Awareness of the operational, reputational and legal impact of a cyber-attack and data breach has grown in recent years. However, as shown by the recent crippling attack on the Royal Mail, rarely a week goes by without news of a major business, national infrastructure organisation, public body or charitable organisation coming under attack.
Motivated by money, notoriety or geopolitical reasons, cybercriminals continue to develop and deploy new and sophisticated attacks with ease from anywhere in the world, aimed at any type of organisation, with little fear of the consequences.
Encouragingly, 82% of UK boards rated ‘cyber’ as a ‘very high’ priority in 2022, up from 77% in 2021. However, many boards still have a significant journey ahead before they exercise their governance responsibilities effectively enough to manage and mitigate the danger posed.
In this article we will look at some of the key cyber threats and trends that organisations need to be alert to in 2023.
Ransomware is a type of malware (malicious software), deployed once a criminal has access to your network, often following a successful phishing campaign. It unlawfully locks or encrypts your files, holding the business to ‘ransom’ to decrypt them and restore operations.
Ransomware attacks continue to be a common tactic used by threat actors. The percentage of attacks increased by over 48% from 2021 to 2022 with the cost of a successful ransomware attack averaging an eye-watering $4.54 million in 2022.
The effectiveness of ransomware in eliciting payments has created an industry of cybercriminals and organised crime groups who sell their services to others for use in attacks. Ransomware-as-a-Service (RaaS) kits are readily available on the dark web and are cheap and easy to deploy, which makes a ransomware attack against your organisation easier to mount, and more likely, than ever before. RaaS and, more broadly, Cybercrime-as-a-Service (CaaS) now allow threat actors without technical ability of their own to deliver increasingly sophisticated attacks at an alarming rate.
More recently we’ve seen a growth in the prevalence of the ‘triple extortion’ tactic used by cybercriminals when deploying ransomware attacks, first seen in 2019/20 against the Finnish physiotherapy provider, Vastaamo.
Instead of just encrypting an organisation’s files to elicit a payment, threat actors are increasingly ramping up the pressure by also exfiltrating that data and threatening to leak it publicly. This is particularly worrying for organisations, as the data could contain valuable IP or even customers’ personally identifiable information (PII), which could in turn be used to defraud those customers, creating further reputational and legal implications. In addition, they are following through with a third level of extortion by threatening to make details of the incident public via social media channels, dark web forums or even by contacting journalists. Distributed Denial of Service (DDoS) attacks have also been deployed at this point. DDoS attacks cripple external systems by bombarding them with requests, generating more external awareness of the incident, further disrupting operations and increasing reputational scrutiny.
It’s important to understand that artificial intelligence (AI) can be used positively in the fight against cybercrime, helping us improve cyber security and raise defences against cybercriminals. However, as with any technology, threat actors can find ways to turn it to their advantage. Cybercriminals have already been using AI in a number of ways, and this will no doubt continue as its power and potential are further unlocked. Examples are below.
By now, most individuals will have a basic awareness of phishing, a common social engineering tactic used by cybercriminals that attempts to trick individuals into revealing sensitive information or clicking on links to download malware. As awareness has grown around the key methods used, cybercriminals have adapted to make their attempts far more sophisticated, targeting key individuals (known as spear phishing or whaling) to gain a bigger payoff.
Phishing campaigns will continue to grow in sophistication, appearing more legitimate than ever before. It is therefore important that individuals know what to look out for, and that your technology is set up to catch campaigns before any damage can be done wherever possible.
A threat actor can gain access to your infrastructure in a number of ways. They may exploit new vulnerabilities in your systems, attack systems that are no longer supported or target your people with social engineering tactics. More recently there has been growth in supply chain attacks via an organisation’s third-party suppliers.
For example, a cybercriminal can target a supplier or sub-contractor of a company that has less robust security measures, and then use that entry point to access the larger organisations in the supply chain.
It will be particularly important in 2023 for organisations to take steps to secure their supply chains to prevent these kinds of attacks. The attack against SolarWinds in 2020 is regarded as one of the biggest cyber breaches of the 21st century.
Cyber insurance has grown in prevalence and importance over the last few years as a way to mitigate the financial risk of a successful cyber incident. For example, it can help cover losses from business interruption, data recovery, legal liability, incident response or even extortion costs (although we would never suggest you pay a ransom demand, if at all possible).
However, such insurance has been said to fuel the ‘ransomware pandemic’ we are now facing, as organisations have relied on insurance to cover the cost of a ransomware payment, thereby rewarding and perpetuating further ransomware attacks.
As a result, it is not uncommon for cyber insurance premiums to have doubled in the last year, and we expect this trend to continue into 2023. Although insurance is an important piece of the cyber puzzle for many businesses, it cannot be seen as a substitute for good cyber security practices. Organisations must take steps to implement robust security measures across their full ecosystem, including their supply chain. As we have discussed, the impact of a successful cyber-attack is not just financial.
Cybercrime is everywhere and impacts everyone. No type of business or sector is immune, and it is not a case of ‘if’ you will be attacked, but ‘when’. Organisations need to take a proactive approach to cyber security or face dire consequences when the inevitable happens.
Cyber security cannot be seen as a solely technical issue and be left to a company’s IT function to manage. Leadership must fully understand their governance responsibilities if they are to effectively manage the entirety of this significant risk.
Nevertheless, there are a number of relatively cost-effective measures that organisations can, and should, take to increase their resilience. Below is a short, and by no means exhaustive, list of key areas to address.
Please contact Tim Robinson if you would like to discuss this topic further. We work with many organisations to help them understand their cyber position, build resilience and respond in the event of an incident.