Raconteur: 2022 Cybersecurity and IT Governance Report (English edition) (12 pages).pdf


INDEPENDENT PUBLICATION BY RACONTEUR.NET
08/05/2022 #0805

CYBERSECURITY & IT GOVERNANCE

Why do we have such a hard time with passwords? Find out more on page 3

Contributors

Alison Coleman: Writer and editor, senior contributor at Forbes, with articles published in The Guardian, Quarterly and others.
Jonathan Evans: Journalist specialising in HR, the future of work and leadership, with work published in The Independent, Metro and PA.
Sam Forsdick: Raconteur's staff writer, specialising in technology and the future of work. He has written for I-CIO, NS Business, Press Gazette and New Statesman.
Tamlin Magee: A London-based freelance journalist specialising in technology and culture for a range of publications.
Kate O'Flaherty: An award-winning cybersecurity and privacy journalist, writing on issues that matter to users, businesses and governments.
Charles Orton-Jones: PPA Business Journalist of the Year, former editor of EuroBusiness, specialising in fintech and startups.
David Stirling: A freelance journalist specialising in news and features for national newspapers and business magazines.
Chris Stokel-Walker: Technology and culture journalist and author, with bylines in The New York Times, The Guardian and Wired.
Emma Woollacott: Journalist writing about business, technology and science, and a regular contributor to the BBC News website and Forbes.

Although this publication is funded through advertising and sponsorship, all editorial is without bias and sponsored features are clearly labelled. For an upcoming schedule, partnership inquiries or feedback, please call +44 (0)20 8616 7400 or e-mail. Raconteur is a leading publisher of special-interest content and research. Its publications and articles cover a wide range of topics, including business, finance, sustainability, healthcare, lifestyle and technology. Raconteur special reports are published exclusively in The Times and The Sunday Times as well as online. The information contained in this publication has been obtained from sources the Proprietors believe to be correct. However, no legal liability can be accepted for any errors. No part of this publication may be reproduced without the prior consent of the Publisher.

PENTESTING: How to hire a penetration tester and make use of their advice
CYBER BREACH: Negligence or lack of training: who's to blame in the wake of a breach?
TECH STRATEGY: Five strategies tech leaders are using to protect their

Lead publisher: Sophie Freeman
Deputy editor: Francesca Cassidy
Sub-editors: Neil Cole, Gerrard Cowan, Christina Ryder
Commercial content editors: Laura Bithell, Brittany Golob
Head of production: Justyna O'Connell
Design and production assistant: Louis Nass
Design: Celina Lucey, Colm McDermott, Sean Wyatt-Livesley
Illustration: Kellie Jerrard, Samuele Motta
Managing editor: Sarah Vizard
Design director: Tim Whitlock
Reports editor: Ian Deering

STRATEGY

Shields up as new cybersecurity strategy looks to the future

Are the UK's latest plans to develop the country's cyber capabilities sufficient to deal with the latest digital threats?

Sam Forsdick

An imminent cyber attack is an inevitability. Research by cybersecurity firm Trend Micro shows that more than three-quarters of global organisations expect to be successfully hacked in the next 12 months. Changes to the way we work have increased the likelihood of cybersecurity breaches. Remote working and cloud computing are highlighted as two of the most high-risk factors. The current geopolitical climate is another significant factor. The Five Eyes intelligence alliance warned recently of increased malicious cyber activity from Russia since the invasion of Ukraine.

The revelation that details of UK government employees appeared on Russian sites makes the success of the UK government's recently revised cybersecurity strategy even more crucial to secure the country and businesses within it.

In January, the UK government's National Cyber Strategy set out its three-year vision to improve the country's digital resilience. It focuses on five pillars: strengthening the cyber ecosystem; improving resilience; developing new technologies; international influence; and countering threats. It lays out plans to expand the existing approach of 2016 to 2021, with the ambition of making the UK a global leader in cyber.

Dan Patefield is head of the cyber and national security programme at TechUK. He believes the National Cyber Strategy continues "the robust leadership" the UK government has taken across the cyber domain over the past decade. "The UK has built strong foundations, enabling the industry to strengthen its cyber resilience in the face of the ever-growing threat landscape," he says.

One of the key differences between the previous strategy and the revised one is the onus it places on the whole of society to improve the country's cyber capabilities. Although it is a government-led strategy, there is a much greater emphasis on the responsibility of the private sector and citizens to manage cyber risks.

As Chancellor of the Duchy of Lancaster, Steve Barclay's responsibilities include oversight of the Cabinet Office's cybersecurity remit. Speaking at the strategy's launch, he said: "The new National Cyber Strategy sets out a clear vision for building cyber expertise in all parts of the country, strengthening our offensive and defensive capabilities and ensuring the whole of society plays its part in the UK's cyber future."

This change in tack is one that David Woodfine, managing director of Cyber Security Associates, welcomes. "People think cyber is all about technology," he says. "But cybersecurity involves people, processes, culture and society. By focusing on the cyber ecosystem of the UK, we're not relying on the big technology companies to protect us. We're encouraging everyone to be cybersecure and to improve awareness."

Ransomware is malware which targets individuals. In its 2021 review, the National Cyber Security Centre warns that it is "the most significant cyber threat" facing the UK. Similarly, Verizon's 2021 Data Breach Investigations Report showed that 85% of attacks involved a human element, highlighting the need for greater education in cybersecurity and justifying the National Cyber Strategy's society-wide approach.

Woodfine was involved in the development of earlier iterations of the UK's national cybersecurity strategies, when he was at the Ministry of Defence. "In some regards, people are our weakest points in cyber defence. But if we get it right, people can equally be our strongest defence mechanism," he says.

The new strategy also emphasises the importance of resilience, something that Dayne Turbitt thinks is "critical". Turbitt is senior vice president and UK general manager of Dell Technologies, a company that has worked closely with the UK government to help devise its cyber strategy.

The foreword of the strategy references the importance of using technology suppliers that share the UK's values. This provides an opening for UK-based technology companies to work across the country's critical national infrastructure. "It gives a great opportunity for us here in the UK to serve our customers and help them through their cyber strategy," he says.

The new strategy also recognises the need for a more "diverse and technically skilled workforce" to create a more internationally competitive sector. Currently, more than half (53%) of the UK's 1,838 cybersecurity firms are registered in London and the South East, employ 45% of the country's cyber professionals and account for 91% of external investment.

Steps are underway to address this regional imbalance. The 12 government-funded cyber clusters, which are located across the length and breadth of the UK, are being instructed to strengthen their links between local business and academia and to encourage greater collaboration across the UK.

As chair of Gloucester's Cyber Tech group, Woodfine has seen how closer interactions between schools, universities and businesses can improve pathways for people to get into the cyber industry. "The strategy provides a good building block but I would like to see a concrete plan," he says. "We can see the strategies and the plan for the next 36 months. But as a business owner, I'd like to know how I can influence it and understand how we're going to protect the UK digital infrastructure of the future."

There is also an emphasis on improving education and skills in this area. There has long been a digital skills gap in the UK; Turbitt describes cyber talent as being as "rare as hen's teeth". The strategy document addresses this with the promise to "expand the nation's cyber skills at every level". But there are few details on how this can be achieved, beyond upskilling teachers and encouraging more young people to take up cyber.

"Arguably, the government hasn't done enough to increase the take-up of STEM subjects," he says. "But it isn't just the responsibility of the government. It's the responsibility of industry, in partnership with the government, to figure out how we address this and any spotlight on this topic is a great thing."

As an initial document, there seems to be wide agreement that the National Cyber Strategy addresses many of the key challenges currently facing the sector. Turbitt believes that it's now up to the private sector to "step into the breach". "What will follow from this is investment of public money in these areas. And it will then be beholden to UK industry to work within that framework to go and execute it," he says.

HOW OFTEN ARE UK BUSINESSES ATTACKED?
Frequency of cyber breaches experienced by UK businesses (sources for this and the following chart: Ipsos MORI, 2021; Hiscox, 2021)
Only once: 19%
Less than once a month: 22%
Once a month: 6%
Once a week: 29%
Once a day: 14%
Several times a day: 7%
Do not know: 2%

A SPIKE IN CYBER SPENDING
Cybersecurity as a percentage of IT spend in the UK
2020: 12%
2021: 20%

THE RISE OF PHISHING

More than 320,000 people reported being a victim of phishing in the US in 2021 according to the FBI, up by a third compared to the previous year. It is by far the biggest cause of cybercrime and can have devastating consequences on people and businesses. Yet organisations continue to be caught out as hackers take advantage of the Covid pandemic and the ability to be more personal in their attacks.

The different types of phishing
Bulk phishing: indiscriminate attacks sent to many people in an organisation
Spear phishing: targeted attacks on specific people in an organisation
Whaling: attacks against high-value targets in an organisation
Smishing: using text messages as the source of the attack
Vishing: using phone calls or voice messages as the source of the attack

THE MAJORITY OF ORGANISATIONS HAVE FALLEN VICTIM TO PHISHING ATTACKS
Percentage of global IT workers who say their company was the target of a phishing attack, both successful and unsuccessful, by attack type (bulk phishing; business email compromise; email-based ransomware attacks; smishing; social media; vishing; spear phishing and whaling) and by number of attacks (no attacks; one to 10 attacks; 11-50 attacks; 50+ attacks; total unknown). Chart; Proofpoint, 2022.

PEOPLE ARE FALLING FOR PHISHING ATTACKS
Percentage of employees who say they fell for a phishing scam at work in the past 12 months (Tessian, 2022)
Phishing email: Yes 26%; No or don't know 74%
Smishing attack: Yes 32%; No or don't know 68%

PHISHING ATTACKS ARE ON THE RISE
Number of phishing websites, determined by the unique base URL found in phishing emails, by quarter from Q4 2013 to Q4 2021. Chart; APWG, 2022.

THE TOP FIVE CYBERCRIMES IN THE US
Instances of each cybercrime reported to the FBI in 2021 (Federal Bureau of Investigation, 2022)
Phishing: 323,972
Extortion: 39,360
Identity theft: 51,629
Personal data breach: 51,829
Non-payment or non-delivery: 82,478

PHISHING ATTACKS HAVE REAL-WORLD CONSEQUENCES
Percentage of global IT workers reporting the following as results of successful phishing attacks (Proofpoint, 2022)
Credential or account compromise: 54%
Ransomware infection: 48%
Loss of data or intellectual property: 46%
Malware other than ransomware: 44%
Reputational damage: 27%
Widespread network outage or downtime: 24%
Advanced persistent threat: 22%
Financial loss, or wire transfer or invoice fraud: 18%
Zero-day exploit: 17%
Financial penalty or regulatory fine: 15%
Breach of customer or client data: 11%

FINANCIAL SERVICES IS THE MOST TARGETED INDUSTRY FOR PHISHING ATTACKS
The most targeted industries in the fourth quarter of 2021 (APWG, 2022)
Financial: 23.2%
SaaS, webmail: 19.5%
Retail and ecommerce: 17.3%
Payment: 9.3%
Social media: 8.5%
Cryptocurrency: 6.5%
Logistics and shipping: 4.1%
Other: 11.6%

Commercial feature

Why do we have such a hard time with passwords? Here's the answer

Passwords have been with us in some form or another since the dawn of computing. Yet we're only marginally better with them today

Memory remains something of a mystery. Neuroscientists everywhere are working to unlock the secrets of human memory, many of which continue to elude us. But one theory posits that we don't usually remember our original memories; we remember the last time that we remembered them, like copies of copies of copies.

The nature of our digital lives necessitates that we create more complicated, unique combinations of letters, spaces, phrases, upper-case, lower-case, signs and symbols in order to access the services we rely on at home and at work. These are only growing: a recent study from LastPass shows 90% of people have as many as 50 online accounts. Given our time-pressed lives, is it any wonder that, even in 2022, the top five most common passwords leaked to the dark web were 123456, 12345678, Qwerty, Password, and 12345?

While 90% of internet users are worried about having their credentials stolen, a staggering 83% wouldn't know if their passwords had been leaked to the dark web. The majority of people reuse passwords across accounts, and 45% don't change passwords even after a known breach, leaving personal accounts and organisations wide open to attack.

In terms of user safety, there's clearly a mismatch at play here: while users correctly perceive the danger of credentials theft, they're not doing anything about it. Today, a single compromised account can easily create a disastrous domino effect where not only the original target suffers, but so do their contacts, suppliers, and everyone else in their wider network; in fact, recycled passwords are often the first point of entry into conducting a successful supply-chain attack. Financial and reputational damage can easily spiral out of control, and one stolen credential is all it might take.

In spite of their ubiquity (the password has, after all, been with us since the earliest days of computing) passwords remain a fundamental weak spot. Ultimately, they rely on end-user choice. Security teams can implement some measures, but they are limited in the guidance they can really enforce, or the technical guardrails they can install. Weak or recycled passwords are a case of human fallibility, and that's unlikely to change provided humans remain fallible. Which we will.

Attackers are all too aware of these vulnerabilities in human psychology and so security teams need to be too. People haven't evolved to memorise frequently changing generated passwords; it's just not something that's been a part of our evolutionary history. So while it's true that every user has a role to play in the safety of their organisation, it's not possible or even desirable that everyone becomes a security-obsessed password expert. It's up to organisations to implement safeguards, maintaining a balance between usability, security, and keeping the onus of responsibility away from weighing too heavily on the user.

But the idea that people are a weak link in security is perhaps an unfair misnomer. People are people, and as such, systems should be built around their blind spots, patterns, or bad habits to help guard against them. That's why it's so important to understand the psychology at play.

"As humans, we have finite cognitive resources that we use to navigate our everyday lives," explains chartered psychologist and professor of psychology at Bournemouth University, John McAlaney. "Workplaces can be very intense, requiring us to pay attention to multiple things at once; we are continually in a state of having to prioritise."

Picture being on a drive and spotting flashing lights in your rearview mirror. It's an emergency vehicle, and you reflexively prepare to move aside: a quick, impulsive decision, but the correct one. These intuitive reflexes are often a strength, but they can be a weakness too: "Sometimes making a quick decision based on limited information will result in an incorrect decision," says McAlaney, "and this could be the case with password safety."

If an individual is juggling a lot of tasks, they may not prioritise security. This "doesn't mean they don't understand its importance or are being lazy," McAlaney adds, "it's often just the case people feel they have many other tasks that need to be done with limited resources."

Bolting the digital doors

Fortunately, there are both technical and cultural initiatives that organisations can take to make our digital lives a little more secure. In our homes, it only takes an intruder one entry point to pry open access everywhere. In the digital world, the same is true, but at a far larger scale: one set of stolen credentials could leave your whole organisation's network open for attack.

With good reason, it's socialised into us to lock the doors and windows when we leave our homes. A single pin tumbler lock is worryingly simple for any would-be intruders to pick, and that's why most homes reinforce front and back doors with more secure systems like deadbolts. A simple plaintext password is the digital equivalent of that pin tumbler. It's a deterrent, but easily cracked.

But deadlier still are default passwords. Internet-connected devices on your network, including routers or CCTV systems, will often ship with default passwords enabled. Leaving these in place means you're "basically leaving your keys in the door," says professor of cyber security at Ulster University, Kevin Curran. "There are search engines like Shodan which crawl the web for connected Internet of Things devices, and hackers will try defaults on all of them."

The number one rule, then, is to use different passwords all the time, everywhere. "One should have a reputable password manager which will create complex, strong passwords," Curran comments. These are then stored in an encrypted vault. "You then only need to remember one master password, and the password manager will automatically take care of logging you into different sites with secure passwords."

However, password managers only work if individuals fully trust them to generate and safely store passwords, and users need to have them installed on every device they use to access their accounts, points out CIO of Endava, Helena Nimmo. LastPass's business password manager, for example, protects all endpoints across the organisation, wherever employees work, with full control for IT over deployment and policies. Suggesting and managing unique, strong passwords, the secure manager reduces the number of passwords employees have to remember and, as such, helps mitigate poor password hygiene.

Organisations can improve password security by combining multiple approaches. Encouraging employees not to share passwords across personal and company accounts, and suggesting employees use sentences, for lengthier passwords, is a good start. "Securing the password management process with multi-factor authentication, which relies on a PIN or biometrics, and making sure that passwords are changed regularly by everyone within the organisation, without exception, are also good practice," says Nimmo.

Measures like these can fit into a cybersecurity by design framework, says Curran, where security staff help to craft a set of pragmatic guidelines so that organisations can more completely consider the full remit of protections and processes that should be in place.

Businesses need to have a holistic understanding of cybersecurity as an organisation-wide risk, along with all their legal and regulatory implications, and password awareness is part of this. Organisations should train staff, identify which risks to avoid, accept, and mitigate, and communicate business-wide policy to senior management. However, even with training, it can often take people to make a mistake themselves before they learn. Security teams could consider sending phishing emails containing fake malware to employees, which, when activated, educate them on their mistakes.

Culturally, employees take their cues from leadership, adds McAlaney, so if they feel senior management are only paying lip service to security, staff are less likely to invest in the topic themselves. Leadership need to practise what they preach as well as training staff.

Increasing knowledge doesn't necessarily lead to behaviour change, and this is where a lot of education initiatives fall down: merely having employees sit through a seminar or online course is not necessarily going to make anyone behave more securely. Knowledge helps, but it doesn't definitively translate into action.

"Instead, you need to understand what barriers are preventing the employees from changing their behaviour, such as the conflict between the need for security versus the pressure to be productive," says McAlaney. "If an organisation finds half their staff did not change passwords after a breach, then the first step should be to open a genuine, non-judgemental dialogue with employees to find out what's stopping them from making these changes, then finding a way forward taking these issues into account."

For more information, visit [link not captured].

Six tips to guard your digital doors

There's no fool-proof way to protect any organisation, but keeping some principles in mind, from culture through to technology, implementation, and ongoing maintenance, can go a long way to help.

1. Embed security in your culture. Create a culture where all levels of the organisation understand and value security, and where staff feel comfortable reporting mistakes. However, accept that raising awareness is not always enough to change behaviour, advises Bournemouth University's John McAlaney. Businesses can hit a wall if they think security culture ends at training.

2. Be cyber smart. Phishing, smishing (text or SMS), and vishing (voice call) attacks are on the rise. Carefully review any messages you receive by double-checking the sender's email address. Be on the lookout for poorly written email copy, and don't blindly accept any MFA requests.

3. Set up your cybersecurity tools. Technology makes securing you and your data a lot easier. Implementing solutions like a password manager and multi-factor authentication (MFA) will secure your data and bolster best practices.

4. Update your software. Cyberattacks often target vulnerabilities in older applications. If you receive an alert from Apple, Microsoft, or Google about an urgent security update, install it right away. The same applies to smart home devices or other Internet of Things (IoT) gadgets.

5. Conduct an audit. Do you know where your data is? Is every piece of information protected? Have you shared any sensitive credentials? Try to map out where your data is, who might have access to your information, and take a digital headcount.

6. Trust your gut. If money or highly sensitive information (like your National Insurance number) is requested and the sender needs it quickly, take a moment to assess the situation. Don't be afraid to ask questions and get all the facts before pressing send.

PASSWORD PSYCHOLOGY
How good are people's password knowledge and habits? (LastPass, 2021)
What people say: 83% of people would not know if their information was on the dark web; 90% of people have up to 50 digital accounts to protect; agree that compromised passwords are concerning; know that using the same password or a variation is a risk (figures given for the last two items: 79%, 92%).
What people do: rely on their memory to keep track of passwords; always or mostly still use the same password or a variation; don't change their password even after a known breach (figures given: 65%, 51%, 45%).

BIOMETRICS

Fingerprints crossed: are biometrics secure?

Tamlin Magee

An intelligence agent stalks a corridor, landing on an imposing security door. Leaning into a panel that brushes its frame, they put their face into position and, with a satisfying series of computerised bleeps and boops, their identity is confirmed: the portal opens.

These body-powered gateways were once firmly part of science fiction. But today, most of our devices feature fingerprint scanners and facial recognition software. Our unique biological traits make biometrics a secure and convenient means to authenticate our identity. Given the alarming frequency that plain-text passwords are leaked online, it's little surprise that consumer technology companies and enterprises are using biometric information such as voice, face or fingerprints to authenticate a user's identity.

"Increasing the length and complexity of passwords increases their resilience to a so-called brute-force attack, which attempts to try all the possible combinations of characters," says Steven Furnell, IEEE senior member and professor of cybersecurity at the University of Nottingham. "Advice from the National Cyber Security Centre is to build longer passwords by combining three random words. But, unfortunately, that isn't always guaranteed to work, as some systems and services still insist on checking composition and demand a mix of character types."

No matter the complexity of a passphrase, it can't compete with the robustness of biological information for identity authentication. While a single password could leak onto the web and cause all kinds of chaos, flesh and blood are much trickier to copy. So, biometrics would seem to be an appropriate alternative. Indeed, Furnell says they're the "key to non-intrusive, frictionless security".

But there may be hidden dangers in relinquishing our biological information to the digital sphere, and what feels frictionless today could come at a cost in future.

Take the US's withdrawal from Afghanistan in 2021. Not only did it leave citizens at the mercy of the Taliban, it also left their biometric data up for grabs. In 2007, the US trialled Handheld Interagency Identity Detection Equipment in Afghanistan, which recorded fingerprint, iris, and facial data. The technology was developed to locate insurgents, then US forces subsequently extended their use to those who cooperated. Ultimately, the personal data of more than 1.5 million Afghans was matched against a database of biometric data and stored in a centralised repository. When this fell into the wrong hands, it revealed information about individuals who had worked with the US, placing them at risk.

These databases, whether created intentionally or as accidental by-products, are one of the chief issues of biometric security, says Britain's Biometrics and Surveillance Camera Commissioner, Fraser Sampson. "At a simplistic level, biometrics is about measuring and matching. And for matching, a biometric needs a comparator," Sampson explains. "A collection of comparators is a database. And if you retain biometric material, you've created a database."

There are many issues with centralised databases; one is that they're prone to leaking. When you throw biometric data into the mix, complications that are reminiscent of humanity's darkest moments come to the fore. In the field of biometric surveillance, says Sampson, one person's idea of protection may be someone else's idea of oppression. "While humanitarian uses of biometric identity can save lives, the same biometric data can be used for domination and exploitation," warns Sampson. "It can be used to marginalise and persecute people on grounds of race, ethnicity and religion."

The benefits of biometrics (their uniqueness, their incontestable ties to real humans) are exploitable as their weaknesses, too. The abilities of determined, capable hackers with resources should never be underestimated. While biometrics are generally difficult to spoof right now (especially as, for many hackers, lower-effort attacks are more fruitful) what is true today may not be the case tomorrow, as attackers leverage better computing and become more sophisticated.

"Nobody I'm aware of has yet been able to demonstrate an unhackable system," Sampson says, "or an unreachable database. The stakes make it worth it, whether that's hostile state activity or reconnaissance, or commercial hacking. If there's a commercial value to crack something, you can sell that."

Fingerprints, voice, and facial recognition have all been touted as the next step in the evolution of online security. But should we hand over our unique physical traits so readily? As the use of biometrics increases and converges, there will likely be fewer, but bigger, databases if these trends continue. While this would reduce the likelihood of breaches and errors, it would increase the impact of compromised security.

That said, it's "not impossible, but it is very hard for someone to spoof a biometric". So says Heather Vescent, futurist and co-author of Six Principles for Self-Sovereign Biometrics. It's unlikely, then, that cyber researchers and attackers will arrive at an impasse soon, locked in an endless game of Whac-A-Mole, as is the Sisyphean case with traditional perimeter defence.

But, Vescent adds, the best security on the planet can be useless if stored incorrectly. "Any data is only as secure as the system in which it is stored," Vescent says. "Sometimes these systems can be easily penetrated due to poor identity and access management protocols. This has nothing to do with the security of biometrics. It's to do with the security of stored data.

"This means the real concern about using biometrics is about how data is stored, how secure the system is, and how much control the owner of the biometric has over it."

In Six Principles, Vescent and her co-authors advise that to reduce these risks, biometrics should not be stored in centralised databases. Crucially, users should own and be able to control their biometric data. This data should also be just one component in a wider security landscape: for example, as a supplementary measure, used to provide confidence ratings, or in tandem with other proven techniques such as passphrases.

For Sampson, one of the main questions is avoiding the potential for state overreach. To prevent this, biometrics-based initiatives should be conducted in partnership with trusted private sector providers; these should be auditable, transparent, and conducted under agreed governance arrangements and standards.

But before we race towards using our faces, fingerprints and voices as a salve for all our security woes, perhaps it's worth properly considering the potential for undesirable, second-order consequences. After all, if we waive over all that makes us uniquely human in the name of security, what do we have left?

BIOMETRICS ON THE RISE
Biometric authentication and identification market value worldwide. Chart; MRFR, 2021.

Crossfire-proofing for British firms

Ukraine's cyber conflict with Russia has intensified, increasing the risks of collateral damage far beyond their borders. SMEs in particular need to reinforce their digital defences

Alongside the carnage that's taking

107、place on the ground in Ukraine,a theres a parallel war being waged in cyberspace.Ukraine and Russia are highly IT-literate societies with infrastruc-ture that relies on digital technology,which is why theyve been going to great lengths to try to bring down each others systems.In fact,Russia has been

108、 mounting cyber attacks for decades,with hostilities intensi-fying significantly after it seized the Crimean peninsula from Ukraine in 2014.Electricity supplies have been a prime target for disruption since then,for instance.Such attacks have been reasonably focused so far,reports Alan Woodward,visi

109、ting professor of cybersecurity at the University of Surrey.But,just as so-called guided missiles can wreak havoc on innocent civilians,a misfir-ing cyber attack can cause collateral damage beyond its intended target.For this reason,businesses far from the physical battleground especially SMEs,whose

110、 cyber defences are generally likely to be relatively basic need to be wary of Russias online war with Ukraine.“Effective cyber attacks will quite often use a vector in the supply chain,”Woodward says.This makes it possible for a business with no connection to Ukraine or Russia to be caught up in an

111、 attack,simply because it shares a software provider with a company that does have such links.In 2017,for instance,the NotPetya ransom-ware strain(widely viewed as the handiwork of Russian military intelligence agency the GRU)was launched through a tax prepara-tion app used by many firms in Ukraine

112、and plenty outside the country too.“The next time that everyone updated their software bang,theyd taken in this massive piece of ransomware,”Woodward says.Some of the companies whose systems were infected had to write down billions of pounds from their balance sheets in the process of fixing the pro

113、blem.“A number of small and medium-sized businesses were practically wiped out,”he adds.This is why the UKs National Cyber Secu-rity Centre(NCSC)has advised British busi-nesses to remain alert for such attacks and bolster their defences accordingly.The NCSC doesnt believe that Moscow is delib-eratel

114、y seeking to target British enterprises.Rather,its concerned that an assault tar-geting organisations in Ukraine could easi-ly affect enterprises in other countries.And British firms have more to fear from Russia than a less-than-discriminate cyber strike mounted by the GRU.Dr Victoria Baines is a s

115、enior researcher,author and speaker whos worked with bodies such as Europols European Cybercrime Centre in The Hague.She says:“The line between according to Baines,who adds:“Its become increasingly clear that some states are also using ransomware and cryptocurrency scams to generate revenue.”Its ano

116、ther reason why the debate about whether to pay ransoms or not has become so heated.“Ultimately,we cant rule out the possibility that ransoms paid by SMEs in the UK and elsewhere are supplementing the Kremlins war coffers a sobering thought,”she says,but stresses that the threat is also“largely prev

117、entable”.Woodward agrees that there are several straightforward and effective steps that firms can take to protect themselves from the GRU and from Russian cybercriminals whove been let off the hook.“This may sound like a broken record,but look at the NCSCs guidance,”he says.The centre has plenty of

118、 advice on matters such as how to manage passwords;handle emails to avoid downloading malicious attachments;and set up corporate networks so that theyre more resistant to attack and less likely to spread malware onwards if they do get infected.“One of the most common vectors for ran-somware is an em

119、ailed Excel spreadsheet that has a macro in it.If people open it and the right network policies arent in place,theres nothing to prevent that macro from dialling home and pulling in some mal-ware,”Woodward warns.While it may seem costly,commissioning external expertise to satisfy yourself that your

120、firms networks are as secure as they can be is likely to be a sound investment.If you want to do it in house,be sure to cover all the simple aspects that can easily be overlooked,Baines stresses.“Basic digital hygiene for instance,keeping software up to date,running a security program that scans for

121、 known threats and staying alert to the latest phish-ing scams is an effective way to counter many of the cyber threats facing SMEs,”she says.“There really is no excuse not to do these things.They arent rocket science and theyll help you to avoid so much pain in the long run.”state-sponsored and pro

122、fit-driven cyber threats has become very blurred.”Baines cites the WannaCry ransomware attack in 2017 as a case in point.This spread far beyond its original target,causing chaos for the National Health Service,as well as Renault,FedEx and Deutsche Bahn.Europol estimated that more than 200,000 comput

123、ers in 150 countries and especially Russia were disabled.WannaCry was eventually traced back to a gang with ties to Kim Jong-uns regime in North Korea.But the link between private criminal enterprise and national govern-ments goes further than that,according to Baines,who points out that the Conti T

124、eam a prolific ransomware gang thought to be based in St Petersburg “has recently declared its support for Putin”.This means that its members could act as hired guns,aiming to cause chaos for any organisation around the world that speaks out against Russias actions.Before the invasion,Russia had act

125、ually gained some good publicity for startingto round up some of the countrys more notorious cybercriminals.Their arrests,some of which were filmed and broadcast worldwide,had indicated a shift in approach from the Kremlin that many countries welcomed.But,now that Russia has become an out-cast,the P

126、utin regime has far less incentive to clamp down on domestic cybercriminals.This means that were all more at risk,Chris Stokel-Walker We cant rule out the possibility that ransoms paid by SMEs in the UK and elsewhere are supplementing the Kremlins war coffers The line between state-sponsored and pro
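Woodward's point about a macro in an emailed spreadsheet “dialling home” is something a defender can watch for in endpoint telemetry, not only block with network policy. The following is an added example, not code from the report or from anyone quoted in it: it replays constructed Sysmon-style events (field names, the internal address ranges and all sample values are assumptions) and raises an alert when an Office process spawns a script interpreter or opens a connection outside the internal network.

```python
"""Spot macro-host processes that dial home or spawn an interpreter.

Added example, not taken from the Raconteur report. It reads constructed
Sysmon-style 'key=value' event lines (field names are assumptions) and
rebuilds enough of the process tree to raise two alerts a defender wants
when an emailed spreadsheet carries a macro:
  * office_spawns_interpreter: EXCEL.EXE (etc.) launches powershell/cmd/...
  * office_dials_home: the Office process itself connects outside the
    internal address ranges.
"""
import ipaddress
import re
from dataclasses import dataclass

# Macro hosts: no reason to reach the internet directly or run interpreters.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children a malicious macro commonly uses to fetch a second stage.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
                       "wscript.exe", "cscript.exe", "certutil.exe", "regsvr32.exe"}
# Address space the organisation treats as internal (assumed corporate ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def parse_event(line: str) -> dict:
    """'k=v k2="v with spaces"' -> {'k': 'v', 'k2': 'v with spaces'}."""
    return {key: value.strip('"') for key, value in TOKEN.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_external(ip: str) -> bool:
    """True when the destination lies outside INTERNAL_NETS; malformed -> False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect(lines) -> list:
    """Replay events in order; return alerts for macro-host misbehaviour."""
    image_by_pid = {}  # pid -> lower-cased image name, from ProcessCreate events
    alerts = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("Event")
        if kind == "ProcessCreate":
            pid = int(ev["ProcessId"])
            image = basename(ev["Image"])
            image_by_pid[pid] = image
            parent = image_by_pid.get(int(ev.get("ParentProcessId", -1)), "")
            if parent in OFFICE_HOSTS and image in SUSPICIOUS_CHILDREN:
                alerts.append(Alert("office_spawns_interpreter", pid,
                                    f"{parent} -> {image}: {ev.get('CommandLine', '')}"))
        elif kind == "NetworkConnect":
            pid = int(ev["ProcessId"])
            image = image_by_pid.get(pid, "")
            dest = ev.get("DestinationIp", "")
            if image in OFFICE_HOSTS and is_external(dest):
                alerts.append(Alert("office_dials_home", pid,
                                    f"{image} -> {dest}:{ev.get('DestinationPort', '?')}"))
    return alerts


# Constructed telemetry: a user opens invoice.xlsm; the macro starts PowerShell
# and Excel then reaches out to 203.0.113.7 (RFC 5737 documentation space,
# standing in for a real download host). The SMB connection to a file server
# and the browser launch are benign and must not alert.
SAMPLE_EVENTS = [
    'Event=ProcessCreate ProcessId=4100 ParentProcessId=900 Image=C:\\Windows\\explorer.exe',
    'Event=ProcessCreate ProcessId=5120 ParentProcessId=4100 Image="C:\\Program Files\\Microsoft Office\\EXCEL.EXE" CommandLine="EXCEL.EXE invoice.xlsm"',
    'Event=NetworkConnect ProcessId=5120 DestinationIp=10.0.0.25 DestinationPort=445',
    'Event=ProcessCreate ProcessId=5300 ParentProcessId=5120 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell.exe -WindowStyle Hidden"',
    'Event=NetworkConnect ProcessId=5120 DestinationIp=203.0.113.7 DestinationPort=443',
    'Event=ProcessCreate ProcessId=5400 ParentProcessId=4100 Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] pid={alert.pid} {alert.detail}")
```

On the sample above the first rule fires for the PowerShell child and the second for Excel's outbound 443 connection, while the file-server connection and the browser launch stay silent.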

CYBER WARFARE

CYBERSECURITY IS THE NUMBER-ONE RISK FOR SMALL BUSINESSES
Leading risks for small enterprises worldwide (Allianz, 2022)
- Cybersecurity: 39%
- Business interruption (including supply chain disruption): 32%
- Pandemic outbreak: 25%
- Changes in legislation and regulation: 21%
- Natural catastrophes: 21%
- Market developments: 18%
- Shortage of skilled workforce: 16%
- Macroeconomic problems: 15%
- Climate change/increasing volatility of weather: 14%
- Fire, explosion: 14%

45% of companies worldwide were using biometric authentication in 2021 (Okta, 2021)

$33.26bn (2019); $99.63bn (2027, projected)

At a simplistic level, biometrics is about measuring and matching. And for matching, a biometric needs a comparator

RACONTEUR.NET 05

The breach and the observance: pen test essentials

The penetration test is a vital protective measure, but there are some important caveats to consider when commissioning a white-hat hacker to probe around your systems

In the 2003 version of The Italian Job, Charlize Theron plays an ethical safe-cracker who pits her wits against the latest models to tell the manufacturers whether their products are any good. Naturally, she can crack the lot. And pretty soon she's lured into an ingenious gold heist involving Mini Coopers, but, alas, no Sir Michael Caine.

A more imaginative remake might have cast Theron as a penetration tester. These skilled professionals hack into IT systems to pinpoint their weaknesses for their owners. A company needs to know whether its valuable data is secure. But, as per the film, it also needs to know that its pen testers are elite white-hat hackers who aren't going to cause mayhem in the course of their work.

So how do you go about finding a reliable pen tester? Will North is a good person to ask. He used to run a consultancy running pen tests for clients but now sits on the other side of the fence, hiring them to hack the products of MHR International, a developer of HR and payroll software where he's chief security officer. In the past few years he's commissioned almost 30 tests.

Hiring is no easy task, according to North. “The repercussions of employing an under-skilled tester can be severe. You'll get a false sense of security that your systems are protected,” he says. “Unfortunately, it can be very difficult to evaluate the competence of an ethical hacker.”

He recommends two places to find candidates: large consultancies and specialist boutiques. The consultancies come with a caveat. “These organisations are often expensive. They can charge nearly 2,000 a day,” North says. “Their operating model also means that they often use relatively inexperienced staff to do most of the work.” He believes that boutiques are likely to offer a more cost-effective service. The downside is variability: the chances of hiring a dud are greater. The solution? “You need to rely more on word of mouth.”

As for testers' qualifications, the ones to look out for are Crest, GIAC or Check certification. But beware: even the most impressive-looking CV may not be a reliable indicator. So says Hugo van den Toorn, manager of offensive security at Outpost24, a boutique specialist in risk assessment. “Don't treat certifications as a gold standard,” he warns. “The reason is simple: anyone can learn, but this is about understanding and bringing knowledge into practice. Unfortunately, not everyone can pay to take these qualifications or sacrifice sufficient personal time to obtain them. Cheating is a prevalent issue as well.”

Look for a “core hacker mindset”, van den Toorn advises. For instance, does the candidate blog about cybersecurity matters? Do they have a career showcasing their expertise? How do they perform on external validation platforms such as Hack the Box? Strong candidates may write their own applications to enhance the off-the-shelf products that pen testers commonly use.

Once you've chosen your candidate, it's vital to know how to brief them. What exactly do you want them to prove? Equally important, what are the parameters of the test? “There should always be a limit of exploitation set, which describes how far into production systems that ethical hackers can go,” explains James Griffiths, a former GCHQ cyber expert and co-founder of Cyber Security Associates. “If the client has a huge ecommerce site, for instance, you wouldn't want an ethical hacker changing live data. But there may be cases where you'd want to prove that it could be done. Normally, this can be replicated in a development environment to ensure that availability is not affected.”

Griffiths says that a pen test can last from two days to three weeks, with a week being the norm. A key decision is whether to include social engineering hacks. These may involve the pen tester visiting the client's premises incognito to gain physical access to systems or drop infected USB flash drives to see if anyone picks them up and uses them out of curiosity. Other acts of skulduggery could include swiping the pass of an employee or even stealing a laptop.

He says that an under-used tactic is to commission a so-called purple team operation. In a normal test assault, attackers (known as the red team) take on defenders (the blue team). In a purple team, both sides work together under the guidance of an expert coordinator to share their knowledge. Reds attack, blues defend and then both parties disclose their thoughts to iterate the security improvements. Griffiths believes that it's a richer process than the standard exercise.

And then there's the question of what to do with the results. Bizarrely, many companies fail to act even when they've been alerted to serious chinks in their armour. “It's a big frustration to testers when they see the same vulnerabilities cropping up time and time again,” reports Gyles Saunders, ethical hacker at NormCyber. He adds that a common problem is that clients leave an easy route open, making the pen tester's job simple. “When we see such vulnerabilities, we must exploit them, because a cybercriminal would do the same. While that's a valuable exercise, if the client doesn't then act on our recommendations, we're back to square one come the next test.”

Pen testing is a vital element of ensuring cybersecurity, yet companies too often fail to instruct their white-hat hackers adequately. At worst, a poorly briefed hacker could
bring down vital infrastructure. And the last thing you'd want is to see the smoking ruins of your IT system, recalling Caine's immortal line in the original Italian Job: “You're only supposed to blow the bloody doors off!”

Charles Orton-Jones

PEN TESTING

The repercussions of employing an under-skilled tester can be severe. You'll get a false sense of security

IBM, 2021
- 247 days: the time taken on average to identify and contain a data breach
- 44% of data leaks contain personally identifiable information
- 20% of cyber attacks are initiated through compromised credentials, the most common attack vector

Commercial feature

you need a prevention-first security strategy

Against a backdrop of growing and evolving threats and skills gaps, organisations of all sizes need to reconsider their cybersecurity strategy

It's not quite Nostradamus, but being able to predict the future using the power of AI and mathematics could be the best way to defeat ever more confident and sophisticated cybercriminals. Governments and businesses may have raised the white flag in response to the 50% year-over-year increase in weekly attacks across the globe last year, according to Check Point Research figures, but software security giant BlackBerry says they do have the power to fight back.

“If you look across the market at the moment, the most common method of defence against cyber-attack is detect and response,” says Keiron Holyome, vice president UKI and emerging markets at BlackBerry. “The industry has given up on trying to prevent attacks happening, but we are putting prevention at the back, centre and front of our strategy. We are using technology in the right place to stop malicious activity getting near to your networks.”

Growing threats

Holyome is referring to BlackBerry's AI prevention-first approach. Its suite of Cylance AI products includes CylancePROTECT, which identifies and stops attacks at the door. It can detect and prevent potentially harmful code in less than 50 milliseconds and can predict malware attacks on an average of 25 months prior to appearing online.

These attacks are increasingly coming from a range of sources such as state actors and are aimed not just at government or big business but also at innovative start-up firms and their lucrative IP (intellectual property). Indeed, in its 2022 Annual Threat Report, BlackBerry highlighted a cybercriminal underground optimised to better target local small businesses. It said small- and medium-sized businesses were facing upward of 11 cyber threats per device per day. And 2019 research from Ponemon Institute found that over 70% of SMEs had suffered a breach and, such is the financial and reputational impact, that 60% of those attacked go out of business within six months.

Criminals, it added, were also increasingly engaging in their form of a shared economy, with groups sharing and outsourcing malware, allowing for attacks to happen at scale. Other dangers are coming from public cloud platforms which are unwittingly hosting malware, email and text phishing, and watering hole attacks where criminals look for weak-spot websites within a targeted organisation. The increase in hybrid working during the pandemic is also putting extra strain on security, with sensitive data being accessed from bedrooms and garages.

Supply chain weakness

Another area of vulnerability is the software supply chain, which Holyome says is increasingly being used as an attack vector. There are two elements to this, with the first being weaknesses in the traditional supply chain, such as tyre suppliers to a car manufacturer. “At some point, they will have access to, say, your e-procurement systems, but even if they are not connected to your internal networks then you could be impacted by a ransomware affecting their business,” he explains. “What are the implications for your company if you have to close for seven days and you operate a just-in-time system? Ensuring that there is cyber resilience throughout your supply chain is critical.”

The software which makes up the supply chain is also crucial. Due diligence needs to be done on all software which suppliers are employing. “There could be issues of software vulnerabilities within software. Don't just allow random installs by ensuring that you have a good corporate policy around deployment,” he adds.

Prevention first

Detect and response can also be an answer, identifying when employees click on dodgy malware links, but it is not enough, Holyome warns. “It can be both time and cost inefficient. If you rely on it, then you are allowing malicious activity to happen in your environment. That can cause huge financial and reputational issues for your business and loss of critical customer and client data.”

It is why BlackBerry has been developing Cylance AI since 2014. It is now on its 7th generation of products. Based on a mathematics model, the AI continuously analyses changes occurring on endpoints in a network, uncovering threats that would be difficult, if not impossible, for a human analyst to find quickly enough to mitigate. When a potential threat is identified, Cylance AI thwarts it in real-time by taking decisive, automated action. But it is also continuously learning.

“It develops and evolves over time. It learns based on the previous bad behaviour data it has seen and adapts its model intuitively,” Holyome states. “We have a predictive advantage in securing systems against legacy malware and we can predict what is likely to form the nature of a future attack and again prevent it.”

He says Cylance AI also has an advantage over signature-based models, which are constantly having to run file updates. There will be a period within that which leaves a network out of date and exposed to attack. “Updates for Cylance AI are much less frequent,” he says.

So how predictive is Cylance AI? Mystic Meg or Nostradamus himself? Holyome says his stock position, given the vicissitudes and uncertainty of life, is to say that CylancePROTECT can stop 99% of potential attacks.

One example is the Colonial Pipeline ransomware cyber hack last summer, where the US energy company was forced to shut down its pipeline system. The group had to pay $5 million to the Russian-based cyber-criminals DarkSide to restart its operations. “We got hold of that virus after the attack and found that even using our 2015 version of CylancePROTECT it would have been able to predict and prevent it,” Holyome says.

Indeed, in a recent test, BlackBerry's suite of Cylance products was, on the independent Mitre ATT&CK testing framework, 100% successful in preventing both the Wizard Spider and Sandworm attack emulations early, before any damage occurred. Similarly, its CylancePROTECT solution recently earned the maximum AAA rating from cybersecurity testing organisation SE Labs.

Talent gap

BlackBerry believes that its sophisticated technology can also help lessen the impact of the huge talent gap in the industry. “There is an enormous lack of cybersecurity skills and expertise, with SMEs especially struggling to hire cyber security professionals,” says Holyome. “Cyber criminals don't switch off at 5pm on a Friday and re-start at 9am on Monday. They are taking advantage of the lack of dedicated employees, including increasing attacks on holidays like Christmas when they know nobody is in the office.”

He says its products can ease this worry for hard-pressed bosses and staff. “No signature updates reduce an IT manager's workload, plus the prevention-first strategy decreases pressure to recruit specialist security skills,” he says. “Our AI is very much fire and forget. Just let it do the hard work for you.”

And hard work it will be, Holyome warns. “Threats are increasing, not decreasing. Companies of all sizes can't ignore this and need to reconsider their cybersecurity strategy,” he says. “They must understand that security is a journey, not a destination, and approaches should continually evolve to meet new threats. Detect and response can leave you vulnerable. Prevention first is the answer. Who wouldn't want to know the future and stay safe?”

For more information and to download the BlackBerry 2022 Threat Report, visit [link not preserved in the source]

The industry has given up on trying to prevent attacks happening, but we are putting prevention at the back, centre and front of our strategy

THE GROWING THREAT LANDSCAPE
From ransomware to supply chain attacks, threats are evolving rapidly

The European Union Agency for Cybersecurity, 2021
- 85% of managed service providers reported ransomware attacks against SMEs in 2021
- 50%: advanced persistent threat (APT) groups were credited with carrying out 50% of supply chain attacks from January to July 2021
- 66%: in 66% of supply chain attacks from January to July 2021, suppliers either did not know or did not report how they were compromised
- 62%: exploiting trust in the supplier accounted for nearly 62% of attacks on customers from January to July 2021

BlackBerry, Threat Report, 2022
- 11+ cyber threats per device per day are faced by SMEs
- 70% of SMEs have suffered a breach
- 60% of those attacked go out of business within six months

CYBERSECURITY & IT GOVERNANCE 06
DEFENSIVE COORDINATION
Which of the following have you done over the past 12 months to identify cybersecurity risks in your organisation? [chart values not preserved]
- Used specific tools designed for security monitoring
- Risk assessment covering cybersecurity risks
- Tested staff (i.e. mock phishing exercises)
- Carried out a cybersecurity vulnerability audit
- Penetration testing
- Invested in threat intelligence

Employee or employer: who's to blame for a cyber breach?

Many businesses dismiss employees who enable a cyber attack. But is this a fair reaction? And what responsibility does the employer bear?

Imagine your football team has just narrowly lost a game. Who's responsible for the defeat? Is it the goalkeeper, who let the ball slip through their fingers, or the striker who missed a sitter? Maybe it's the manager's fault, for failing to devise and implement a successful game plan?

Now take this analogy and apply it to a business trying to assign blame in the aftermath of a cyber attack. Does the blame lie with the IT department for failing to put effective cyber defences in place? Or is it perhaps the fault of the CEO for not implementing a culture of cyber awareness? Perhaps the employee who clicked the link that contained malicious software should take responsibility?

Many businesses opt for the latter choice. Research from security company Tessian found that 21% of the 2,000 US and UK workers they surveyed have lost their job in the past year after making a mistake that compromised their company's security.

Irina Brass is associate professor in regulation, innovation and public policy at University College London. She says the figures show “a knee-jerk reaction. There is a lot more that organisations can do to become more resilient before placing the blame on their employees.”

One option is a refreshed cybersecurity training programme that reflects post-pandemic working patterns. While many businesses provide such training to their employees, often these overlook the new vulnerabilities exposed by the technologies that facilitate widespread remote working.

The cloud is one example. Nearly four out of ten businesses have accelerated their migration to cloud technologies during the pandemic, according to McKinsey, with 86% expecting this acceleration to persist post-pandemic. But as Brass points out, the cloud creates more routes for cybercriminals to hack a business, undermining perceptions of the technology as a completely secure option. “It makes the attack surface larger and more homogenous because you have these cloud-based work packages that are the same being deployed to large numbers of people, meaning that once a hacker figures out a particular compromise, they can apply it to all sorts of replicas.”

With more applications and tools being stored in the cloud, more people require access to it. This means the amount of data the average employee can access has grown exponentially in a short period of time. Cybercriminals are exploiting this. They're using the primary benefit of the cloud (its ability to connect workers to essential company documents regardless of their location) to access large amounts of data through a single breach.

This is part of a broader set of challenges, which stem from the fact that our home environments are fundamentally not as secure as offices. The immediate shift to home working exposed our work laptops and businesses' data to an array of consumer-connected Internet of Things (IoT) devices. According to Which?, smart products in the home, from light switches to speakers, experience an estimated 12,000 hacking attempts each week. Smaller, cheaper products often lack many of the security features of traditional computers, making them easier for cybercriminals to hack.

The threat posed by lax security systems for some IoT devices would ordinarily be isolated to consumer data. But with widespread remote working, these devices now act as a gateway for hackers looking to access a company's data. “Most consumer devices have dubious security specifications,” Brass says. “They have default passwords and really short software update periods, if at all. And if a hacker compromises them, they scan a work device that is on the home network for vulnerabilities and an employee won't even be aware it's happening.”

The correlation between the shift to remote working and rising cyber attacks suggests it's the unique working environment caused by the pandemic, rather than employees themselves, that's driving the spike in breaches. The solution may be further training for employees on the importance of cyber hygiene both in and out of working hours.

The legality of dismissing an employee after they make a cybersecurity mistake also warrants consideration. According to Monica Atwal, managing partner and employment law specialist at Clarkslegal, an employer's reasoning for dismissing an employee usually falls into two categories: gross negligence or gross misconduct. These reasons require an employer to prove that, on the balance of probabilities, the employee is either culpable of serious carelessness or they engaged in a clear and serious violation of the company's rules.

The lack of regular training offered to employees on cybersecurity undermines the validity of these reasons, Atwal adds. A study from Software Advice, earlier this year, found that 44% of SMEs have not trained their team on cybersecurity since 2020. This is despite 62% of them experiencing an increase in cyber attacks in the same period. The absence of a “systematic approach to cybersecurity” weakens an employer's argument for dismissal by gross negligence, in Atwal's opinion, because of the need to demonstrate that an employee received “intensive training” on a “regular basis” and still acted carelessly.

“An employee would clearly have an unfair dismissal claim and you would get short, sharp shrift from an employment judge if you said you received one training session on something that is so complicated and nuanced,” she says. “It's like being accused of stealing when you don't even know you've taken something.”

Despite the risk of being sued for unfair dismissal, Tessian's research shows that many employers believe employees should shoulder the blame for any cyber incidents that happen on their watch. The same research found that 29% of businesses have lost a client because of a cyber mistake in the past year. Jeff Hancock is founding director of the Stanford Social Media Lab. He notes that many employers are trying to “pin the blame” by dismissing employees after a breach. “Businesses want to provide a reason for why it happened to their clients,” Hancock adds, “but this comes at a long-term cost because employees are going to be less likely to report attacks in the future.”

A policy of dismissing any employee who makes a cyber mistake risks instilling a culture of fear around reporting such incidents. In time, this would leave a business more vulnerable to hackers, as employees become unwilling to report any breaches or vulnerabilities they've noticed in the company's cyber defences.

The solution, in Hancock's opinion, is a company culture where cybersecurity is at the forefront of every employee's mind, regardless of their position. This would involve regular training sessions on the latest hacks cybercriminals are using. It would be underpinned by an understanding between employers and employees that cyber breaches are inevitable and not the responsibility of any one person.

In a similar way that a football team deals with a match loss, a breach is rarely the fault of just a single individual. Good cybersecurity requires input from every employee at a business, whether they're the CEO or an intern.

Jonathan Evans

It's like being accused of stealing when you don't even know you've taken something

BREACH

Many high-profile cybersecurity incidents paint a misleading picture of the type of attack businesses should expect. Most breaches don't result from a hacker circumventing an organisation's cyber defences. Instead, cybercriminals are increasingly incorporating social engineering techniques into their scams, relying on psychological manipulation, rather than technology, for success.

Phishing emails are one example of a social engineering scam. These employ a wide range of psychological manipulation techniques to fool the recipient of the email into opening a link or attachment that contains malicious software. Some prey on people's fears, anxieties or emotions, causing them to lower their defences and let a hacker into their system. Others invoke a sense of scarcity or urgency to goad a victim into acting quickly without thinking.

Jeff Hancock, founding director of the Stanford Social Media Lab, regards cybercriminals as “good psychologists”, given the wide range of manipulation techniques they use. But, as Hancock points out, there are cognitive vulnerabilities unique to the workplace, making businesses particularly vulnerable to these types of scams. “With businesses, the hackers will know about social relationships. You can easily see who someone's boss is, and because many people are deferential to authority, this creates a good attack for hackers looking to get employees to share confidential information.”

Widespread home working has exacerbated this issue, with many employees losing the face-to-face time with their managers that's essential for trust building. Cybercriminals exploit this by creating scams that prey on an employee's desire to impress senior team members and the vulnerabilities unearthed by isolation. Often these scams lead the victim into a decision-making process that's quick, complex and vulnerable to emotional persuasion. This combination is highly effective when the victim is unable to speak to colleagues and get a second opinion on a suspicious-looking email.

Such vulnerabilities add to the perception that staff are often the weakest link in an organisation's defence against cybercriminals. However, the vulnerabilities posed by human psychology in cyber attacks are rarely given the same attention as the technological threats from hackers in cybersecurity training. Good cybersecurity is about more than technology. With social engineering scams on the rise, businesses need to create a training programme that informs employees both what cyber attacks look like and the thinking that underpins them.

When an employee enables a breach, employers may need to determine whether it came about through carelessness or ignorance about the threat posed by hackers. The answer could guide any disciplinary action. But reaching a concrete answer is a complex process, particularly given the number of cyber attacks created on a daily basis. According to the AV-Test Institute, some 450,000 new pieces of malware are detected every day. Hackers send about 3.4 billion phishing emails daily to potential victims. The range and frequency of attacks on businesses complicates the training process for employees. Team members must be constantly vigilant about a variety of threats that prey on both the technological vulnerabilities of the business and the psychological vulnerabilities of its staff.

Despite the increase in attacks by hackers, Julien Soriano, chief information security officer at Box, believes employees must be aware of the data they have access to. “You cannot separate ignorance from carelessness in the wake of a cyber attack. Ignorance is carelessness,” he says. “It is the employee's responsibility to do the right thing and comply with their employer's policy and understand their role and responsibility in keeping their access safe.”

The lockdown-driven surge in remote working dramatically increased the amount of data employees can access. Virtually overnight, businesses shifted to a work-from-home system, meaning their data was placed into a more vulnerable environment and, at the same time, many employees had greater access to critical documents and information than ever before. This increased both the likelihood and repercussions of a cyber attack, meaning employees need to be always aware of the threat posed by hackers. Yet with remote working here to stay, the only careles

218、s or ignorant actor in the aftermath of a cyber incident is the employer that fails to protect their data,says Alex Rice,co-founder and CTO at HackerOne.“Inevitable human error is never a satisfactory explanation for a cybersecurity incident.If a human caused a breach of your company simply by click

219、ing a single link,your security practices are to blame,not the human,”he says.“If a company acts to its best ability to reduce cyber risk,it is not anyones fault beyond the cybercriminals who chose to commit the crime.“We need to get out of this toxic blame cycle that discourages transparency and co

220、ntinuous improvement.”How human psychology causes cyber attacks Are employees careless or ignorant about cybersecurity?33%of UK businesses had formal policies covering cybersecurity risks as of 202184%of cyber attacks rely on social engineeringENISA,2020Ipsos MORI,202135%34%20%15%13%9%Ipsos MORI,202

221、1R A C O N T E U R.N E T07Commercial featureThe huge increase in home and hybrid working over the past two years means that CIOs and CISOs have re-evaluated security policies and are looking to bolster endpoint security.Its little wonder that Gartner Group report that 61%of CIOs of organisations pla

222、n to increase spending on cyber and information security this year.Its turned out to be a bigger project than expected.According to a survey of 750 IT decision makers carried out by Tanium,82%of CISOs said that they were over-hauling endpoint security,but 94%were faced with endpoints that were eithe

223、r unprotected or overloaded with conflict-ing software agents.As many as one in five endpoints were discovered to be vulnera-ble to attack.Organisations are experiencing more attacks than ever before.Cybersecurity Ventures notes that ransomware attacks on businesses occur every 11 seconds.All the wh

224、ile,businesses experienced a 50%increase in weekly cyberattacks in 2021.Cyber criminals are also becoming more targeted in their attacks.Microsofts recent Digital Defence Report stated that threat actors have rapidly increased in sophistication over the past year,using techniques that make them hard

225、er to spot,and which threaten even the most seasoned IT security team.Criminal groups targeting businesses have moved infrastructure to the cloud,where they can hide among legitimate cloud services,and attackers have developed new ways to scan the internet for systems vulnerable to ransomware.This m

226、assive growth in the number and complexity of attacks,combined with a global shortage of IT security profession-als,is a big problem for businesses.Something needs to change Endpoint security company Tanium says there is a fundamental problem in how most organisations approach endpoint security mana

227、gement.As the number of IT security threats increases expo-nentially,companies often respond by buying another point solution.In the last year,90%of organisations have bought at least one new IT security point solu-tion,and almost half(45%)have bought at least four new products,according to the Foun

228、dry Security Priorities Study.A typical enterprise now has 43 separate IT security and security management tools in its infrastructure.This approach simply isnt sustainable.When businesses add more tools to their infrastructure,they dont necessarily The cybersecurity fail-safeDespite spending 122bn

229、each year on security solutions,organisations are finding it harder than ever to protect their IT infrastructure.Security is changing and its time for the convergence of security and operationsincrease their protection,because the pace with which new threats emerge is faster than most organisations

230、can keep up with.This is especially true in todays highly distributed organisations.Theres also some evidence that the effective-ness of some point solutions is falling;according to one recent report in the New York Times,the first detection rates of some antivirus tools has fallen below five percen

231、t.Then theres the issue of keeping up with a proliferation of point solutions,each with its own data,interface and owner.Perhaps one tool is managed by IT opera-tions and reports into one data silo daily,but another is managed by compliance and reports quarterly into another data silo.If that scenar

232、io is repeated 40 times,thats an example of the data headache that CIOs and CISOs are facing.This patchwork approach cannot provide complete protection,and it can be actively harmful to corporate security efforts.If an organisation has multiple security tools sitting in multiple silos,CIOs cant get

233、a clear overview of how many endpoints there are,much less how effectively they are protected,and what changes need to be made.In many ways,security is a data visibility problem.When an organisation is running dozens of systems,and dozens of IT secu-rity solutions,each generating huge vol-umes of da

234、ta at different rates,how is that data being integrated and understood?Simply put,companies cant protect what they cant see.Todays security decision-makers need help.They need a platform that helps them to keep up with a proliferation of endpoints,and to understand exactly how each one is performing

235、,the threats posed to it,and how it can be protected.This information needs to be available in one place,and in real-time.Only then can CIOs create a single view of security that is needed to deliver effective protection and create a strategy that prioritises the right things at the right time.Whats

236、 needed is a converged solution.Just how bad are things out there?Tanium spoke with hundreds of IT secu-rity decision makers who said they want a way to reduce and simplify endpoint secu-rity management.Key challenges that organisations face in managing endpoint security include siloed teams,especia

237、lly in IT operations and security,that arent able to share security data quickly or effectively.Despite this,many business leaders feel a false sense of confidence about their protection.Second,poor visibility of security data leaves networks vulnerable to attack.Some 64%of businesses expect to expe

238、ri-ence a cyber attack in the next 12 months.This lack of visibility and fragmented approach puts companies at risk of finan-cial losses,downtime,damaged brand reputation and potential heavy fines for non-compliance.This is a huge concern given that 20.4%of vulnerabilities that are discovered within

239、 businesses are classed as high or critical risk.It also takes an aver-age of 61.4 days to remediate a critical risk,according to Edgescan,presenting a huge security risk to organisations.Endpoint security management must be a higher priority for business leaders.In a recent Harvard Business Review

240、survey,70%of business leaders said they thought that leadership should be more con-cerned about cybersecurity.A new approach to endpoint security management“Its crystal clear that businesses need a new approach to endpoint management that helps us to keep pace with tomor-rows threats,”says Steve Dah

241、eb,CMO at Tanium.The reason why so many enter-prises fall victim to ransomware attacks is that the tools they use are no match for the sophistication of attackers:tools are slow,unreliable and lack a common data-set to operate from.And they inherently create silos.This approach to security isnt work

242、ing.Its time to unite tools and data with a uni-fied solution:converged endpoint man-agement(XEM).Introducing converged endpoint man-agement(XEM)Tanium takes a unified approach to IT security management.Its platform com-bines multiple endpoint tools and data so that organisations can have visibility

243、 and real-time data on all endpoints,through a single interface.“Unlike traditional,fragmented approaches to endpoint management,XEM maximises visibility,control and trust,and allows teams to interact with all end-points in seconds,regardless of the scale and complexity of the IT environment,”says D

244、aheb.XEM provides accurate,real-time data to support end-to-end automation,so information security teams can align their efforts and protect their organisations against attacks more effectively.With a unified approach,theres no need for staff from IT operations,compliance,security and numerous other

245、 siloes to spend hours collating and sharing data.It can be viewed in a single interface,meaning IT security teams can do more with less resources.Legacy management systems are often at the heart of problems for organisations looking to improve visibility and efficiency.Moving to a converged platfor

246、m gives back countless hours of management time,allowing companies to allocate headcount elsewhere and address dangerous vul-nerabilities more quickly and effectively across the whole organisation.The case for better data IT leaders cant make effective decisions about security without the right visi

247、bility into data across their infrastructure.XEM provides real-time information from every single endpoint,so that critical informa-tion isnt locked in siloes,accessed by dif-ferent teams using different tools.By converging tools into a single inter-face,companies can focus on actually delivering ef

248、fective security.With XEM,organisations can easily see,assess and manage all their IT security data in a single view.Data can be shared,allow-ing for more effective collaboration and easier,more cost-effective manage-ment.Ultimately,a converged approach provides reliable,timely insight that can be u

249、sed to drive better,faster deci-sion-making.Thats essential in todays fast-moving threat landscape.Providing effective governance IT governance is a top priority for many CIOs but when it comes to security,it can be almost impossible to achieve.Organisations have multiple teams with responsibility f

250、or IT security,including compliance,govern-ance,IT operations,security and risk.These teams are often working in isolation from each other,so theres no visibility of organi-sation-wide threats.“Without collaboration or visibility about organisation-wide risks,enterprises can develop blind spots,maki

251、ng both security and compliance a challenge.If you dont have visibility into all your endpoints,its almost impossible to enforce access pol-icies and maintain control across your IT infrastructure,”Daheb says.The good news is that fixing these blind spots doesnt need to be a complex,time-consuming p

252、rocess.XEM provides a relatively quick solution to existing chal-lenges,increasing efficiency and effective-ness by reducing unnecessary complexity and improving visibility of your IT assets.Daheb adds:“Taniums platform approach means that everything you need from risk and compliance to data monitor

253、ing and more is accomplished in a single solution.We can identify where all your data is in a matter of seconds,meaning that you can deploy security tools across all endpoints,with a single control plane and common data set and taxonomy.”Making a differenceDaheb says:“Taniums XEM offering is the onl

254、y solution that allows teams to collec-tively perform detailed and complete dis-covery,in-depth assessments,enterprise prioritisation,cross-platform remediation,and continuous vigilance everywhere.”XEM-based approaches to endpoint security allow organisations to deliver convergence of IT operations

255、and security,as well as the security infrastructures that are based on point solutions.The Tanium platform aims to change the market and meet the twin challenges of spiralling cybersecurity threats and rising complex-ity of endpoint security management.Without XEM,the industry will inevitably see mo

256、re breaches,more attacks,more data leaks and more problems.Its time to make a change.Learn more about converged endpoint management(XEM)-visit Unlike traditional,fragmented approaches to endpoint management,XEM maximises visibility,control and trust,and allows teams to interact with all endpoints in

257、 seconds,regardless of the scale and complexity of the IT environment Its crystal clear that businesses need a new approach to endpoint management that helps us to keep pace with tomorrows threatsTanium,2021The Foundry,2021of CISOs said they were in the process of overhauling their endpoint security

258、The number of separate IT security and security management tools a typical company has in its infrastructure82%43 ENDPOINT SECURITY IS CHANGINGHow are companies mitigating cyber attacks through XEM technologies?believe organisations are likely to become compromised by a successful cyberattack in the

259、 next 12 monthsshare of enterprises in which up to 20%of endpoints are unknownmean time taken to remediate a system with critical risk61.4 daysEdgescan,2021frequency of expected ransomeware attacks on businesses by the end of 202111 secondsCybersecurity Ventures,2018Edgescan,2021Harvard Business Rev

260、iew Analytic Services,2022Tanium,202020.4%70%of discovered vulnerabilities were high-or critical-risk agree leadership should be more concerned about cybersecurity94%64%Tanium 2022C Y B E R S EC U R I T Y&I T G O V E R N A N C E08The HEAT is on:cybercriminals hunt down web bargainscommerce came to t

261、he rescue of millions of us in the pandemic,be that new iPads to keep the kids busy or a hot tub for stressed adults.But the rush by firms to meet this wave of demand,whether they were a startup,an established ecommerce firm or a bricks and mortar store going online for the first time,left another g

262、roup of people very happy as well:cybercriminals.“Many businesses were forced to adopt new selling methods and ways of meeting customer expectations on the fly,”says Yoav Kutner,co-founder and chief execu-tive of ecommerce platform Oro Inc.“At the same time,companies were focused on alle-viating sup

263、ply chain strains and cybersecu-rity fell a few rungs down the priority ladder.Hackers are now taking advantage because ecommerce sites are a treasure trove of personal data.”This includes online and email addresses when customers sign up to sites,as well as credit card details when they pay for the

264、ir purchases.Tom McVey,sales engineer at Menlo Security,says this data means ecommerce firms“have a target on their back”.He also fears that many ignored basic security fac-tors as they clamoured to drive sales.“The security maturity of a startup is not that high,”he says.Typical threats to ecommerc

265、e opera-tions,he adds,include highly evasive adap-tive threats(HEAT),which can bypass traditional security defences that include firewalls and secure web gateways.Menlo saw a 224%increase in HEAT attacks in the second half of 2021.This can encompass smishing which is essentially email-style phishing

266、 but this time via text message.The principle is the same in that the hacker is trying to tempt a user to click on a link and unleash malware or ransomware onto a corporate or personal site.Traditional phishing remains a threat,with criminals taking advantage of vulner-abilities in new releases from

267、 Firefox or Chrome to launch browser attacks.Again,all you need to do is click on a link in an email for a browser to open and for a mal-ware virus to be launched.“Were also seeing double-dip ransom-ware,”McVey adds.“Ransomware is where data on your system is encrypted by a crim-inal,and they refuse

268、 to unlock or decrypt it until a ransom is paid.But double-dipping is especially a problem for ecommerce firms because the hacker also steals their custom-er data,uploads it online outside the com-panys network and threatens to leak it.If that happened,your entire reputation would be ruined.”Jim Her

269、bert is VP and GM for EMEA for global ecommerce platform BigCommerce.Other exotic sounding threats,he says,include SQL injections(where an ecom-merce site insecurely stores data in a SQL database)and cross-site scripting(which involves inserting a piece of malicious code into a webpage).This exposes

270、 users to mal-ware and phishing attempts.Another potential means of attack is e-skimming.The rise of ecommerce in the pandemic has opened a lucrative avenue for cybercrime.Now businesses need to wise up to the latest methods of attack and strengthen their defencesThis is when attackers steal credit

271、card information and personal data by using phishing or XSS to access a site,then they capture a checkout payment in real time.Cyber and online payment fraud is a fur-ther concern.According to Statista,global ecommerce losses in 2021 reached around$20bn(16bn),an increase of more than 14%compared wit

272、h 2020.Abstract House sells original art and sus-tainable picture frames to customers via its website and was already established when the pandemic started.But it has seen the scale of threat,including fraud,increase over the past two years.“We launched in 2017 and saw exponen-tial growth in demand

273、during the pandem-ic,”says co-founder and CFO Summer Obaid.“People began to be comfortable about buying online,including art.“Thats been great for the business,but it has also brought interest from elsewhere.For years,we didnt see any fraudulent sales but now were experiencing more such as people or

274、dering several 500 gift cards.You may get one order like that but when it is multiple,we try to get more information.”The company,whose original paintings sell for up to 2,000,was aware that dealing with a huge amount of customer data made it vulnerable to attack.Its policy of proac-tively checking

275、for anything concerning also applies to phishing emails,with employees encouraged not to click on exter-nal links and to delete them immediately.But it also has third-party help such as Shopify Plus,which uses machine learning algorithms to flag up orders that could be fraudulent.It also uses Google

276、 Business Suite to help protect against spam and secure private data in the cloud.In addi-tion,data can only be seen by employees with privileged access.McVey advocates web and email gate-ways to“keep the bad on the outside”and adopting the remote browser isolation model.This means that if an employ

277、ee does click on a phishing link,there is no direct contact with a companys website and the malware wont run.Herbert says firms should look at basic protections such as two-step authentica-tion passwords,regularly upgrading soft-ware security updates,securing browser connections and ensuring that al

278、l con-nected devices are cyber secure with anti-virus software and firewalls.When it comes to payments,Obaid uses an SSL(secure socket layer)certificate on its website,meaning that all data is encrypted at checkout.For McVey,it is the cloud including cloud secure web gateways which not only ecommerc

279、e but all businesses should be looking towards for better cybersecurity.“It is rare for a company to store all its data at its premises nowadays,”he says.“All of the documents,applications and emails which we now need to help more people work from home are on the cloud.But most company security stra

280、tegies remain focused on the office and protect-ing that.There is a disconnect and little recognition that the world has changed.You cant have an office-based approach for a cloud-based world.”Another impact of hybrid working,McVey argues,and similar to the point Kutner made about the supply chain,i

281、s that a lot of IT spend has gone on making the transition as smooth as possible for employees.“Secu-rity has taken a bit of a back seat,”he says.Obaid says SMEs especially cant afford to let that happen.“It takes years for a com-pany to build trust with a customer,but one negative experience can be

282、 a massive blow to your business.Cybersecurity is a real thing,”she says.CYBER THREATS IN ECOMMERCEShare of online merchants reporting increased fraud attempts due to the Covid pandemic worldwide in 2021,by regionCybersource,2021David StirlingCommercial features the war in Ukraine contin-ues to unfo

283、ld,the world is becoming more geopolitically insecure.Global instability and uncer-tainty has heightened organisational risk for businesses.One of the areas most impacted by this growing risk is cybersecurity.Cyberattacks have increased in sever-ity and frequency as hackers have become more sophisti

284、cated in recent years,with such activity up 50%in 2021,according to technology security expert Check Point Research.Ransomware is now one of the most common attack vectors.But a new breed of ransomware variant has surfaced that cant be stopped using traditional means and thats why its imperative com

285、pa-nies develop more robust cybersecurity strategies to prevent them.Tackling global instability“Organisations will need to review their security measures to defend against ransomware and other malware assaults,”says Maurice Gibson,product manager,cybersecurity at global talent and reskill training

286、provider Wiley Edge.“Executives have to be proactive and have a plan in place for what to do if their organisation is attacked.This will help them make decisions quickly and effectively without panicking and rush-ing during a crisis.”Global instability has created new employment challenges for firms

287、.Among the biggest insider threats in the wake of the great resignation of 2021 are mid-career employees who quit,but still had access to valuable data and knowledge.Added to that,the Covid-19 pan-demic forced many organisations to move their workforce to remote work almost overnight.But because emp

288、loy-ees home networks often used devices outside of the companys monitoring and direct control,security can be more easily compromised.That has meant businesses have had to ensure workers home networks are protected as part of their overall cybersecurity plan and protocols.As many firms have been fo

289、rced to change suppliers in different regions because of increasing geopolitical dif-ficulties or disruptions,they have also had to do their due diligence and make sure any third-party providers they work with have cybersecurity practices that comply with their own.“With geopolitical shifts in power

290、,organisations are having to find new suppliers to guarantee their produc-tion domains can be maintained while reducing expenditures,”says Gibson.“Organisations are engaging third parties who may or may not have gone through the same level of due diligence and are attempting to untangle con-nections

291、 with a third-party vendor in a less desirable geography.”Plugging the skills gapA deeper issue is trying to find and retain employees with the right skills and tools for the job.And because technology is constantly evolving,so new talent is always needed,as well as continually updating the existing

292、 work-forces skillsets.But as the relentless war for talent continues,current employees are being stretched to the limit,being required to do more and carrying out multiple jobs to cover the work that needs to be done if someone cant be recruited for those roles.This is evidenced by the fact that th

293、ere are almost 465,000 unfilled cyber jobs in the US alone,according to US govern-ment-sponsored data.This can often result in burnout and workers leaving because theyre fed up or cant take the pressure,workload or longer hours.Despite the obvious problems this presents,it also provides employers wi

294、th the perfect opportunity to turn it into a positive.By considering a wider range of candidate,in terms of age,gender,eth-nicity and background,they can finally address this long-standing issue.“This opens possibilities for employ-ers to look outside of their usual recruit-ing pools when hiring tec

295、hnology pro-fessionals.Employers may benefit from sourcing various talents from different communities,which can lead to creativ-ity and a better work environment.”Junior talent can also play a key role in helping meet employers needs amid disruption.“Junior talent may lead to more adaptability in or

296、ganisations,”says Gibson.“Rather than relying on certain locations to fill openings,junior talent can be found wherever the busi-ness is or where it wants to expand.”He adds:“Junior talent enables an organisation to develop its personnel from the bottom up,providing them the chance to apply their sk

297、ills toward the companys benefit.Many companies are paying a premium for skilled employees in an expensive labour market.Junior talent allows firms to spend less up front and reinvest funds into training and upskilling opportunities that help rein-force talent retention.”Strategic risk managementIn

298、response to the war in Ukraine,as with any other international crisis,in addition to having a solid cybersecurity strategy in place,firms also need to test their business continuity and recovery plans to ensure they work and are up to date.They also need to find in-country talent or suppliers that w

299、ill help them isolate themselves from the conflicts impact.Linking all this together,organisa-tions need to have established and effective lines of communication with suppliers,industry peers,governments and employees.They also need to look at the bigger picture in terms of the long-term impact on b

300、usiness and how they can mitigate that risk.Moving forward,the need for better cybersecurity has never been greater.As a result,companies must re-eval-uate their broader risk and business continuity strategies,ensuring they continue to comply with the latest set of data privacy and security regula-t

301、ions,as well as assessing current and emerging geopolitical risks,and how they will tackle them.For more information about Wiley Edge can help with your cybersecurity recruitment needs visit up cybersecurity amid a geopolitical crisis The war in Ukraine has exposed the need for firms to have a robus

302、t cybersecurity strategy in place alongside a young talent poolA Rather than relying on certain locations to fill openings,junior talent can be found wherever the business is or where it wants to expandthe number of unfilled cyber jobs in the US alone465,000Cyberseek and US Commerce Department,2022E

303、 C O M M E R C EEGlobeNewswire,202156bnProjected size of the ecommerce fraud detection and prevention market by 2025 Companies were focused on alleviating supply chain strains and cybersecurity fell a few rungs down the priority ladderAPACLatin AmericaEuropeNorth America86%79%77%68%Moyo Studio via i

304、StockR A C O N T E U R.N E T09“We can help to close the skills gap if we work to increase the cyber literacy of employees across the organisation people who arent specifically working in cyber roles but individuals in finance,the legal team and other parts of the business,Rosso suggests.“If we can i

305、ncrease everyones awareness,that will reduce the need for as many cybersecurity professionals.”Achieving this will entail tailoring peo-ples training carefully,Hadley stresses.“This is about ensuring the right knowl-edge and skills are aimed at the right people in the right roles,”he says.“Non-techn

306、ical employees need something that measures what decisions they would make in a given situation and how much confidence they would have in doing so.It should help them to understand the risks better.For members of the board,I might want to run a half-day facilitating session around a simulation.”All

307、 these strategies will be necessary,given that the cybersecurity skills gap is expected to widen even further.“Organisations need to start talking about the fact that this is a long game,”Rosso warns.“There isnt going to be a magic pill.”Commercial featureHow many of these connected assets are desig

308、ned for security-fi rst?They werent really designed with security in mind at all.If you have any infrastructure network,manufactur-ing network or even just a business thats been around for longer than 20 years,you will no doubt have legacy devices.If youre in the energy sector,as one example,legacy

How connected assets create security blind spots

Without unified asset visibility and intelligence across the attack surface, there is no security in the modern enterprise, says Desiree Lee, chief technology officer for Data at Armis

Q&A

At what pace has the connected asset environment accelerated in recent years?

It's expanding rapidly. There's been a dramatic increase in both the number and types of devices on networks, many of which companies depend on as a critical part of what makes their business run. By 2025 the number of connected assets will go beyond anything we could have imagined just a few years ago. The biggest change is the migration away from traditional assets – computers filling up the networks and doing the work – to a whole host of other devices. As many as 75% will be non-IT assets containing embedded software. It's not just controllers that happen to be online. It's also industrial robots, for instance, in facilities that organisations rely on. Most companies haven't been able to keep up with this pace of change.

...devices made 20 years ago are what run your business, and they were certainly not designed with security in mind. They were simply built to function, and they're unmanageable by agents today. The saving grace has been that attackers are generally only now starting to gain the specialist knowledge to understand these kinds of devices that run factories, control dams, water treatment facilities and the like. Until fairly recently businesses were kept reasonably protected, at least relative to how exposed they are. But that's changing very fast.

Just how exposed are companies to these kinds of threats?

If companies knew how exposed they were on a foundational level, they wouldn't be so worried about the niche, high-skill attacks from nation states. They'd be far more worried about the openings and gaps that are making them vulnerable to less-skilled attackers. While companies prioritise the subset of traditionally well-safeguarded assets, bad actors are keenly focused on the vastly expanded attack surface of assets inside and outside the perimeter. Assets not actively monitored by security tools or tracked across the attack surface are effectively invisible, and if unchecked bring an uncalculated risk of exposure. Feeble in-depth defences from the edge to the data centre give adversaries the upper hand. The increasing frequency and sophistication of operational technology (OT) attacks is a wake-up call to all asset operators, controls engineering teams, IT network operations and cybersecurity teams.

In which industries are you seeing a particularly heightened risk exposure?

Manufacturers and healthcare providers are key sectors for IoT, but we are also seeing retail experience a surge. Even though retail is not manufacturing, retailers have distribution facilities and their lack of IoT security means they are a target. If you're in energy or manufacturing, you've had this understanding of lots of different devices in your environment for a while. But big retailers with thousands of stores effectively don't know what's in them. They're not used to working with those devices, but they are getting breached through them.

What are potential consequences of a cyberattack on connected assets?

There are a couple of primary goals for cybercriminals. Ransomware is typically an economically motivated attempt to lock up your data until you pay to get it back. That can be very costly financially. But nation state attacks, or really targeted attacks, don't always have economic motives. Like with the famous NotPetya attack, attackers might be simply trying to destroy the data to thwart operations. On infrastructure attacks, specifically, the goal could be to disrupt or alter what's happening with, for instance, water treatment. Stuxnet is the most famous OT cyber attack and it ruined a large chunk of Iran's nuclear centrifuges. As well as causing significant economic, operational and reputational damage, cyberattacks on connected assets can also cause environmental hazards and even threaten people's safety.

Why do companies need to shift from data-centric security to asset-centric security?

For a long time enterprises tried to implement a data-centric approach to security but this has mostly failed due to the unstructured nature of data. Data-centric security sounds great until you realise it requires a whole bunch of teams in your organisation to go through each device and try to code the individual bits of data on it as high risk or not sensitive. It is incredibly difficult to catalogue and categorise data, and beyond the reach of most organisations. They might have started the project, but they certainly haven't finished it. Asset-centric security is a more realistic way of getting at data-centric security. Through this approach, it's far easier to categorise an asset. You can say this asset is part of a system that we know has sensitive data somewhere in it. That's far simpler than saying here's the sensitive data on this asset and then doing that thousands of times. Moving to an asset-centric approach allows for far quicker implementation of security controls, which then better addresses the needs of the modern enterprise, reduces time to value and increases the ROI on the security investment.

How is Armis helping organisations to secure their connected assets?

Armis's unified attack surface management platform provides complete visibility with intelligence to secure every asset across the attack surface. We have the ability, in an automated way, to discover assets, identify what they are and also identify what they're doing. That last piece is critical to understanding the risk of your assets. If it's an internet-connected server, you know the risk is much higher and the data it has on it is less protected. If it's a server that's talking to a bunch of databases, you have an idea that the server is part of a complex system with sensitive data on it. Having an automated way, with human readable device context, to catalogue and categorise asset risk is a huge, foundational part of security. If you can't identify and quantify risk and see where the gaps are in your environment, it's simply a matter of time until you are breached and feel the full force of a severe cyberattack.

For more information, visit

Cyberspaced: how to bridge a skills chasm

At the end of March, the Department for Digital, Culture, Media and Sport warned that 39% of businesses had reported experiencing cyber attacks or breaches of data security in the preceding 12 months. In its Cyber Security Breaches Survey 2022 report, it urged organisations to strengthen their defences. Yet this is far easier said than done. The number of unfilled cybersecurity jobs worldwide grew from 1 million to 3.5 million in the eight years to 2021, according to research by Cybersecurity Ventures, and this gap is unlikely to close any time soon.

...new tech,” Rosso says. “The Russia-Ukraine conflict and the heightened cyber alerts; the zero-day vulnerability in the Log4j Java logging utility that emerged in December; the recent breach at ID management specialist Okta – all these are worsening the situation.”

Certain roles are proving particularly hard to fill. The US Computing Technology Industry Association (CompTIA) has highlighted specialisms such as penetration testing, auditing, risk management, governance, cryptography, social engineering and the development of defence systems that
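The asset-centric categorisation described in the Armis Q&A above (label an asset by the system it belongs to and by what it talks to, rather than classifying every record stored on it), worked through as an added example; this is not Armis's code or a description of its platform, and the assets, flows, exposure lists and scoring weights are all constructed for illustration.

```python
"""Asset-centric risk tiering from observed communications (constructed example)."""
from collections import defaultdict, deque

# Constructed inventory inputs, not real data: passively observed flows between
# assets, the assets reachable from the internet, the stores already known to
# hold sensitive data, and the assets a security agent actually monitors.
FLOWS = [
    ("web-01", "app-01"), ("app-01", "db-01"), ("app-01", "db-02"),
    ("printer-09", "web-01"), ("plc-17", "hmi-03"), ("hmi-03", "historian-01"),
]
INTERNET_FACING = {"web-01"}
SENSITIVE_STORES = {"db-01", "db-02"}
AGENT_MANAGED = {"web-01", "app-01", "db-01", "db-02"}


def build_graph(flows):
    """Undirected adjacency: traffic in either direction links two assets."""
    graph = defaultdict(set)
    for src, dst in flows:
        graph[src].add(dst)
        graph[dst].add(src)
    return graph


def sensitive_system(graph, stores, max_hops=2):
    """Assets within max_hops of a sensitive store are treated as part of a
    system holding sensitive data somewhere, without classifying their data."""
    members, queue = set(stores), deque((s, 0) for s in stores)
    while queue:
        asset, hops = queue.popleft()
        if hops == max_hops:
            continue
        for peer in graph[asset]:
            if peer not in members:
                members.add(peer)
                queue.append((peer, hops + 1))
    return members


def risk_tiers(flows, internet_facing, stores, managed):
    """Score every observed asset on exposure, system membership and visibility."""
    graph = build_graph(flows)
    in_sensitive = sensitive_system(graph, stores)
    tiers = {}
    for asset in graph:
        score = 2 * (asset in in_sensitive) + 2 * (asset in internet_facing)
        score += 1 * (asset not in managed)  # unmonitored: invisible to tooling
        tiers[asset] = ("critical" if score >= 4 else "high" if score >= 2
                        else "medium" if score else "low")
    return tiers
```

Unmonitored OT devices and the printer surface as medium-risk findings even though nothing on them was ever classified, which is the blind spot the interview describes.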
