by Andrew Howard | Aug 23, 2022 | Cybersecurity
Every year, the cybersecurity sector publishes articles on what we can expect to see in the course of the year. This article, published originally in InfoSec on August 8, 2022 by Ali Hadley looks at the predictions Kudelski Security CEO, Andrew Howard, made at the beginning of 2022 in a podcast with Infosec. As we move to the last quarter of the year, we ask how much has changed and what will carry over as the top cybersecurity trends for 2023.
New strains of COVID. Humanitarian crises. A staggering influx of cybercrime. 2022 has brought us a whirlwind of headline-making events, all of which impact the current and future state of cybersecurity.
Learn what to expect and how to navigate the world as an emerging cyber pro with predictions from Andrew Howard, the CEO of Kudelski Security and our recent Cyber Work Podcast guest.
Prediction #1: The security of encrypted data is at stake
For years, quantum computing has been a hot topic among cybersecurity professionals. As the technology gets increasingly sophisticated, concerns about the safety of encrypted data continue to grow. But Andrew says it’s not an immediate threat yet.
“Most cryptography today is based on hard math, typically around number factorization,” he explains. “A quantum computer, if large enough and in existence, can theoretically crack these factorial-based algorithms very quickly, such that all current encryption could be at risk.”
Though future forms may threaten anything encrypted with current algorithms, Andrew says this type of quantum computer doesn’t exist right now. It’s still theoretical.
Instead of trading out all of their cryptography, Andrew advises his clients to start thinking about their action plans. “The real concern is what’s going to happen to the data you’re creating today,” he says. For now, a general idea of how you’ll access and store your encrypted and decrypted data is a good place to start.
Learn what to expect and how to navigate the world as an emerging cyber pro with predictions from Andrew Howard, the CEO of Kudelski Security and our recent Cyber Work Podcast guest. Download our corporate brochure.
Prediction #2: Supply chain security jobs will grow in demand
While big enterprises are more secure than ever before, industries in the operational technology environment (e.g., vehicle manufacturers and other production plants) are paving the way for a new horizon in security.
Manufacturing is a long-established practice, but it has long been avoided from a cybersecurity perspective, partially because it’s disconnected from the internet and partially because making updates means significant uptime requirements, slowing the entire process.
Then came IoT.
Simply summarized as a network of connected devices, IoT is the technology that allows your phone and thermostat to talk to each other. Adopted to help streamline logistics, IoT has made supply chain operations more cost-effective and efficient but also more susceptible to cyberattacks.
Because manufacturers rely on third-party software to manage these devices, they can’t directly control their data or who can access it. Now, instead of stealing just one customer’s information, cybercriminals can directly target these software providers and gain access to thousands of customers’ data. And the risk only increases as more companies complete their digital transformations.
So, what does this mean for the future—and for you?
As the new frontier in product security, there will be growing opportunities for cybercriminals and cyber pros alike. While traditional IT knowledge will be essential, Andrew says, “There will be an equally large need [for talent] on the manufacturing side of the equation as well, because it’s not just your laptop anymore. It’s all your IoT devices, it’s your thermostats, and it’s also nuclear plants.” If you have an interest in both, “there’s opportunity,” Andrew says.
Prediction #3: Ransomware attacks will triple
It’s no secret that ransomware is a highly profitable technique used by cybercriminals. In 2021, these attacks affected 37% of all businesses, costing the world $20 billion in damages. As companies continue to grow and tactics evolve, that number will likely skyrocket to $265 billion by 2031.
Because it is the “money-making tool of choice,” Andrew reminds his clients that ransomware isn’t going anywhere, any time soon. If anything, attacks will only get more sophisticated and consequently more difficult to identify and prevent.
“One of our predictions for the start of 2022 is that ransomware will double, if not triple,” Andrew says. “For the time being, this is the threat of choice. If companies haven’t gotten their act together around this topic, it is time to get your act together.”
Because ransomware requires human error to wreak havoc (i.e., opening a malicious link in an email), employee education is the best way to prevent an attack. But, the groundwork doesn’t stop there. While awareness can keep threats from infiltrating your organization, Andrew recommends a holistic approach to prevent major damage.
“There’s no silver bullet,” Andrew stresses. “It’s going to require backup solutions. We would recommend an incident response retainer with a firm that can respond,” he says. “There are some straightforward things that can be done to limit your risks, like deploying some kind of endpoint technology tool. But it’s not one thing.”
Prediction #4: Remote work will get riskier
While securing remote systems was the #1 priority at the start of the pandemic, Andrew says employee trust is now “the most pervasive issue.”
“Lots of companies have employees that they’ve never seen in person, employees that might have a more transactional relationship with their employer,” Andrew explains. “I think this is where cybersecurity issues are being generated.”
