
Cybersecurity 2023: Batten Down The Hatches

CISO strategies in a time of uncertainty

Charlie Osborne

London – May 3, 2023

There is, perhaps, no more challenging time to be a chief information security officer (CISO).

Today’s cybersecurity leaders and their teams must manage cyberattacks ranging from ransomware and browser session hijacking to Business Email Compromise (BEC) and credential theft.

And, should a security incident occur, the blame is often firmly laid at their feet.

Organizations face no singular attack vector or challenge: a security incident can be caused by everything from an employee mistakenly clicking on a phishing email sent by a convincing scam artist to a zero-day exploit triggered by a state-sponsored threat group.

That being said, cybercrime techniques are constantly evolving — and this forces organizations today to become agile and proactive in their approach to cyber defense.

Cybersecurity Ventures predicts that the cost of global cybercrime will reach $10.5 trillion USD annually by 2025. Indeed, the global cost of ransomware alone is expected to exceed $265 billion by 2031, with attacks set to occur every two seconds.

As cyberattacks become more complex and the average cost of a data breach now tops $4.3 million, according to IBM, organizations must pivot from a reactive approach to cybersecurity to a proactive mindset.

Speaking to Cybercrime Magazine, Gordon Lawson, chief executive officer of Conceal, a zero-trust web-browser isolation technology provider, said that the industry is seeing the vectors for ransomware and credential theft, in particular, “becoming so sophisticated that we need more proactive measures” to protect users.

“It’s very, very difficult with something like security awareness, by itself,” Lawson said. “It’s not sufficient. Having a proactive, preventative measure is essential to protecting organizations.”


Prepare carefully

An issue that appears, time after time, is an inherent need for basic security hygiene.

Weak security controls, training with no practical value, reused common passwords, no multi-factor authentication (MFA), no zero-trust controls, unsecured endpoints, and poor visibility into existing networks are all common factors that degrade business security.

Speaking to attendees of the IDC Security Summit this month, Zac Warren, chief security advisor at Tanium, an endpoint management security platform provider, highlighted this issue — adding that by being proactive, businesses will be better prepared for when the inevitable storm hits.

“You’re just leaving your front doors open, your windows open, you’re just inviting bad actors into your house,” Warren told us. “While a lot of technology sold today is being marketed and sold towards finding and protecting organizations from zero-days, if you’ve left your front door open, why would you need to worry about ninjas coming from the skylights?”

Poor visibility and legacy systems

For many organizations, increasing visibility into their existing networks is a significant step toward bolstering security hygiene and proactive security.

Until devices, software, licenses, endpoints, data storage systems, and other corporate resources are mapped out in cybersecurity assessments, it isn’t possible to create an effective security management plan. This lack of visibility creates blind spots that threat actors could exploit, either now or in the future.

However, proactively protecting a network by casting an eye over existing resources is a challenge for many organizations working within the confines of legacy infrastructure. These environments are more common than they should be.

Legacy systems may be unsupported or non-compliant. High-level shadow accounts belonging to long-departed employees may still exist. The systems may not support modern security technologies, such as MFA or endpoint protection. Vulnerabilities, left unpatched and overlooked, may cause security incidents leading to covert surveillance, data theft, or ransomware outbreaks.

In other words, handling the security challenges of legacy systems can be a nightmare for CISOs — and today’s leaders are well aware of what problems old architectures can bring.

In Warren’s words, “If I had my way, we’d just blow [them] up and throw [them] out the window.”

Ignoring existing issues: a threat to future prospects

It’s not just about the present; failing to upgrade, modernize, and manage network security woes proactively can also impact a company’s future prospects.

Speaking to Cybercrime Magazine, Matthew Wilmot, group head of Enterprise IT and Information Security at Frasers Group, an organization that acquires failing businesses to revitalize them, told us that failing to tackle security issues proactively can cause real harm to a firm’s future prospects.

Suppose a potential acquisition is on the table, but severe vulnerabilities or evidence of network compromise are found during due diligence. In that case, this may lead to price reductions or walking away from a deal entirely.

Wilmot noted that while it never used to be necessary to “kick the tires” of legacy networks, cybersecurity concerns now influence financial decisions made by the board. IT leaders have a strong voice, and their recommendations, which require a level of security hygiene and compliance to be met, can determine whether a deal goes ahead.

