Cybersecurity threats to businesses are not only more numerous than ever but are now becoming more sophisticated through the use of artificial intelligence (AI) by perpetrators and more dangerous in their use for geopolitical aims.
In its annual review of cyberattacks released in January, threat intelligence researcher Check Point found that organisations around the world experienced an average of 1,158 weekly cyberattacks each during 2023 – a rise of 1% from 2022.
It was revealed in April, meanwhile, that half of businesses in the UK (50%), 70% of medium-sized businesses and nearly three-quarters of large businesses (74%) had experienced some form of cyberattack in the last 12 months.
GlobalData analytics indicate that companies are aware of the importance of cybersecurity, with it placing 13th out of over 130 in a list of the most mentioned themes in company filings globally and across industries from May 2023 to April 2024.
Despite that, GlobalData’s recent Thematic Intelligence: ESG Sentiment Polls Q1 2024 found that only 8.8% of businesses believe that cybersecurity is the theme that will affect them the most over the next 12 months. High inflation (36.2%), geopolitical conflict (35.9%) and digitalisation (10.5%) are all viewed as more pressing issues.
In contrast, a recent survey by ClubCISO, the members’ forum for information security leaders, found that 62% of chief information security officers (CISOs) agree that the industry as a whole is not equipped to deal with AI cyber-attacks, with 63% saying they rate the severity of the threat posed to their businesses by AI cyber-attacks as critical or high. Indeed, 40% of respondents said the emergence of AI hasn’t altered their priorities, and, for more than three-quarters (77%), AI hasn’t triggered a change in cybersecurity spend.
Of this, Rob Robinson, EMEA head of Telstra Purple, which runs ClubCISO, tells Verdict: “The vast majority of organisations that we found in these findings have done nothing to increase their funding to increase their spend in terms of cybersecurity to address what is obviously going to expedite the type of sophistication, the volume and the complexity and the autonomy of threat that organisations are facing … The vast majority see it as a threat, but the vast majority aren’t spending money on it.”
Sophistication of cyberthreats
Notably, the methods by which cybercriminals are perpetrating attacks are much the same as ever, with AI mainly being used to facilitate and improve existing approaches.
“I would say that the threats themselves are not necessarily changing,” says Barry O’Connell, senior vice president and general manager for EMEA at managed detection and response firm Trustwave. “The techniques and tools and approaches that people use are broadly the same, but they’ve got way more sophisticated.”
Richard Hummel, threat intelligence lead for network visibility platform NetScout, agrees, commenting: “They're not attacking them with novel methods. They're not using necessarily new attack vectors. They're not using zero days. They're basically just using the same thing they've been using for a decade or two and just using it in new ways, or they're going after different assets, or they're putting a little bit more forethought into what they're attacking.”
Robinson too has found that, despite the advancements in AI, it hasn't changed the approaches of cybercriminals. “It's just exactly that it's compounded, expedited and accelerated the volume of threats in those given technology areas,” he says.
He adds: “It comes down to volume and adaptability. AI can do that in a way that a human just can't. Instead of applying some kind of scripting-based approach or some kind of level of human sophistication and intelligence, that sophistication and intelligence is being applied by artificial intelligence to an increasingly effective level, and therefore the take up or the exposure is becoming far more rapid and far more sophisticated.”
Coupled with the greater sophistication with which AI can deliver the types of attacks with which businesses have become familiar is a recognition that attackers themselves are becoming more organised. Hummel suggests that the cyber-criminal “underground” has shifted from an individual doing individual things to a more organised ecosystem.
“I'm going to code the malware, you're going to do the spam messaging, you're going to write the spam messages, you're going to host my infrastructure,” he says by way of characterizing this shift. “And that's been an evolution in progress for five or six years. So, they've already begun that transition, and it's only continued to this day. You have an entire criminal ecosystem now, where you can basically outsource a lot of the aspects of a campaign.”
This greater level of organisation means that criminals are also being more selective in how they target businesses.
O’Connell explains: “What [organisations] are finding now is that the attack surface is much, much larger than they thought it was originally. It's not just your PCs, it's now your operational controls and your factories or your oil refinery or whatever it might be – that is now part of that attack surface.”
Elaborating on this, he adds: “The challenge is that a lot of these organisations – particularly when you look at healthcare, manufacturing and so on – have very, very long supply chains. What we're seeing is that there are a couple of attack vectors that are very, very common. There’s email that everybody talks about, but the other is the supply chain and the ability for a bad actor to enter into the weakest part of that supply chain.”