As work shifts out of the office and into our homes, it’s getting harder to keep track of employees, which creates a slew of issues ranging from lack of trust to burnout. These new challenges create friction and a lack of transparency, which can increase the risk of data breaches, whether intentional or caused by an innocent mistake.
Regardless of motive, the isolated work environment isn’t changing any time soon, so Andrew stresses the importance of prevention and vigilance.
In addition to reviewing admin permissions to ensure that only the right people have rights to your infrastructure, you can also implement an insider threat program.
Designed to help detect and deter opportunistic attacks, these programs gather data on security processes and protocols and on users who may have privileged access to your organization.
Advice for up-and-coming professionals
As cybersecurity continues to evolve, employers are looking for sharp, proactive problem-solvers to help them work faster, better and smarter. That’s why programming will become a highly sought-after skill in the years to come. “The security leaders of tomorrow are software developers today,” says Andrew.
While companies make their great migrations to the cloud, they need a cyber pro who knows how to analyze data and automate security processes. If you focus on any one additional skill before applying for jobs, Andrew suggests studying scripting tools such as Pearl and Python.
To learn more about the future of cybersecurity, listen to the Cyber Work Podcast, Predictions for cybersecurity in 2022, with Andrew Howard.
by Andrew Howard | Jan 13, 2022 | Cybersecurity
Last month Andrew Howard was interviewed by Infosec’s Chris Sienko, on the top risk and cybersecurity trends for 2022. The podcast can be accessed here.
Think there’s nothing new under the sun? With cybersecurity trends, you wouldn’t be far off the truth. Every year opinion leaders outline the main cybersecurity trends to watch and often enough, the only substantial difference in content is the publication date.
That said, nothing stays the same–what is an emerging trend eventually becomes a widely accepted norm. What are “cybersecurity trends you need to know about” become “cybersecurity trends you need to take action on.”
In this podcast, Kudelski Security CEO Andrew Howard, discusses six of the biggest cybersecurity trends in 2022. He outlines how the theme or practice in question has evolved, what the current state of play is, and what reflection or action security leaders need to take.
Cybersecurity trends in ransomware, trends in WFH as well as quantum computing and the top cybersecurity skills to develop in order to become a cybersecurity professional are all covered. The interview breaks down largely as follows:
0:00 – Andrew Howard’s own experience of getting into cybersecurity
4:00 – How has cloud security evolved? Persistence of hybrid approaches
8:20 – The next cybersecurity innovation and quantum computing; regulation and the challenge of securing sensitive data using current algorithms in the future.
10:54 – The state of ransomware, the tool of choice for nefarious actors to monetizing threats, and practical ways to address the challenges
12:57 – Cybersecurity supply chain issues and the risks of third-party service providers
16:18 – Cybersecurity, the hybrid work environment, and employee-employer trust deficit (access control and insider threats)
18:42 – The year of cyber insurance and exclusion of ransomware from coverage
20:35 – Department of Defense directive to close security gaps in the government networks and systems
22:15 – The magic wand: Three things Andrew Howard would change in cybersecurity – resolve the security protocols in the Internet earlier, fix authentication behind email, overreliance on security awareness and training
28:10 – Advice to 2022 cybersecurity students; top skills to get a great cybersecurity career: problem solving skills, data analytics skills, scripting automation programming skills
29:37 – Kudelski Security
30:58 – Blockchain security in 2022
31:57 – Learn more about Kudelski Security
You can listen to The Cyber Work Podcast, Predictions for cybersecurity in 2022, here.
by Andrew Howard | Jan 3, 2022 | Ransomware
Over the past year, security companies have witnessed the massive impact that ransomware attacks like SolarWinds and Kaseya have had on businesses. As businesses play catch up to the tactics used by hackers to deploy malware, even more sophisticated approaches are unleashed. As we prepare for 2022, ransomware is one thing it’s safe to say is here to stay. Here’s what companies need to consider as they evaluate their cyber hygiene and prepare for 2022:
Expect Ransomware Attacks to Double, if Not Triple
Next year will likely bring double, if not triple, the number of ransomware incidents we saw in 2021. Hackers have seen success from ransom payments – and the number of companies willing to pay is growing. At the micro level, companies know they lack the resources to reclaim their systems on their own in a timely manner, which leaves them with little to no choice in terms of opening up their wallets to attackers. But if we consider the macro level, paying ransomware exacerbates and accelerates the problem by incentivizing and equipping more numerous, skillful attacks. A growing number of companies are paying; at Kudelski Security we see more and more clients who are paying. Until the incentive structure at the micro level vs. macro level align, we will remain in this ransomware conundrum.
