Sam Curry, the Chief Security Officer at Cybereason, tell us how companies can overcome digital security and privacy challenges
What are the top three cybersecurity trends we should be looking out for?
Ransomware attacks are increasing at a rapid rate and the attackers won’t relent. In many ways, companies and organizations have to pull themselves up and tackle the ransomware problem head-on. Solving the problem starts with education and preparing for this now. Preparing to ensure that if hit, the least damage occurs as possible. Reducing the blast radius, and ensuring recoverability are critical. These are fully within organizations’ controls, but it will require investment and attention. Ransomware can be stopped with a detection mindset. Don’t let them spread and plant Ransomware throughout. Catch them and kick them out before they detonate their payloads.
We will continue to see COVID-19 related cyber threats against healthcare facilities, research companies, and those organizations in the supply chain distributing the vaccine. Kudos to the pharma and research companies for working with law enforcement agencies to face these threats head-on with advanced cyber tools and improved security hygiene. Motivated hackers will be successful every time they attempt to hack a company because they are well funded and are looking to reap both financial and political fame. As the protection surface expands to mobile, the cloud, and other potential attack vectors, those companies that can detect a breach quickly and understand as much as possible about the hacking operation itself, will be able to stop the threat and minimize or eliminate the risk altogether.
Risks to mobile phones and devices are real because of the challenges that remain in securing the remote worker. Business executives represent a higher risk since their access to critical systems through mobile devices is not commonly restricted by the same higher degree of protection and limits imposed on other employees. Adoption of endpoint and mobile endpoint management and protection and response solutions will expand in medium and small enterprises and help reduce the risks.
What sort of security challenges are people facing when working from home and how is your company equipped to handle those challenges?
Much like a video game, we’ve beaten the IT and security challenges of WFT levels 1 and 2; but the end of 2020 brought with it new classes of attack that won’t take the same simple solutions going forward. 2021 and future “levels” in this WFH world (and eventually work from anywhere or WFA) will require us to realize that the attackers are adapting to attack the new enterprise footprint: home ISP connectivity, ancient printers and routers, IoT, social networks, and more. Attacks like SolarWinds and Hafnium reminded us of one dimension around supply chains, but new dimensions for attack are going to emerge now, and attackers have had time to develop these attack types.
What this calls for is new strategies ahead of time: prepare in peacetime, pursue least trust environments, build according to an Internet Café model where we expect networks to be compromised, invest in new education, certify home workspaces, and most importantly take a detection-first mindset. After you build security, assume compromise and constantly be improving how to uncover that, remediate it, minimize its damage, and so on.
How has ransomware evolved during the pandemic period and what are you doing to tackle the problem?
Hospitals and research companies and organizations involved in distributing vaccine supplies have faced a constant barrage of ransomware threats over the past year. Ransomware’s popularity has skyrocketed because that’s where the money is. It will continue to grow because it is very profitable to threat actors. To turn the tables on adversaries and return defenders to the high ground we need to deploy solutions that can stop it cold — we need to collaborate, we need to prepare ahead of time or the beast will continue to get fed and keep on growing.
If your company suffers a ransomware attack and your network is taken offline, it is critical to make a risk-based decision on paying or not. Before paying, check with your lawyers and law enforcement and make sure they aren’t a prohibited organization and that they will give you what you’re paying for: access and confidentiality. There is no honor among many thieves, but the various groups do have track records and past behavior is a good indicator of the future.
How can companies overcome digital security and privacy challenges?
Just as there are tradeoffs between security controls and ease-of-use, there are also tradeoffs between security on the one hand and privacy on the other. It’s time to dust off those old policies about using personal machines and acceptable use and update them. It’s also critically important for security professionals, and a new class of privacy professionals, to lean in on the business and ensure that companies treat privacy-related data as a privilege, not a right. Classification models have to live and breathe and translate into controls, processes, and real governance for information flow.
Make sure that the data behaves and moves as you decide it should and build controls, to both ensure this happens, and that it is extremely hard to abuse or suborn. Getting this wrong is worse than failure; it could verge on negligence with existential consequences for companies. The best companies will be private-by-design as we used to talk about secure-by-design because privacy and data rights will only get more stringent globally over time, not less!
What are the key factors organizations should consider making sure digital economies of today are secured?
At its heart is the need to be user-centric and respectful of data and how it is used. Have the tough conversations now and make sure the company knows what it sells, to whom, and how; and put the guard rails in place to ensure that the core business doesn’t drift into grey areas or danger zones from privacy and data integrity perspective.