New year – new awareness for more data security?

1. Understand security risks from IT/OT convergence and cloud use holistically.

Operational technology (OT), software and hardware for monitoring and controlling industrial plants and processes, used to be isolated solutions, separate from the IT systems in the company. Today, with the Internet of Things (IoT), it is increasingly networked electronic solutions that are merging with classic information technology (IT): the so-called OT/IT convergence. While IT manages all systems and processes for data processing, OT does this for machines and facilities. In short, IT takes over the productive and OT the operational control processes – in a connected and interlocking way. Many advantages such as remote work, AI, big data, machine learning, etc. are possible in this way. 

And at the same time, the growing OT cloud migration provides many attack surfaces, because often outdated industrial protocols are used, accesses are not sufficiently secured and, above all, vulnerabilities are not patched. Claroty's latest ICS Risk & Vulnerability Report provides a lot of knowledge about security vulnerabilities in industrial control systems (ICS). And frightening numbers: 71% of all vulnerabilities are classified as high or critical. 90% have low attack complexity and offer easy play to repeat offenders.
Accordingly, the first maxim for action in 2022 is:  
We must address the threat situation by making data security in the cloud the top priority. To achieve that, OT/IT risk areas such as misconfigurations, vulnerabilities and identity and access management must not be considered separately, but as a cohesive whole for secured business continuity. Encryption can prevent tools from gaining access into network resources. Authentication can prevent identity misuse through a sophisticated authorisation concept.
 

2. Understand cybercrime-as-a-service (CaaS) as a new reality and defend against it in the best possible way.

Some reports of successful hacker attacks from last year read like scripts for science fiction movies. Unfortunately, they are not. Ransomware groups in particular continue to professionalize on the darknet and are already openly placing ads to find experts* to destroy backup technologies in order to have even more leverage against companies. And the blackmailed companies reliably pay to become masters of their data again – according to various surveys on the web, over 80% of all ransomware victims comply with the ransom demands. Mostly in Bitcoin, since no payment channels can be traced this way. It is therefore a lucrative market with classic business models.
In exchange for licence fees, you can buy malware, even with technical support. These are no longer isolated nerds, but well-organized cybercrime groups with names like Lockbit, Avaddon, SunCrypt or Hello Kitty.

Whether it's changing ransomware tactics that encrypt data, DDoS attacks that cripple networks or increasing Active Directory attacks that directly access user permissions – the variety of potential threats to digital infrastructure is high and demands a great deal of knowledge from those who are responsible for information security in the company in order to be able to identify and manage cyber risks. As well as an interdisciplinary team of different IT specialists*, stakeholders* and the management. Because no one can know all the risks or assess them correctly in terms of their significance for the company, nor can they know the probability of occurrence or the possible consequences. These are discretionary decisions to be made jointly. But there are now proven techniques with qualitative and/or numerical values. Mostly, the risks are mapped in a matrix to show probability and impact and to estimate a quantification of the possible damage. This is the only way to check whether the costs for countermeasures are appropriate. The fact that this will never be a finished process, but must be regularly checked and new countermeasures must be taken, is a matter of course in the highly agile cybercrime scene. The goal must be to become more resilient to attackers*, because preventing the attacks is nearly impossible – the methods are significantly ahead of previous measures.

To show at least a glimmer of hope: A growing awareness of cyber security, as well as increasing efforts for uniform software security standards and the emergence of a global cyber security alliance are the right ways to strengthen the overall level of security.
 

3. Recognize the role of each individual employee* in the company and strengthen their personal responsibility.

In all surveys on the web about cyber security, employee negligence is considered the biggest security threat to companies. Together with the trend toward location-independent working.

In the last 2 years, the number of home-based jobs has increased exponentially. Equally explosive has been the increase in credentials for SaaS & cloud platforms. Interfaces and network resources have not been protected to the same extent. As a result, ransomware attacks and data theft via remote access connections have been on the rise. Often with identity theft of employee data captured via their private internet connections. Zero trust or passwordless authentication should be standard in any company that enables remote work. But it isn't. Just one example. And there should also be clear rules for dealing with company-owned or private devices used for work. But even these are still missing in many companies today.

So, is employee negligence really the biggest security threat? Or is it not rather the lack of awareness at management levels that personal responsibility can only develop if one understands one's own role within the big picture? In other words, everyone in the company needs to be much better involved.

It is essential to pick up employees in their daily work environments – with simple, understandable language and easy-to-follow examples. However, the entire IT language is riddled with abbreviations and highly complicated strings of technical methods. This stirs up fear and rejection, offers no clarification and does not create a basis for personal responsibility. Cyber risks come from people and cyber security is for people – this is too often missing as a mental basis when communicating the increasing threat situation. Training is not enough. A process instruction is not enough. Regular repetitions are not enough if the multitude of risks is not illustrated with practical examples from your own daily work. Basics and terminology can be taught via interactive quiz formats. Acting out concrete scenarios helps to demonstrate the understanding of the entire networked structures. This is the only way to increase the awareness of all employees in the company in the long term. And this is the only way to ensure that IT requirements are observed and that, for example, new, unprotected applications and services are not installed at the user's discretion, which may make working at home easier, but certainly pose a massive threat to the company.