase their protection levels, companies should consider asking vendors about their technical prevention measures and how data is protected on servers as well as in transit. It is also worth asking: has your vendor implemented multi-factor authentication? Are employees and contractors required to attend security training? What due diligence is performed on contractors and vendors before and after the contract stage? And is there a formal incident management program in place?
4. Cloudification
More and more organizations are moving business-critical information to the cloud as companies gain trust in the external suppliers. The dominant providers, including Amazon Web Services, Google Compute Platform and Microsoft Azure, are investing in their capabilities and providing remote support, making it more affordable and practical for many firms to migrate their services to a public cloud. Yet this doesn’t mean it is without risk.
In March 2021, arts-and-crafts retailer Hobby Loft left 138 gigabytes of sensitive information open to the public internet because of a cloud misconfiguration in its Amazon Web Services (AWS) cloud database.
Other blind spots include misunderstanding on the part of end users about shared responsibility models. For example, even organizations that use software-as-a-service will still be responsible for user access and data.
To minimize the risk, companies should invest in encryption capabilities, access management, logging practices, audits, and strong security policies.
5. The rise of cybercriminal supply chains
The biggest threat facing organizations in coming times, according to participants of the IMD webinar, is the rise of the cybercriminal supply chain. This is partly due to the fact that it is invisible and something we have little control over.
While we may imagine a hacker to be an 18-year-old working from his parents’ basement, the reality is that cybercriminals today are highly professionalized and operate in a value chain.
The perpetrators are the masterminds who pay developers to create malware. Distributors will then sell these applications to whoever wants to breach a certain organization, while cybercriminals will use stolen data of unsuspecting users to make money in cybercriminal activities online. Some hackers will also sit on data for several months and then sell it to affiliates for further exploitation. It takes on average 200 days for an organization to become aware of an attack, according to IBM.
As an organization, we need to focus on improving our response capability. Reputational damage is not caused by being hacked, but rather by how well we respond to cyberattacks.
Ask yourself: are you aware of the threat landscape, your weaknesses and how to respond?
Many organizations do not invest enough in their threat intelligence. Yet it is clear that certain types of attack are more common in certain geographies and industries. A significant proportion of attacks also happen because of unpatched vulnerabilities. Leaders should decide, long before they are breached, how they will respond to a cyberattack and whether they will pay up.
6. The war in Ukraine
Russia has for a while now been one of the leading active countries in cyber capabilities. According to a report by Microsoft, Russia has conducted hundreds of cyber operations against Ukraine throughout its invasion, and Microsoft believes cyber risks will continue to escalate as the conflict grinds on.
While it remains difficult to attribute attacks, companies should keep the conflict’s online front in mind and think about how they will prepare if and when it spills beyond Ukraine’s digital borders.
Digital activists have also claimed to have unleashed a wave of hacking attacks on government websites and leaked more than 900,000 emails from Russian state media to anti-secrecy activists abroad.
Organizations need to alert and educate users about the increased cyber risks, make sure systems, network devices and apps are running the latest security updates, secure remote access accounts and devices, and make and verify backups.
Key questions to ask your Chief Information Security Officer
Given the increasingly risky and evolving threat landscape, here are five questions to ask your company’s CISO:
- How is digital transformation changing our cyber threat landscape?
- How have we changed our cyber risk appetite along with digital transformation?
- How do we evaluate the risks of cloud and third parties?
- How do we obtain assurance that the cyber controls are in place and performed?
- Is security a part of your business discussions with partners?
- Do you do security assessments when investing in new technology & applications?
- How do we train our people and enhance our processes to take account of the new reality that comes with transformation and remote work?
- Is cybersecurity part of your business continuity planning?
- Do you know how to respond in case of a cybersecurity incident?
- Have you worked on an incident response plan?
- Do you frequently update and exercise it?