On 31.12.2020, the last day of the unfortunate year that was, I read about a Pune-based MNC that was duped of €56,000 (over Rs 50 lakh) by way of a ‘man-in-the-middle’ cyber attack.
In this case, the fraudsters created a fake email address resembling that of the German company to which the amount was being transferred and convinced the MNC (multinational corporation) that the bank account details had been changed owing to a technical glitch. Naively, the MNC went ahead with the transaction without verification. This is just one of the many incidents that plagued the ‘phygital’ world.
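The incident above turns on two things a mail gateway or finance workflow can check before money moves: a sender domain that merely resembles a trusted counterparty, and a request to change bank details. The following is an added example, not code from the original column; the vendor domains, sender addresses and message texts are constructed for illustration.

```python
"""Lookalike-sender and bank-detail-change check (added example, constructed data)."""
import re

# Hypothetical allow-list of counterparties the business actually pays.
TRUSTED_DOMAINS = {"example-supplier.de", "partner-gmbh.de"}

# Wording that typically accompanies a fraudulent change of payment details.
BANK_CHANGE_PATTERNS = re.compile(
    r"(bank|account|iban|beneficiary).{0,40}(changed|updated|new)|technical glitch",
    re.IGNORECASE,
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; small distances flag typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain part of an address like 'Name <user@host>'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def classify_sender(address: str, max_distance: int = 2) -> str:
    """'trusted' (exact match), 'lookalike' (within edit distance) or 'unknown'."""
    domain = sender_domain(address)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(levenshtein(domain, t) <= max_distance for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


def assess(address: str, body: str) -> str:
    """Verdict for a payment-related email.

    A lookalike domain is blocked outright; any request to change bank details,
    even from a trusted domain (which may be compromised), must be confirmed
    out of band via a contact number already on file, never one in the email.
    """
    status = classify_sender(address)
    if status == "lookalike":
        return "block-lookalike"
    if BANK_CHANGE_PATTERNS.search(body):
        return "verify-out-of-band"
    return "ok"
```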
What are the lessons we, as business leaders, enterprise owners and policymakers can carry forward to 2021? The previous year was one of the public health crises and political awakenings, economic meltdowns and cyber-warfare. With the internet playing a central role in everything, from governments and micro-businesses to healthcare, supply chain and transportation, securing it will be at the very centre of everyone’s focus.
One might expect threat actors to spare an event such as a global pandemic, but alas, they did not. Bitdefender found that 4 in 10 emails mentioning coronavirus were fraud, phishing or malware, and 50% of organisations were "completely unprepared" to face a scenario in which they had to migrate their entire workforce.
Such overnight changes to policies and configurations opened up new attack vectors that threat actors could (and did) exploit. Considering just the last quarter of 2020, there was a 30% rise in IoT (Internet of Things) malware attacks - 32.4 billion! As countries raced to find a cure and develop vaccines for COVID-19, Microsoft detected three nation-state actors (Strontium, Zinc and Cerium) targeting at least seven prominent companies involved in COVID-19 research.
While Strontium used password spray and brute force login attempts to steal login credentials, Zinc resorted to spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be recruiters. Cerium engaged in spear-phishing email lures using Covid-19 themes while masquerading as World Health Organization representatives.
Why does the recurrent theme of these attacks fall back on social engineering? Perhaps because it is natural for adversaries to seek and use the path of least resistance, and it is our fault that we, as consumers, make for easy targets. None of these attacks was elaborately planned or showed perfect execution. Instead, they relied on us and our imperfections.
They used employees in organisations both large and small, and inadequately cyber-aware (human) systems, to roll out the red carpet for them to infiltrate our systems and wreak havoc.
Enterprises, employees and consumers have to date remained siloed and have functioned as such, especially when it came to cybersecurity. The year 2021 will be a period when every digital entity can coalesce to form one coherent unit. It has to be the year for people-centric cybersecurity, not only because of all that transpired the previous year but also to secure the Internet in the long run as a free, safe and secure environment for one and all. With Covid-19 changing the way the world functions, cybercriminals have found newer avenues to cripple people and, therefore, businesses and governments. Despite playing a role in the majority of breaches (up to 90%), the human aspect accounts for less than 10% of the IT cybersecurity budget in organisations. The one thing that will make the biggest difference is how enterprises secure the human element.
This grassroots revolution of re-calibrating people’s cyber consciousness will begin with its quantification. People - their cyber awareness, their devices and device security, their history of lapses and their leaked credentials available on the dark web - will all be summed to denote a person’s Cyber Quotient.
With customised and directed cyber-awareness content in the format best suited to each person, supplemented with device configuration settings to enhance micro-security, and with these details added to other available data (including but not limited to background verification, employment status and employment history), employers will be able to quantify their employees’ cyber-consciousness. All of these signals, along with organisation-level policies covering backup of data, IAM, PIM/PAM, DLP, UEBA, third-party onboarding and others, will collectively determine a ‘People’ breach score, which essentially represents how likely the organisation is to be breached through an accidental or pre-planned act by an insider. Employers will be able to obtain a significantly accurate peek into the mind of their employees.
People will be central to cybersecurity. The entire world will shift from a pyramid-shaped cyber defence that is reactive to a more spherical model which will be proactive, with people forming the outermost and first line of defence. Artificial Intelligence is already embedded deep within cybersecurity and to re-engineer cyber consciousness, we will have to depend on it to calculate and yield results quickly, efficiently and continuously.
One of the greatest lessons from the Buddha is “You think you have time”, and if there is any lesson 2020 has taught us, it is that normalcy can change in the blink of an eye. It is better to prepare the one aspect we can control - ourselves and those around us.
Rahul Tyagi is the co-founder of Lucideus. The views in this article are his own.