Ransomware is now far beyond a security concern; companies are finding themselves in ethical dilemmas surrounding whether or not they can – or should – pay a ransom. The reality is this: the organization cannot identify who they pay to remove the malware from their systems. Eventually, some company is going to be linked to paying a terrorist, which will refocus the debate on regulation.
Supply Chain Disruptions are Far from Over
Between the proven case that more companies than ever are paying ransomware and the slew of supply chain compromises we can expect to still see well into 2022, a vicious cycle is brewing.
The supply chain has been plastered all over the news the last few months in terms of delayed shipping and worries about out-of-stock items ahead of the holiday season. Beyond these inconveniences, the supply chain – including critical infrastructure like oil pipelines – faces the dangers of ransomware attacks due to the chain-like reaction that it has on companies and their partners. In these breaches, far more companies are impacted than the first to be hit or the even the overall intended victim. These more sophisticated attackers can target multiple companies at a time, disrupting each one’s system as they move through the partner companies along the chain.
Moving forward, we can expect to see more and more companies within a supply chain fall victim to ransomware attacks. We’re also likely to see attackers go after managed security providers and law firms, which enables them to attack the hundreds of clients they’re serving at the same time.
Learn about Kudelski Security’s incident response services here.
The Top Ransomware Targets
Cybersecurity, and the tools that are associated with it, are often perceived as extremely expensive. Small and medium sized businesses are massively exposed to ransomware given their lack of protection and how underserved they are by the security community.
Medical ecosystems will also continue to be a top target. The medical industry drives deeper pressure surrounding the amount of time a company must deliberate on paying the ransom or attempting to remedy the situation on their own. Concerns about physical safety will drive more healthcare organizations to make ransomware payments, which in turn, will drive more attacks.
Further, attacks are unlikely to carried out on actual medical systems or devices but will continue to be straightforward, IT-focused attacks. In general, attackers will continue to target billing systems, patient records and ERPs because attacking the enterprise systems is sufficient to accomplish their objectives. If a hospital’s billing and/or patient system is down, it effectively shuts down the hospital, making IT systems in healthcare a primary target for the foreseeable future.
How to Mitigate Ransomware Attacks
Over the next year, with so much increased incentive for ransomware attacks, now is the time for companies to equip themselves with the proper tools and training to set their employees, customers and company partners up for success. Rather than focusing solely on their ransomware backup strategy, companies should use their resources to evaluate their cyber hygiene and endpoint detection and response strategies. It is crucial to fixate on the root causes, not just the symptoms of the overall problem.
This article was originally featured in VMblog.
by Andrew Howard | Mar 9, 2021 | CISO, Cybersecurity
The security industry has faced a variety of challenges throughout 2020. The pandemic put pressure on security and IT operations and shone a spotlight on underlying issues many organizations were facing in terms of their digital transformation and security posture. If that wasn’t enough, the threat landscape also shifted and is now more volatile than ever.
As security leaders prepare to handle what lies ahead in 2021 and beyond, there are three key trends they should pay special attention to: the increase in adoption of policy-based security models, new ransomware threats and greater utilization of artificial intelligence.
Adoption of policy-based security models
The prospect of moving an onsite workforce to a remote setting had a huge impact on many organizations, as they realized they weren’t ready for such a dramatic shift. Moving to remote work due to COVID-19 exacerbated the shortcomings of the traditional enterprise perimeter security model. This led to more organizations choosing policy-based security models, such as Zero Trust, to ensure the protection of their employees while remote work continues to be a norm.
As remote work becomes more normalized – beyond the pandemic -, rather than equating trust to a corporate network location, a Zero Trust model analyzes information about the user, data, applications and devices to contextualize security risks and dynamically adapt access rights. Successful adoption will depend on organizations fully integrating various tools within their environment, from authentication systems and network security appliances to endpoint detection and response.
Increase in data breaches and ransomware attacks
Attackers are constantly changing their methods, resulting in new and evolving risks. It is important for companies to be prepared and aware of new threats to stay ahead of them and protect their data from any potential compromise.
Looking ahead, companies should expect to see an increase in ransomware, with bad actors increasingly threatening to expose encrypted files if they refuse to pay a ransom.Organizations have begun to do a good job in building, testing and operationalizing their office backup strategies to mitigate the risk of ransomware. Unfortunately, most of these organizations have failed to mitigate the actual risks, if data has been compromised before – whether directly from the company or through third parties – threat actors will still be able to gain a foothold into the company’s assets. The focus moving forward should fall into ensuring they have robust backup and data recovery strategies that can help address the systemic weaknesses attackers are exploiting.
We’re also going to see a considerable increase in the use of illicit Auth 2.0 grants to compromise accounts. In general, organizations have created better phishing awareness programs, increased multifactor authentication, and created rules to detect anomalous logons; however, attackers have shifted to trick users into Illicit Oauth 2.0 grants. To prepare, companies should limit which applications can request OAuth 2.0 grants from end users or disallow specific OAuth 2.0 scopes from ever being granted.
