Data security – how to keep pace in the cyber arms race

Threat actors are becoming increasingly diverse, cooperative and sophisticated. Keeping them at bay demands a focus on ‘security hygiene’, systematic risk analysis and information-sharing

Fuelled by human intrigue and technological experimentation, cybercrime has become a global industry, turning over an estimated $1.5tn (£1.24tn) last year.

The adoption of advanced technology by civil society has always been mirrored by those seeking to use it for unlawful purposes. As internet usage proliferated in the noughties, cybercrime started to become a lucrative business and an item on boardroom agendas, but a new kind of threat has emerged in recent years.

High-profile incidents – including the WannaCry ransomware attack that froze NHS systems; the Stuxnet worm that damaged Iran’s nuclear programme; and serious data breaches at Target, Yahoo and Equifax – have shown that cybercrime has become a full-time enterprise for activists and state-backed actors as well as felons.

Some of these entities are collaborating and trading tools and services anonymously on the dark web. It all points to a growing professionalism of cybercrime, where groups are structured like enterprises and have been known to advertise jobs, offering up to $20,000 a month for highly skilled practitioners.

“There has almost been a democratisation of threat actors,” notes Jonathan Jaffe, CISO at US-based insurer Lemonade. “You have a variety of simplified services, requiring fewer skills and making the field more accessible to threat actors. Out of that, you get interesting, complex, organised institutions.”

New attacks show growing criminal sophistication

Such democratisation has also given cybercriminals the chance to increase the scale and efficiency of their attacks. Security researchers have found early experimentation with conversational AI tools such as ChatGPT for phishing scams, the use of cloud platforms to automate attacks and the adoption of bitcoin and other cryptocurrencies for payments that are hard to attribute (they are pseudonymous rather than truly untraceable, as several ransomware seizures have shown).


Ransomware’s share of breaches rose by around 13 percentage points in 2022, an increase as large as that of the preceding five years combined, according to Verizon’s Data Breach Investigations Report. It’s no wonder when the business model – infiltrate a firm’s network, encrypt its data and extort payment for the key, increasingly while also stealing a copy and threatening to publish it – continues to prove successful.

Newer lines of business have been burgeoning too. Under the cybercrime-as-a-service (CaaS) model, malware developers, hackers and others market what they can do online; for instance, ‘access-as-a-service’ offerings from so-called initial access brokers sell entry into corporate networks that have already been compromised.

Such a high level of criminal sophistication is proving a headache for both businesses and governments. Taking down the complex infrastructure that supported the Hive ransomware required the combined efforts of law enforcement agencies in 13 countries, for instance.

The problem has led some key institutions, such as the World Economic Forum, to suggest that the cyber defences of many businesses, governments and individuals are being rendered obsolete at an alarming rate.

Christopher Adjei-Ampofo, CIO and CISO at digital trading platform Uphold, has witnessed such sophistication at close quarters. Criminals recently spoofed his firm’s hiring process, writing job adverts, conducting online interviews and sending employment contracts, thereby fooling prospective recruits into thinking that they’d been selected. These ‘employees’ all bought laptops and shipped them to the threat actor in the belief that they were following instructions to send their devices to Uphold for configuration.

“There is an army of people – and they are so sophisticated,” he says.

Intricate scams of this type do at least seem relatively rare. Jaffe says that low-level ID phishing and port-scanning attacks are the most common, while Ash Hunt, CISO at financial services firm Apex Group, reports that “about 90% of the loss exposure I’ve seen is driven by accidents. It’s death by a thousand cuts – the tiny issues that are low in severity but high in frequency.”

How can CIOs and CISOs respond to the heightened threat?

Vicki Gavin, head of information security at education firm Kaplan International, argues that maintaining an effective defence comes down to ensuring good ‘security hygiene’. This entails regularly reviewing your systems and procedures.

“You don’t just install a lock on your front door and think ‘my work here is done for the next 25 years’,” she says. “You’re constantly re-evaluating whether you have the right protections in place. Whether you’re talking physical security or cybersecurity, it’s the same thing.”

Technology and security chiefs have long extolled the virtues of a layered, defence-in-depth approach. This is espoused by the US National Institute of Standards and Technology’s Cybersecurity Framework, whose core functions – identify, protect, detect, respond and recover, joined by govern in version 2.0 of the framework published in 2024 – recognise that response and remediation are as important as detection.

There is an understanding that there is no silver bullet for cybersecurity, but also a belief that an effective defence starts with people rather than technology.


The CIO, or the CISO where a firm has one, must have boardroom accountability for security and enough budget to invest in the necessary resources and to introduce security principles earlier in the software development life cycle. Robust awareness programmes should send a strong message that cybersecurity is everyone’s responsibility.

“You’ll need to engage the hearts and minds of your board colleagues,” Gavin stresses. “And you don’t make that happen just by quoting stats.”

Hunt believes that CISOs and CIOs must take a more analytical approach to risk if they’re to stand any chance of mounting an effective defence against each fast-developing cyber threat.

“They need to do risk analysis modelling, a decision-based approach under which they can work out which events are most likely to occur and generate the highest amount of loss,” he says. “They can then use that information to inform investment decisions.”
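To make the risk-modelling approach Hunt describes concrete, here is an added worked example; it is not code from the article or from any of the firms quoted. It follows the FAIR-style pattern of describing each loss scenario by an annual event frequency (Poisson) and a 90% confidence interval on the loss from a single event (fitted to a log-normal), then uses a Monte Carlo simulation to rank scenarios by expected annual loss and by tail loss. The three scenarios and every frequency and loss figure are constructed for illustration only.

```python
"""Quantitative cyber-risk model: added worked example, not code from the article.

Each scenario is described FAIR-style by an expected number of loss events
per year (modelled as Poisson) and a 90% confidence interval on the loss
from a single event (fitted to a log-normal). A Monte Carlo run turns that
into an annual-loss distribution so scenarios can be ranked by expected
annual loss and by tail loss. Every figure below is constructed.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # mean loss-event frequency (Poisson rate)
    loss_low: float         # 5th percentile of single-event loss
    loss_high: float        # 95th percentile of single-event loss


# Constructed illustration data; replace with your own loss history and estimates.
SCENARIOS = (
    Scenario("Ransomware with data theft", 0.05, 500_000, 5_000_000),
    Scenario("Phishing leading to account takeover", 6.0, 5_000, 100_000),
    Scenario("Accidental data exposure (misdirected email etc.)", 40.0, 500, 20_000),
)

Z95 = 1.6448536  # standard-normal 95th percentile


def lognormal_params(p5: float, p95: float) -> tuple[float, float]:
    """Fit a log-normal to a 90% interval on single-event loss.

    ln(loss) is normal with mean mu and sd sigma, so ln(p95) - ln(p5) = 2 * Z95 * sigma.
    """
    mu = (math.log(p5) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p5)) / (2 * Z95)
    return mu, sigma


def expected_annual_loss(s: Scenario) -> float:
    """Closed form: frequency x mean single-event loss, where the mean is exp(mu + sigma^2 / 2)."""
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    return s.events_per_year * math.exp(mu + sigma * sigma / 2)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method; adequate for the modest rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 10_000, seed: int = 7) -> list[float]:
    """One simulated year = a Poisson number of events, each drawing its own loss."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    out = []
    for _ in range(years):
        n = poisson(rng, s.events_per_year)
        out.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return out


def percentile(values: list[float], q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))]


def summarise(s: Scenario, years: int = 10_000, seed: int = 7) -> dict[str, float]:
    losses = simulate_annual_losses(s, years, seed)
    return {
        "simulated_eal": sum(losses) / len(losses),   # expected annual loss
        "analytic_eal": expected_annual_loss(s),
        "p99_annual_loss": percentile(losses, 0.99),  # roughly a 1-in-100-year year
        "prob_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def rank_scenarios(scenarios=SCENARIOS, years: int = 10_000, seed: int = 7):
    """Scenarios ordered by simulated expected annual loss, highest first."""
    rows = [(s.name, summarise(s, years, seed)) for s in scenarios]
    return sorted(rows, key=lambda r: r[1]["simulated_eal"], reverse=True)


if __name__ == "__main__":
    for name, m in rank_scenarios():
        print(f"{name:<50} EAL {m['simulated_eal']:>12,.0f}  "
              f"p99 {m['p99_annual_loss']:>12,.0f}  P(loss>0) {m['prob_any_loss']:.2f}")
```

With these constructed inputs the high-frequency, low-severity accidental-exposure scenario tops the expected-annual-loss ranking while the rare ransomware scenario dominates the 1-in-100-year tail, which is the pattern Hunt describes and the reason a decision-based approach needs both metrics: expected loss drives day-to-day control spending, tail loss drives insurance, reserves and recovery capability.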

CIOs and CISOs should also mandate and lead routine incident-response exercises, while their regular engagement with the boardroom on security matters can build trust, improve alignment and even encourage more investment. Jaffe recalls that, when he worked as a cybersecurity consultant, he had a client in clothing retail. “At that company, the board said: ‘Here’s $60m – don’t be the next Target.’”

Yet he believes that broad cooperation among the potential targets of cybercrime is the best way to keep the collaborative criminals at bay. To this end, Jaffe wishes that state agencies, security vendors and supply chain partners would share more intel. He accepts that there is understandable resistance to doing this, especially among organisations that have fallen victim to attacks.

Such businesses will “only want to make public what information they’re obliged to reveal, for PR or regulatory reasons. So that does prohibit organisations from sharing useful knowledge before their peers are also hit.”

Adjei-Ampofo agrees, citing a case where Uphold identified someone who’d stolen a customer’s assets. The firm worked with the trading platforms to lock those funds, but the money eventually had to be released on a legal technicality, partly because the FBI’s response was too slow.

“That”, he says ruefully, “was a lost window of opportunity.”