Albert Einstein once defined insanity as doing the same thing over and over and expecting different results. It’s a trap many organisations have fallen into with their approach to cybersecurity. Fortunately (if you find the silver lining), there are plenty of cautionary tales from 2023 to learn from and use as a springboard to success next year. We’ve picked five key lessons business and IT leaders can learn from the past 12 months.
The past year has been one of further macroeconomic turmoil following two years of pandemic-era uncertainty. High-interest rates are turning the screw on many businesses as surging inflation dampens consumer demand for many products. Against this backdrop, it has been claimed that more organisations may fall under the ‘cybersecurity poverty line’, meaning they don’t have enough funds to build a mature security posture.
Exacerbating the challenge is the suspicion that CEOs are less inclined to use increasingly precious funds to support a (cyber) initiative that isn’t going to boost the bottom line directly. Of course, this approach would be a false economy: failure to invest adequately in cyber and ensure those funds are appropriately spent would leave organisations in a potentially precarious position. Yes, it might save funds today, but at what cost? A serious breach tomorrow may lead to millions of pounds lost in sales, customer churn, regulatory fines, and service outages. From Travelex and Code Spaces to DigiNotar and YouBit, there are plenty of examples of cyber attacks which ultimately hastened the demise of a business.
The bottom line is this: organisations can improve security posture without spending a fortune. Managed service providers can help level the playing field for those with smaller budgets, as can migrating to modern, centralised, cloud-based infrastructure. There are also security capabilities built into many popular tools like Microsoft 365 that can help to reduce cyber risk without breaking the bank.
Insider threats are less prevalent than attacks by third parties. According to Verizon, the vast majority (83%) of breaches analysed in 2022-23 were external. But two specific cases in 2023 showed us how damaging they can be. The first occurred at the Police Service of Northern Ireland (PSNI). It led to an information leak on over 10,000 officers and staff working for the PSNI after a spreadsheet containing the information in a hidden ‘pivot table’ was posted to a Freedom of Information site. A month earlier, a laptop containing more sensitive PSNI info was stolen from a car in County Antrim. Dissident republicans still operating in the region are believed to have that information.
While these incidents resulted from negligence, an even more significant breach at the US Department of Defense was the work of a malicious insider. It emerged that Jack Teixeira, a 21-year-old member of the intelligence wing of the Massachusetts Air National Guard, had shared secret Pentagon and CIA documents with members of a private Discord server. The documents were then shared widely with others online, inflaming tensions between the US and its allies and potentially even giving Russia practical intelligence on Ukrainian army movements.
Organisations would do well to absorb the lessons of both cases and several others that happened this year. That means improving incident response and the training and vetting of staff. It also means continually updating and reviewing security policies to mitigate malicious behaviour. This could mean segregating networks, restricting access on a least privilege basis, deploying behavioural analytics, and instituting a reporting system for whistleblowers.
Data breaches continue to pile up. UK government data from April revealed that 59% of medium and 69% of large firms had been hit by a data breach or cyber attack in the previous 12 months. In the US, 2023 was another record year for publicly reported breaches. That makes incident response more important than ever. As leaked Royal Mail chat logs highlighted, incident response isn’t just about contacting regulators, forensics, and patching affected systems. It could also mean negotiating with ransomware actors.
Most importantly, boards should realise by now that transparency is the best policy. That’s especially true if they’re listed in the US, where new SEC rules will mandate greater accountability and honesty. Reputation management is another under-valued but increasingly important part of best-practice incident response. Given the potential impact on CEO career trajectories, it’s something that even those at the very top should be invested in.
The past year has seen plenty of turmoil among the C-suite. Burnout has long been a problem for cybersecurity professionals, and it appears to be driving a ‘Great Resignation’ among CISOs. It doesn’t help that senior professionals are also targeted personally in legal cases following serious breaches. Former Uber CSO Joe Sullivan received three years of probation after being convicted of obstruction of justice and concealing a felony. More recently, SolarWinds CISO Tim Brown was personally named in SEC charges against the firm following a notorious 2020 breach by Russian agents.
What might the fallout be? According to experts that Assured Intelligence spoke to during the year, it could bring the CISO closer to the business by reminding boards just how vital a role managing business-cyber risk is. It could also lead to the emergence of a new market for legal support services from industry groups. CISOs keen to mitigate personal liability risks in the event of serious breach incidents should clarify their role and responsibilities, reporting lines and accountability with their employer.
The good news for many is that, even if they leave their current employer, demand is still high for experienced security leaders. That’s even after a year of cutbacks in the sector, impacting firms such as Secureworks, Dragos, Sophos and Okta. It can be seen as a period of recalibration following heavy investment by VC-backed firms during the pandemic. As high interest rates continue to weigh on business demand, some firms see revenues slump. As a result, we could see more virtual or fractional CISO roles in the coming year as security leaders pick up contract gigs from multiple clients.
Ransomware continues to be one of the most dangerous and persistent cyber threats around. From attacks on the Royal Mail and British Library to financial software company ION and countless healthcare organisations, ransomware groups have shown themselves once again to be both resourceful and utterly indifferent to the pleas of their victims. As long as organisations keep overlooking the basics and paying their extortionists once breached, criminal gangs will be prepared to launch attacks.
The question is: are governments and global initiatives doing enough? The Counter Ransomware Initiative (CRI) said that this year, it focused on disrupting attacker infrastructure, improving cybersecurity through information sharing, and fighting against ransomware actors with a shared blacklist of crypto wallets. The No More Ransom initiative has also had some success disseminating decryption keys for certain ransomware strains. Yet, with the risk of arrest so low, there will always be a steady stream of threat actors prepared to give it a go.
That will put the pressure back on organisations to proactively improve resilience and response efforts. This will require improved education programmes, regular backups, prompt patching, network segmentation and other best practices. It’s no panacea. But it will make for a less risky 2024.