Cyber risks for organisations
The recently published 2024 edition of GlobalData’s Cybersecurity report notes phishing, malware, water holing and zero-day exploits as being the main untargeted threats organisations face today, with spear-phishing, distributed denial of service (DDoS) and supply chain attacks as the main targeted forms.
Supply chains – both physical and digital – have become a target for attackers looking either to infiltrate company systems through third-party access or integrations or simply to cause disruption.
Of the issue, the report explains: “Cyberattacks targeting software supply chains are increasingly common and are typically devastating. These attacks are effective because they can take down an organisation's entire software supply chain and services, resulting in massive business disruption. According to IBM’s 2023 Cost of a Data Breach report, supply chain compromises took an average of 233 days to identify and 74 days to contain, for a total lifecycle of 307 days. That average lifecycle was 37 days or 13% longer than the average lifecycle of 270 days for data breaches attributed to another cause. In the 2023 study, 15% of organisations identified a supply chain compromise as the source of a data breach.”
The report also notes that governments worldwide are beginning to take supply chain security seriously and cooperate more closely to prevent such attacks due to their potentially severe results. Indeed, the potential for creating chaos and tension is one reason why cyberattacks like those targeted at supply chains are not just focussed on businesses but on geopolitical aims too.
Geopolitical cyberattacks
“I would say that attacks associated with geopolitical events are greater than ever before,” says Hummel. “Honestly, if I had to pinpoint the turning point, it was when Russia invaded Ukraine ...”
“It's happened sporadically throughout history, but now it seems like nearly every political move, or every major thing, or anybody getting up talking about how they're going to send humanitarian aid to Ukraine or Saudi Arabia, and Germany coordinating together for arms movements and things like that – all of these like major kinds of cross international conversations, things that impact NATO, things that impact the United Nations – all of this stuff seems to be like a prime opportunity for these hacktivists to sow chaos or to speak out their agenda.”
One such recent example – actually prior to Russia’s invasion of Ukraine – was when Sweden applied to join NATO. The country saw an onslaught of DDoS attacks, with a NetScout report stating: “This signalled a spike in unseen tensions and retaliation from several politically motivated hacker groups. In fact, Russian hackers disrupted government operations in Sweden via ransomware attacks.”
Relatedly, Hummel points to quasi-governmental websites as being an area in need of greater protection.
“If I had to choose any one area that I think should have a little bit more attention paid to it, I would say a lot of websites that deal with political issues that are not necessarily the straight government, they're not government administrative portals or things like that, but they're sites that handle government information, or that handle services or messages that are relevant to the public audience,” he says.
“Take, for instance, all of these geopolitical conflicts that are ongoing right now and you think of the Anonymous Sudans and the NoNames and all these other threat actors. There are like 1,200 threat actors I think that we've seen in the last six months, just everywhere, and every time you put one down, there's 1,000 others that come back. These guys, they want to sow discord, they want to sow chaos, they want to upset the masses, they want to create paranoia and fear, and so often they will go after websites that are not necessarily critical, but it gets people thinking, ‘Wow, they just took that down. What else can they do?’”
Sectors at risk
Elsewhere, the types of organisations most at risk of cyberattacks are understandably those with the most to lose, such as those in financial services and healthcare. Hummel, though, believes financial services is second only to government for its digital security – and that the need for such security because it handles money is not the only major factor.
“One of the reasons I firmly believe that they are like that is not just because of the money because these guys share knowledge,” he says, referencing finance, banking, commercial banking and insurance specifically. “FS-ISAC, right? It’s a great resource, and most of the major players in the banking industry are part of FS-ISAC. They freely share all of this information. ‘Hey, we saw this threat. It’s coming in this way. Here’s the network. Here are the details. Here are the characteristics. Here’s the analysis’.
“And it’s a group-think, and it’s shared knowledge so that everybody knows what’s out there and what’s impacting them. And that in turn, translates to better security postures for a lot of these organisations.”
The Financial Services Information Sharing and Analysis Center (FS-ISAC) is an international not-for-profit membership organisation with the stated aim of “reducing cyber risk for the sector through intelligence sharing.”
