IT security in 2022 - what you need to know

Article by Jack Rosier of QMS International, one of the UK’s leading ISO certification bodies.

We’re living in the age of computers, with technology playing a more important role in our lives with each passing year.

With the pandemic acting as a catalyst for increasing digitalisation, 2022 is likely to see more technology usage than ever before – so businesses need to make sure they’re prepared.

Embracing technology has been great for us as a global community in many ways. For example, it has enabled people and businesses to almost seamlessly shift to remote or hybrid working models, with a plethora of collaborative software to utilise.

However, this is a double-edged sword. Every additional system, service and device an organisation uses widens the attack surface available to cyber criminals.

At the beginning of 2021, QMS International carried out a cyber security survey among businesses and 75.7% of the respondents reported that they now felt more open to attack. Another 10% reported that they had no confidence in fending one off.

This stresses the importance of understanding what good IT security looks like and how you can protect your business, employees, clients and stakeholders from dangerous and costly cyber-attacks. Organisations and individuals that know and follow good practice, and apply due diligence in their security procedures, can reduce that risk substantially.

In this article, the experts at QMS International take you through potential risks to IT security in 2022, upcoming changes that might affect businesses, and the good practices to implement to keep your operations as secure as possible.

Ransomware

The Chief Executive of the UK’s National Cyber Security Centre, Lindy Cameron, has warned that ransomware is “the most immediate danger to UK businesses” and all organisations could be at risk of cyber-attacks through the use of ransomware.

According to an analysis of reports made to the UK’s Information Commissioner’s Office (ICO) by CybSafe, the number of ransomware incidents in the first half of 2021 doubled compared to the number reported in the first half of 2020.

Ransomware is malicious software that criminals deploy on a victim's systems to encrypt files, and increasingly to steal copies of them first.

Once the files are encrypted, the attacker extorts the victim: pay a large fee, usually in cryptocurrency, for the decryption key, or lose access to the data.

Because many organisations now keep backups, on an external drive or in the cloud, and can restore without paying, criminals have adapted. They exfiltrate data before encrypting it and threaten to publish it online if the ransom is not paid, a tactic known as double extortion. Note that backups only help if they are kept offline or otherwise out of the attacker's reach, because the attacker will try to encrypt or delete them too.

Customer service and HR teams are frequent targets: their job is to open messages and attachments from strangers (enquiries, invoices, CVs), and they hold the personal and financial data that attackers value.

It’s absolutely crucial that organisations ensure they’re well equipped to prevent ransomware attacks in the coming year, and make sure all employees have a fundamental understanding of how to spot and avoid potential ransomware attacks.

Spear phishing

With the pandemic forcing people to adopt new technologies, cyber criminals have been using different methods to carry out their attacks. One method that seems to have gained popularity has been spear phishing.

Spear phishing is a scam, delivered by email or other messaging, that targets a specific individual or organisation. The message is crafted from research on the target (name, role, colleagues, suppliers) and aims to get the victim to click a link and enter their credentials, open a malicious attachment, or authorise a payment. Unlike conventional phishing, which sends the same lure to large numbers of people, spear phishing is personal and far more convincing.

One practical control is to have the mail gateway tag every message that arrives from outside the organisation, for example by prefixing the subject with "[EXTERNAL]" or adding a banner, so that a message claiming to come from a colleague but sent from an outside address stands out. The tag must be applied by the gateway on the basis of where the message actually came from, and the organisation's own domain should be protected with SPF, DKIM and DMARC; otherwise an attacker can simply spoof an internal address and the message receives no tag.
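To make the flagging concrete, here is an added example (written for this edit, not QMS International's code or any product's) of how a gateway-side filter can decide whether a message is internal or external and tag the subject. It assumes a hypothetical organisation whose only domain is example.com, and that the gateway has already stamped an Authentication-Results header with the SPF/DKIM/DMARC outcome; the three messages are constructed samples, not real traffic. It goes a little beyond the text by also flagging common spear-phishing tells: a look-alike domain, a display name that imitates an internal address, and a Reply-To that differs from the From address.

```python
"""Classify inbound mail as internal or external from its headers and tag it.

Added example, not from the article. Assumptions:
  * INTERNAL_DOMAINS is the organisation's own domain set (hypothetical).
  * The gateway stamps an Authentication-Results header, so a message that
    merely claims an internal From: address is not trusted unless DMARC passed.
"""
import re
from email import message_from_bytes
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own domains
EXTERNAL_TAG = "[EXTERNAL]"

# crude homoglyph normalisation used to spot look-alike domains (examp1e.com)
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _canon(domain: str) -> str:
    d = domain.lower().translate(_HOMOGLYPHS)
    d = d.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z]", "", d)


def _is_internal_domain(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def _is_lookalike(domain: str) -> bool:
    return (not _is_internal_domain(domain)
            and any(_canon(domain) == _canon(d) for d in INTERNAL_DOMAINS))


def classify_sender(raw: bytes) -> dict:
    """Return a verdict ('internal', 'external' or 'suspicious'), the reasons,
    and the subject line as it should be delivered (tagged unless internal)."""
    msg = message_from_bytes(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    dmarc = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    dmarc_pass = bool(dmarc and dmarc.group(1).lower() == "pass")

    reasons = []
    if _is_internal_domain(domain) and dmarc_pass:
        verdict = "internal"            # genuinely ours, authenticated by the gateway
    else:
        verdict = "external"
        if _is_internal_domain(domain):
            reasons.append("internal From: domain without DMARC pass (spoofed?)")
        if _is_lookalike(domain):
            reasons.append(f"look-alike domain {domain}")
        if any(d in name.lower() for d in INTERNAL_DOMAINS) or "@" in name:
            reasons.append(f"display name imitates an address: {name!r}")
        _, reply_to = parseaddr(msg.get("Reply-To", ""))
        if reply_to and reply_to.lower() != addr.lower():
            reasons.append(f"Reply-To differs from From: {reply_to}")
        if reasons:
            verdict = "suspicious"

    subject = msg.get("Subject", "")
    if verdict != "internal" and not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"
    return {"verdict": verdict, "from": addr, "reasons": reasons, "subject": subject}


# Constructed sample messages (not real traffic).
SAMPLE_INTERNAL = b"""From: Payroll <payroll@example.com>
To: staff@example.com
Subject: March payslips
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Payslips are now available.
"""

SAMPLE_SPEAR = b"""From: "ceo@example.com" <ceo.office@examp1e.com>
Reply-To: ceo.urgent@mail-relay.invalid
To: finance@example.com
Subject: Urgent supplier payment
Authentication-Results: mx.example.com; spf=pass; dkim=none; dmarc=none

Please process the attached invoice today.
"""

SAMPLE_SPOOF = b"""From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: Password expiry
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail

Log in here to keep your password.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_INTERNAL, SAMPLE_SPEAR, SAMPLE_SPOOF):
        result = classify_sender(raw)
        print(result["verdict"], result["subject"], result["reasons"])
```

Run as a script it prints the verdict for each sample. In production the same logic lives in a gateway transport rule or milter; the point of consulting Authentication-Results is that a message which merely claims an internal From: address must not escape the tag.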

Additionally, organisations should ensure employees are educated to understand what spear phishing is and how it can be prevented. This information can be simply delivered through eLearning on cyber security.


Remote or hybrid working

Over the past two years, successive lockdowns and a shift in attitudes have led businesses to adopt mass remote working or move to hybrid models. In 2022 it is clear that remote and hybrid working are here to stay, with 85% of managers surveyed believing that teams with remote workers will become the norm.

However, remote working presents a number of challenges to an organisation’s cyber security. Data supplied by Darktrace to The Guardian revealed that the proportion of attacks targeting home workers rose from 12% of malicious email traffic in March 2020 to more than 60% six weeks later when the nation was in lockdown.

Risks like unsafe networks, digital file sharing, and outdated software make up part of a long list of risks that should be addressed by all organisations with remote workers.

These risks should not deter organisations from allowing remote work; they should prompt every business to bring its cyber security policies up to date so that they cover remote working responsibilities.

Training employees, carrying out risk assessments, ensuring workers connect over a VPN or other secure connection and keep their devices patched, and introducing a robust information management framework will all help protect your business during hybrid or remote working.

Create a culture of IT security in 2022

From larger businesses to SMEs and start-ups, creating a culture of security is one of the most effective ways to protect your business against all types of cyber-attack in 2022 – and you can do this through ISO 27001 and ISO 27002.

ISO 27001 is the internationally recognised Standard that sets out the requirements for an Information Security Management System (ISMS). Its Annex A (114 controls in the 2013 edition, spanning organisational, legal, physical and technical measures) is the catalogue from which an organisation selects the controls its risk assessment justifies, recorded in a Statement of Applicability; it is not a fixed list that every certified organisation must implement in full.

It’s set to be updated in the coming months to reflect the current challenges to an organisation’s IT security – making 2022 a great time to put in place a futureproof framework to protect your business.

ISO 27002, the code of practice that gives implementation guidance for the controls listed in ISO 27001 Annex A, is also receiving its update in 2022. The revised edition restructures the controls into four themes (organisational, people, physical and technological) and adds controls for areas such as threat intelligence, cloud services and secure coding, so that the guidance reflects the challenges businesses now face.

Adopting the latest versions of these Standards is a great way to give your business all-round protection in 2022 and beyond – so you can reassure your stakeholders and clients, fulfil your legal obligations, and keep your information secure at all times.


The new world of cyber crime: What to know and how to stay ahead of attacks 

Article by Helen Sutton

New cyber crimes are discovered and reported on with increased regularity, with some –– such as Colonial Pipeline and JBS Foods –– drawing global headlines.

One increasingly common type is ransomware, which is no surprise given that the number of ransomware attacks on organisations rose by 93% in the first half of 2021 compared with the same period in 2020.

While ransomware –– and more broadly cyber crime –– isn’t new to IT professionals, the recent surge has spurred public and private sector leaders worldwide to seek effective and sustainable solutions to detect, mitigate, and prevent new cyber threats.

Finding solutions is hard because the information landscape keeps widening and diversifying, bringing new risks daily; enterprise infrastructure grows ever more complex; and cryptocurrencies make ransom payments fast and difficult to trace. Cyber criminals exploit the gaps in organisations' understanding of the vulnerabilities this complexity creates.

How did we get here? Where can we go?

Ransomware is far from new: the first ransomware, the PC Cyborg (AIDS) Trojan, appeared over 30 years ago in 1989. Modern ransomware is not only more sophisticated, thanks to better distribution methods and technological advances, but ransom demands have also become far more frequent since the onset of the COVID-19 pandemic. With many organisations forced to shift their workforces to remote working at short notice, cyber criminals quickly targeted the weak points in hastily extended infrastructure.

That’s not to say that remote work solely bears the blame for the proliferation of cyber attacks. While it remains a key factor as remote and hybrid models become more common, the growth, maturation, and sophistication of ransomware continues to have an outsized role. Ransomware groups have become highly orchestrated operations and license their capabilities to other hackers via the ransomware-as-a-service (RaaS) model. Their operating models are similar to that of well-run organisations, including the use of support desks and service level agreements.

Ransomware therefore belongs at the top of the list of threats that leaders should be concerned about.

How have organisations and governments responded?

Responses to ransomware attacks vary. Many organisations pay the ransom, even though government agencies strongly advise against it on the grounds that payments fund and incentivise further attacks. China has banned cryptocurrency transactions, Bitcoin being the currency most ransomware groups demand, and Australia has announced legislative reforms that include a new set of offences to further criminalise ransomware.

It is easy to understand why organisations pay. Their data has been encrypted and held hostage, and they want it back quickly to avoid disruption to the business and the release of sensitive data. Ransomware groups generally do supply a decryption key after payment, although recovery is often slow and not always complete.

But organisations should be aware of a rising trend: double and triple extortion, in which ransomware groups extract additional payments beyond the initial demand. Double extortion adds the threat of publishing the data stolen from the victim; triple extortion extends the pressure to the victim's customers and suppliers, who are contacted and threatened in turn.

How to stay ahead of attacks

Despite these trends, organisations can take practical measures to protect themselves. Start by investing in identifying your vulnerabilities and in technology that detects them in real time, and educate your workforce on the types and telltale signs of cyber crime. The latter may sound basic, but according to Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), 90% of successful cyber attacks begin with a simple phishing email.

She also points out that multi-factor authentication makes accounts 99% less likely to be compromised. Surprisingly, even at large companies, these fundamentals are either in place but not working well enough, or not in place at all.

Although cyber crimes are increasingly complex, mitigating and protecting against them doesn’t always have to be.

The convergence of cyber-physical risks

Cyber crime does not only cause cyber damage. Increasingly, what happens in the digital domain spills over into the physical world.

For example, the ransomware attack on IT services company Kaseya forced Swedish supermarket chain Coop to close around 800 of its stores temporarily, and the ransomware attack on the Irish health service forced it to shut down all of its IT systems, jeopardising patients' health and safety.

A few organisations have responded to the convergence of these cyber and physical risks by creating a security operations center (SOC) that houses both their physical and cyber security teams. In those instances, cyber and physical risks are handled by the same analysts or co-located analysts. We’ve seen this model adopted by some of the big banks. But this approach is still fairly rare.

The power of real-time information

We know that cyber attacks will continue to rise in frequency as well as complexity, and can occur at any given time, anywhere in the world. As such, it is critical that organisations invest in technology that gives them access to real-time information –– where the most relevant information is extracted from large and diverse volumes of data –– so that they can detect cyber threats and vulnerabilities as early as possible and within the context of their people, assets and operations.

Those that do invest in such technology will be able to not only stay ahead of cyber threats, but quickly and effectively mitigate and respond to risks, allowing them to better protect their people, organisation, stakeholders, and bottom line.

About the author

Helen Sutton is Senior Vice President of EMEA & APAC Sales at Dataminr. She has 20 years of experience in enterprise software across multiple industry sectors. Prior to joining Dataminr, she held several sales leadership roles, including those held at Splunk, DocuSign and SAP.


Cyber resilience planning has to be taken as seriously as health and safety for every business

Article by Joanna Goddard, Director of Programmes, Business Resilience International Management (BRIM) and Board Member of Converge.

Cyber-attacks are on the rise. In the past few weeks, hackers brought down the entire IT network of Waikato District Health Board in New Zealand, which led to surgeries being postponed and emergency operations cancelled at public hospitals.

Indeed, this crippling attack was just one among a slew of daily cyber assaults hitting New Zealand's health and hospital network in recent months, according to the country’s Ministry of Health.

In recent days, we read about a ransomware assault on Ireland’s health network where hackers stole health data of thousands of patients, the ramifications of which are yet to be fully realised. Another recent attack shut down an important United States fuel pipeline last month.

Hackers are stepping up their attacks on public health bodies and corporate entities across the world, and the impact increasingly makes the headlines, but these attackers are prepared to hit any business, large or small. So why do businesses not make this a priority and treat cyber resilience in much the same way as they treat their health and safety procedures?

After all, a new start-up will have intellectual property to safeguard, but an unprotected IT and people infrastructure lacking the protocols needed to mitigate a cyber-attack could spell the end of the business before it properly gets off the ground.

The key word here is ‘Prevention’.

The UK Government offers a great deal of free guidance and tooling through the National Cyber Security Centre (NCSC), the cyber security arm of GCHQ. This includes a toolkit for company board members and 'Exercise in a Box', a free service for running a mock cyber-attack drill, much as you would run a fire drill.

Getting your team to work through such a drill will help any business identify the gaps that need to be plugged. It is often a lack of staff training, rather than a weakness in the IT systems themselves, that creates the risk in the first place.

With this support from Government, it is now down to each start-up to engage with its nearest Cyber Resilience Centre and absorb this valuable support. Scotland's equivalent is the Scottish Business Resilience Centre, chaired by Paul Atkinson, Chair of Converge and a renowned start-up investor.

As cyberattack incidents become more sophisticated, there is a consensus that it will be not ‘if’, but ‘when’ a situation arises.

Today's prime concern in business continuity planning should be what happens if your management and IT systems go down as a cyber-attack takes hold. Would you know who your customers are? Can you contact them? Can you contact your suppliers? Importantly, can you still access your bank accounts?

Hacking and online fraud damage any firm, but for small businesses, particularly start-ups with limited resources, they can be devastating. One widely quoted statistic is that 60% of small companies go out of business within six months of falling victim to a data breach or cyber-attack.

In recognition of this, Converge will be hosting a special session this autumn to help academic entrepreneurs adopt strategies for fighting cyber threats.





Is it acceptable for companies to send fake phishing emails to their employees?


Article by Sandrine FRÉMEAUX, professor at Audencia Business School and Yvan BAREL, professor at the University of Nantes

One recent news story that caught our attention was that of US web hosting provider GoDaddy, which had to apologise to its employees after sending them an email promising a USD 650 Christmas bonus and asking them to fill out a form with their personal details, which turned out to be a security phishing test.

The growth of remote working since the start of the epidemic has dramatically increased the risk of phishing attacks. In the UK, HMRC detected a 73% rise in email phishing attacks between March and September 2020.

The fight against phishing is certainly a serious issue, and it is vital that employees are aware of the risks of external attacks by offenders posing as colleagues in order to gain access to confidential information or disrupt systems.

But should management, with the help of IT teams, trick their employees to teach them a lesson about the risks of cyberattacks? Was GoDaddy, like so many other companies, right to test employees by sending them fake phishing emails in order to identify those most susceptible to scammers? The idea behind this type of action is that, once caught out, these "feckless" employees should undertake mandatory cyber security training.

However, several studies have shown that this type of action is far from effective, and can even have harmful consequences.

Firstly, employees who were caught out in this way seemed just as likely, and sometimes even more likely, to be vulnerable to future cyberattacks. Secondly, these ‘guilty’ employees were likely to feel shame, resentment and a weakening of their confidence, and their commitment to the company and their productivity was adversely affected. Finally, it was perceived as a breach of trust by management, making it more likely that the employees would become passive and distrustful, even ignoring future management emails.

Moreover, these fake phishing emails can exploit highly sensitive and vital subjects, for example by making employees believe that they must quickly sign up for a mandatory coronavirus screening campaign. Worse still, the sender name used by the IT department is sometimes that of the company's own HR department, whose function is to protect and help employees, not to trick them.

So why do some organisations choose to trick their employees in such a way? It is undoubtedly the result of a purely rational vision of risk – like vaccination. The employees are ‘inoculated’ with a phishing email, the rationale being that this action, like a harmless injection of virus, should lead to immunity. Or, because IT departments are afraid that in normal circumstances, the training they provide often has little effect, they decide to use shock tactics to jolt their employees out of a false sense of security.

It is above all a human story, a story of IT departments fearing that their training will be badly received and not understood. But the problem is that those employees who are caught risk being presented as naive, reckless or irresponsible, when they are more often the victims of a lack of education. And the responsibility for this clearly lies with IT departments.

By opting for this type of action, IT departments forget that many employees are in fact eager to be educated, to be helped, to be supported, and to know more about IT cyber security. And as a result, the tricked employees are less likely to see IT cyber security training as a positive step, but as a sanction or a threat.

Employees need to be supported by IT teams to protect themselves against cyberattacks. The gifts of time, attention, vigilance and information from IT departments are precious, and they are even more valuable when they can be received in a spontaneous manner. No matter how anxious management teams are to ensure the highest standards of resistance to cyberattack, they must completely resist the temptation to stigmatise staff. They should instead choose a dynamic of mutual aid and support, delivered without fear or coercion, allowing all employees to work efficiently and to feel safe at the same time.