“Many old systems require business decisions — whether to lift them into the existing, modern environment, or to start from scratch,” Wilmot told us. “You’re not really assessing vulnerabilities if you’re just moving their environments into your own. It’s now about having eyes internally to understand internal lateral movements [and whether they] are malicious or not. The attack vectors have changed and that means the board has to become more aware of this.”

Employees: from risks to assets

The pandemic forced organizations worldwide to rapidly shift to remote and cloud-based networking tools, taking resources off-prem and introducing remote and hybrid working to employees.

The human links in the chain often cause data breaches and security incidents — and when you introduce remote work and mobile endpoints, and expand the network outside of the office, it’s critical to adequately train staff, who have become the de facto firewalls and pathways into an organization’s networks.

It is possible to help protect employees on the ground; for example, by adopting intelligent technologies that manage connections at the mobile, browser, and cloud levels.

However, there also has to be a balance between being proactive and not frustrating employees, who, in turn, may disregard basic security hygiene and may not play by the rules, increasing overall risk.

“The challenge is that you can’t get in the way of an employee’s workflow,” Lawson commented. “Organizations want to protect users, but they also want to make sure that they aren’t totally inconvenienced.”

It requires only one successful phishing email, one malicious link clicked, or one executable laden with ransomware and triggered on a network to cause a security incident. However, cyber-aware and proactively trained staff can also become valuable defenders in their own right — notifying IT teams of suspicious or unusual activity, theft, and scams.

Perhaps most importantly, employees who are aware and consider themselves supported by their company may also feel able to report, without fear, mistakes that could otherwise trigger a broader security incident.

Mark Rayner, owner of Conceal partner Imperium Consulting, told Cybercrime Magazine:

“The humans that are actually at the computers need to understand what a threat they can be to an overall security program, but also what an asset they can be just by attending some training.”

More than a yearly class on basic security is required. To be proactive when it comes to security, modern-day businesses must invest in their staff as well as smart technologies.

If organizations take the time to train and support their employees, they can also be relied upon to keep the business operating when — not if — a cybersecurity incident occurs.

“Time and time again, I sit with an organization that’s been hit by ransomware,” Warren says. “Everybody runs around with their hair on fire because they are having to take their attention away from keeping the lights on and dealing with an attack.”

Prevention over a cure

By doing preventative work beforehand, organizations can mitigate the damage and disruption caused by inevitable attacks.

Proactive security begins with adequate security hygiene, network visibility, and education. Security is a multi-layered, complex ecosystem that requires consistent effort from leaders, IT teams, and on-the-ground employees.

CISOs need to develop programs that consider each element, ensuring that everyone in an organization is cyber-aware.

Rayner told us that it is fundamental for organizations to take a proactive approach, which also includes being mindful and flexible. As cyber threats evolve, so must our response to them.

Today’s CISOs shoulder the challenge and pressures of securing their organization, a prospect that may contribute to the high rates of burnout amongst our defenders. As a result, Rayner believes that part of being proactive should also consider the position of our CISOs, who are “underrated” and already “spread ridiculously thin.”

He wishes CISOs new to the role the best of luck, commenting:

“It’s Dante’s ninth layer of hell. Once you think you’ve got one thing sorted and done and put to bed, then four more are banging on your door.

CISOs are the most underrated people in an organization and the most abused. They are still underfunded, many organizations still don’t realize how critical they are to the company, and as a result, they don’t get the attention and the credence they should.”

As Lawson says, “They have to be right every time. The bad guys need to be right once for a breach to happen.”

Charlie Osborne is an Editor-at-Large for Cybercrime Magazine


About Conceal

Conceal provides a capability that protects people and critical assets against the most advanced threat actors in the world. We are fundamentally changing the approach to cybersecurity by creating a platform where security practitioners can see the latest threat vectors and implement enterprise-wide solutions that comprehensively protect their organization.

With our Conceal platform, we take those core capabilities and evolve them into a commercially available product that incorporates intelligence-grade, Zero Trust technology to protect global companies — of all sizes — from malware and ransomware.

Conceal is leading the fight to protect enterprises from cyber threats — if there is malware, we detect, defend and isolate it from users and the network.