Noting that there are ISACs for various other industries, Hummel says of their value more broadly: “You can see that the maturity level of a lot of these security professionals that are part of these things is much higher than those that are not because [the latter are] not benefiting from that group-share. I think that plays a big role. This re-education process, making sure that everybody’s aware of what’s happening out there, there definitely are tiers of who’s prepared.”
Healthcare has, at times, been a sector less prepared than it should have been. In the UK, for example, outdated software has left the National Health Service at risk on occasion. More broadly, though, the sensitivity and thus value of the data within healthcare globally makes it a major target.
“The value that is happening in healthcare is really around patient data and being able to get that,” says O’Connell. “What we're seeing now – and it’s probably more in the US at the moment given the healthcare system there – is significant ransoms several times higher than the average being paid by healthcare organisations, not to mention the impact of the revenue loss.
“We'll see hundreds of millions of dollars of revenue loss in these organisations because they can't operate, and then they will ultimately pay the ransom. So, I think that what's happening is, and again, this is not unusual for a lot of criminal activity, is that the organisations that probably are least prepared, or historically have been least prepared, are where we're seeing an increase in the number of attacks. Healthcare tends to be fairly soft.”
O’Connell also notes that Trustwave is seeing legal and services firms as being increasingly at risk of attacks.
“Legal firms have a lot of data, they often have a data repository – some tool that's used specifically for that industry – but a lot of that floats around through email, goes out to external counsel, comes back in again,” he says. “What we're seeing is the value of that IP and your reputation as a law firm is that data. If I find out that someone is in a court case and I can get a hold of the information, then, as a legal firm, I can start asking for terms if you want this information back, if you don't want to put this public.”
While some sectors and businesses may be more at risk than others, the reality is that all are increasingly at risk.
Of this, Robinson says: “I think as much as we could pinpoint some risks and exposures in given market verticals, it’s more about understanding that combined threat profile and that combined risk.”
Prevention and protection
Few organisations today do not have measures in place to protect themselves from cyber threats. The difficulty is knowing what is needed, how much must be spent and how to stay up to date with an evolving threat landscape.
“One of the challenges we have is that the definition or identification of a return on cybersecurity investment is somewhat nebulous,” says O’Connell. “You're basically trying to prove a negative. It’s an insurance type of approach. So, it is challenging when businesses have those dilemmas of where to invest, particularly from a digital perspective. ‘Should I invest in enhancing my platform, identifying more and more use of social media, my marketing campaigns, or whatever it might be?’
“And then someone says, ‘Well, you got a bill here for 20 million to do a cybersecurity programme.’ And the question is, ‘Well, what's my return on that?’ It's a challenging conversation to say, ‘Well, will you guarantee that I don't get hacked, or will you guarantee that I'll be secure?’ And the answer is, if you’ve got any sense, the answer is, ‘No, I can't guarantee that at all!’
“‘So, what, do you want me to spend 20 million on this thing that you can't guarantee is actually going to improve anything?’ ‘Well, yeah, I do.’”
Despite the difficulties in working out how to apportion cybersecurity investment, it remains a critical expenditure. And, over time, the sector itself has developed.
“Now, the conversation in security is not necessarily prevention as the cornerstone but visibility,” says Hummel. “What we want to try to do is detect a threat as soon as possible. If you can detect that before they compromise you, awesome, right? Do it. If you can't, you need to detect them the moment they enter or very soon thereafter. You also need to have forensic evidence. If they do compromise you, what did they do afterwards? How do they pivot laterally? Did they exfiltrate anything?”
Hummel adds: “From the defender’s point of view, we need to ensure that every single piece of exposed infrastructure you have on your network is under protection. It's not sufficient to say that, ‘Well, just my critical asset over here is secure and I'm fine.’ Not necessarily because, even if your critical assets stay up, if all the other dominoes around you fall, you're still going to have egg on your face, right?
“Adversaries will absolutely capitalise on that. And they'll boast about it. And they'll make claims. And then, all of a sudden, you have a very persistent journalist that comes and says, ‘Man, this got taken down and here's the proof of it.’ And now you've got this article on CNN, and this company says, ‘Well, hey, our critical stuff never went down.’ Doesn't matter. Some parts of you went down. And so now you have reputation damage, right?
“So, we just need to think about things from that point of view is just make sure everything you own, everything that has a network footprint is protected. And understand that the adversaries are using the same old stuff over and over again, but they are changing what they're targeting. They're changing necessarily, how they're going after those assets.”