With the coronavirus forcing masses of people to work from home, it has only accentuated the cyber risks businesses face from “human-activated” cyberattacks, according to Tony Pepper, CEO at Egress.
Cybersecurity is not new and despite the amount of resources used to build protection tools or raise awareness of the threats, it’s still a major concern for businesses and individuals alike. In fact, implementing and strengthening cybersecurity tools is as important as ever. A study from Cybersecurity Ventures claims that by 2021, cybercrime is expected to cost the world $6trn, a sizable increase from the $3trn value back in 2015.
Companies are not ignoring the threat at their doorsteps. Gartner released research which claims the total spend on information security products is expected to reach $124bn by 2022. It also claims that budgets for cybersecurity within businesses has risen by 141% between 2010 and 2018. Furthering this claim is a report from The Conference Board, which surveyed 750 CEOs and around 800 C-Suite executives across Europe, Latin America, China, Japan and the US, on their fears for 2020. Over 70% of respondents stated they were increasing the sizes of their cybersecurity budgets to combat threat levels.
For more than two-thirds of CEOs to be increasing their cybersecurity budgets, there must have been a major catalyst. Pepper believes this was the rising prominence of data protection regulations like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and more. Pepper said, “With new regulations following in GDPR’s footsteps, there’s a hefty price tag associated with data breach incidents and non-compliance. Setting aside security budget now, will help them to avoid punitive action in the future. Additionally, extra security budget will enable organisations to respond to evolving threats and mitigate associated risks before sensitive data is compromised.”
While budgets might be increasing due to the rising pressures on protecting data and customers, online attacks are not the biggest worries for CEOS. The report from The Conference Board claims that cybersecurity was the sixth biggest fear in 2019, despite being the most feared issue in 2018. The biggest fear of CEOs during 2019 was a recession, which is looking more likely with the coronavirus pandemic.
The rise in budgets can be attributed to the rise in compliance costs for data protection regulations, with CSO Online stating 88% of companies spend more than $1m for GDPR compliance. While the costs are rising, fears are not, which Egress pins on the fact that fines for failed compliance were slow to take off. However, as we have passed two years since implementation, fines for data breaches can be quite hefty. Last year, British Airways was fined £183.39m by the UK’s ICO after finding the company had used card skimming to collect personal and payment information from customers. American hospitality firm Marriott International has also received a sizeable penalty, with a £99m for exposing guest records of 339 million guests.
“It’s imperative the security community continues to keep data security a top-level priority,” he said. “Not just to protect organisations’ reputation and avoid these costly fines – but because firms have a duty of care to their clients to protect their data.”
Human threat
There are a range of types of malware or techniques used by criminals in their attempts to scam money out of businesses. While companies can implement devices to identify and prevent attacks from taking root, one of the hardest aspects for a business to account for is their own staff. Employees are at the frontlines and many are unaware of the risks they are faced with and the damages they can cause by simply clicking a link in a fake email. Consultancy firm Willis Towers Watson claimed that 90% of data breaches in the UK last year were triggered by human error. Similarly, Kaspersky Labs claimed in its study that 90% of cloud data breaches were due attacks that targets employees.
“Previously, organisations have used a number of technologies, including firewalls, static DLP and anti-spam solutions, in attempts to protect sensitive data from outbound and inbound threats,” Pepper said. “Yet the number of email data breaches has continued to increase.”
“Almost all of these incidents are ‘human-activated’ – they’re caused by people, your employees, accidentally or intentionally leaking data. To mitigate this, we need ‘human layer security’ technologies, which deeply understand people’s behaviour and apply contextual machine learning to detect anomalies driven by error, such as misdirected emails, or when someone is intentionally exfiltrating data against company policy, for example when moving to a new job.”
Ensuring employees are informed enough to spot a suspicious email or they are certain the email is going to the right location is tough, and mistakes will always happen. Egress is helping businesses to overcome this challenge through its cybersecurity tools. The company, which is based in the UK, wraps a protective layer around employees to prevent these “human-activated” errors occurring.
Egress offers an end-to-end email security platform which encrypts sensitive data and identifies risky behaviour to better prevent breaches. By leveraging machine learning and DLP technology, the solution can stop emails being sent to the wrong person and with the wrong attachments. Furthermore, recipient analysis combined with content inspection can be used to uncover attackers trying to engineer employees into causing data breaches or sending funds.
Has coronavirus changed the market
At the start of 2020, the world was not prepared for the coronavirus and no one could have anticipated the measures the world would take. Moving into the new year, Egress identified misdirected emails, business email compromise (BEC) and targeted spear phishing attacks would be the biggest cyber challenges businesses would face.
Egress believes that misdirected emails are a “real sleeping giant when it comes to data security.” Everyone with a business email can freely send emails wherever they like, leaving a major space for data breaches. Mistakes happen and an employee can easily attach the wrong document or send to the wrong email address. Even double checking can not stop mistakes happening. Not only do they risk personally identifiable information being wrongly sent, but also business sensitive information like a client agreement or invoice.
These types of attacks can happen to a business of any scale. The same goes for BEC and spear phishing attacks. It only takes a lapse in awareness and a major data breach can happen. Last year, a man from Lithuania pleaded guilty to stealing $123m from Google and Facebook by posing as a vendor and faking invoices. This was achievable through spear phishing.
With the coronavirus forcing masses of employees to work from home, these three threats are even more paramount, Pepper stated. A report from Tessian claims that 52% of people working from home are being laxed with their cybersecurity.
“With more people working remotely, the risk of an accidental data breach from a misdirected email or attaching the wrong file to an email has grown,” he said. “People are working later into their evenings or more frequently from mobile devices as they, understandably, flex their working hours around their personal duties, such as childcare, or blur the boundary between home and office by having their desks set up at dining room tables, etc. External factors like this make it much more likely for errors to occur and data to be accidentally leaked.”
There have been numerous criminals trying to take advantage of the pandemic. Businesses and staff are not prepared for working from home, with many systems not in place to ensure strong security while working from home. Various scams have been targeting the panic and fear people have right now.
He said, “These attacks take advantage of an environment of heightened anxiety and disruption, and have included anything from malicious links promising PPE or updates on the spread of the virus in “your local area”, to fraudulent online seminars or business training that scrape unsuspecting users credentials and fake invoices that need to be paid “immediately.”
Companies need to ensure their staff are prepared and have the necessary protections in place to stop these attacks.
To find out more information on Egress click here to visit their website.
Alternatively, you can reach out to them at: info@egress.com
Copyright © 2020 FinTech Global
Copyright © 2018 RegTech Analyst