Utilization of Artificial Intelligence
We will see an increased utilization of AI particularly within the IoT and OT industries, given the technology’s ability to help automate many tasks to reduce costs and improve productivity. However, as security leaders decide to adopt AI, they will need to prioritize the integrity of the data and make sure basic cyber hygiene protocols are in place.
Utilizing AI without the basics – from asset and patch management to user awareness – will only exacerbate the number of breaches we will see, as simpler exploits will be able to leverage any weak spots.
Looking ahead to 2021 and beyond, organizations need to be prepared to secure their resources no matter where they are accessed from. Leaders will need to make sure they add security-based policies to their business continuity plans as well as understand all the threats’ shifts and how to adopt new technologies to mitigate potential risks.
This blog was originally featured in VMblog.com
by Andrew Howard | Jan 3, 2020 | IoT
The Internet of Things (IoT) is fast turning into an intrinsic part of the digital transformation for industries such as utilities, transportation or manufacturing. The market is expected to reach a value of $922.62 billion by 2025, becoming one of the biggest catalysts for new emerging technologies.
Although Industrial IoT (IIoT) adoption offers benefits ranging from automating and optimizing the business to eliminating manual processes and improving overall efficiencies, security continues to be an afterthought, one that creates risk that industrial organizations are ill-equipped to manage.
The Trickle-Down Effect
The lack of mature security frameworks and the breadth of security considerations are big barriers for the improvement of IoT security. Today, there is no common approach to cybersecurity in IoT, which leaves the door open for device manufacturers to take their own approach, resulting in undeveloped or underdeveloped standards to guide adoption of IoT security measures and best practices.
In many cases, manufacturers designing IIoT devices are challenged to integrate effective security controls into the product design, which results in devices having little to no encryption for securing data at rest or in transit. Because security is not built into the device at the onset, users struggle with securing them after they have been implemented, constantly leaving the door open to potential cyber-attacks, which could lead to operational downtime, loss of customer data and even end-user safety hazards.
This challenge becomes compounded as users come up against other complicating factors, such as:
- Complexity of the ecosystem – an IIoT ecosystem is an amalgamation of diverse, dynamic, independent, and legacy devices that intertwine communication protocols, interfaces, and people. Such complexity hampers the ability of IT security professionals to even start with the most basic cyber hygiene, such as changing default passwords, keeping an inventory of hardware and software components on the company network or patching applications regularly.
- Intricate monitoring and management – the more complex an environment, the more likely it is that IT administrators lack visibility, access, and control over one or more of its components. Moreover, the deployment of IoT devices on legacy infrastructures and non-IP based devices also exacerbates the IT administrators’ inability to monitor and control these devices.
- Lack of IoT security awareness and knowledge – the lack of understanding of connected devices and architecture security pose a significant challenge. Most organizations don’t have a full understanding of the risk and exposures they face to protect their devices or the real impact (both positive and negative) those devices have on their security posture.
Thinking of security as an afterthought is one of the most common mistakes when building or adding new connections. IIoT can be effectively disruptive if done properly when done poorly it creates unnecessary risks.
Industrial IoT Security – Partnering for IIoT Security Success
Many organizations don’t have the skills needed to maintain, let alone build their IIoT security architecture. For that same reason, they should consider partnering with specialists when moving into this space.
Managed security service providers (MSSPs) are adapting offerings to address the needs of complex IIoT environments. As IIoT devices have different application requirements, deployment conditions and networking needs than traditional enterprise environments, MSSPs are investing in specialized capabilities to understand how to configure devices for at-scale operations and to ensure that best practices are followed for both preventative and real-time maintenance.
Businesses considering partnering with an MSSP should take into account the expertise, resources, and services their potential partner will bring to the table. They need to look for a provider that will deliver leading-edge security features such as threat intelligence and monitoring, data correlation and device management and support, while also understanding the differences between monitoring traditional networks with these unique technologies. Leadership will also need to revisit policies and procedures on risk management through an IIoT lens and use audits and assessments as enablers for the application of relevant security controls.
The influx of IoT devices has opened up new entry points into enterprise networks that cybercriminals can exploit. Whether it is in a new connection or an extension of a legacy architecture, cybersecurity must be at the core of the IIoT implementation. Organizations will need to take a defense-in-depth approach to cybersecurity if they are to be better prepared to face the threats targeting IIoT. This starts by identifying the challenges their implementations present, from the increased complexity to awareness and management. The point behind IIoT is to create a seamless connection between people, devices, and networks and drive efficiencies on an industrial scale. If this is to be achieved, cybersecurity is the one guest that cannot be late to the party.
This article was originally featured in IoT For All.