PC Pro

“The prime threats to businesses continue to be the same threats we have seen for the past decade”

When it comes to cyber threats, explains our guest columnist, it’s the same old story – and if your business isn’t prepared, you might be at legal risk

- Rois@redsift.io

In late October 2021, the European Union Agency for Cybersecurity, ENISA, published its Threat Landscape Report. Now in its ninth edition, this report should be considered the primary source material for IT professionals who are serious about addressing cyber threats and mitigating cyber risk.

This is true irrespective of whether you have a technical or corporate risk background. It’s a subject that could easily fill a book, but let’s focus instead on three issues raised by the report. Ignore them at your peril.

Email-related threats

The report distinguishes between email-related threats that exploit weaknesses in the human psyche and our everyday habits, and those that exploit technical vulnerabilities in information systems.

It’s fair to say that familiarity with awareness and training programmes was heightened in 2021 as unsavoury phishing training practices hit the headlines on both sides of the Atlantic.

In the UK, West Midlands Trains suffered a significant public backlash for entrapping its staff with an email containing a promise of a bonus to employees for their loyalty and commitment through the Covid pandemic. Change the location to the United States and the business involved to the Tribune Publishing Company and you can take a good guess at the New York Times headline (pcpro.link/329tribune).

But the damaging headlines don’t end there. In other news, the US enterprise security company Proofpoint agreed to transfer a series of disputed web domains to Facebook.

Proofpoint’s phishing-awareness training platform ThreatSim had used facbook-login.com, facbook-login.net and other lookalike domains related to Instagram. The decision to transfer domains back to Facebook was a sensible choice given it had all the hallmarks of a clear case of trademark infringement. But it does raise the question: if a training course can’t use lookalikes because of trademark infringement, then what purpose do such courses serve?

The answer to that question might well be contained in the insights shared by Professors Angela Sasse and Melanie Volkamer. Their work could save firms significant resources, both in time and money (pcpro.link/329phish). They concluded that not only did phishing training have limited efficacy, but the benefits evaporated within days.

This is particularly interesting given that the same insight is echoed in the latest ENISA Threat Landscape Report: “[D]espite the many awareness and education campaigns against these types of attacks, the threat persists to a notable degree.”

In other words, phishing training courses are not materially benefiting businesses by providing long-term defensive measures.

Prime threats

The second issue, which struck me as I was reading the report, was that while the names of cyber threats have changed over the years, the underlying problems are the same.

To check this, I reviewed the reports dating back to 2012. In the 2020 report, ENISA identified nine prime threats, with the top two being ransomware and malware. From 2019 back to 2015, ransomware and malware were again reported as prime threats. So no change there, then.

In 2014, the two prime threats were ransomware and malicious code. Reading deeper, by malicious code it meant trojans and worms, or what we today call malware. In 2013?

There were differences, but they were again slight. ENISA warned about ransomware and included the terms “rogueware”, “scareware” and “malicious code: worms and trojans”.

The previous year, 2012, the word “ransomware” wasn’t yet part of the lexicon of cyber threats; it was simply referred to as rogueware or scareware. Malware was just worms and trojans.

To put it simply, the story since 2012 remains the same. Only the names have changed.

This should give firms comfort: despite the widespread reports of novel or zero-day attacks, the prime threats to businesses continue to be the same threats that we have seen for the best part of the last decade.

Moreover, and perhaps most importantly, the key trends identified in the report place compromise through phishing emails and brute-forcing of remote desktop protocol (RDP) logins as the two most common ransomware infection vectors.

This shouldn’t be a shock. Oxford University professor of government Ciaran Martin, formerly the founding executive of the UK’s National Cyber Security Centre and its first CEO, has frequently been quoted as saying, “the problems we face are chronic and not catastrophic”.

Lessons to learn

So why is it important to establish that the threats are not novel but remain the same? There are two reasons at the very least. First, directors have a duty to exercise reasonable care, skill and diligence.

This legal obligation can be found in the Companies Act in both the UK and Ireland, and it can also be found throughout the common law world contained in domestic legislation from Canada, Australia and New Zealand. The obligation exists in the US, but isn’t yet codified.

Civil law countries have a similar requirement. The Germans adopted this duty of care into the AktG, the set of laws that governs companies listed on the stock exchange. It reads: “In managing the affairs of the company, the members of the management board are to exercise the due care of a prudent manager faithfully complying with his duties.”

The question that businesses, their boards, shareholders and other stakeholders should ask is this: are directors meeting their obligations to the company if they do not address the most significant known threats to their business?

Threats that, let’s be clear, businesses have been warned about year after year by trusted, independent experts. Threats that are more than reasonably identifiable; these threats are easily identifiable.

This brings me to the second reason why it’s important to establish that the threats aren’t novel but remain the same year on year.

In the event of a cyber attack where business operations are disrupted, the company reputation is damaged because of leaks, or the share price suffers a shock on the news, a solid defence available for firms and their directors is that the threat was not reasonably identifiable.

The courts don’t expect directors to see around corners, but they do expect them to read the writing on the wall. This is all the more pressing when that writing has been on the wall since 2012.

So, when a threat is reasonably identifiable, the next question firms should ask is whether that threat is avoidable, perhaps by transferring or managing the risk.

Cyber insurance provided something of a safety net up until recently. But the insurance sector is reeling from losses and reacting to the explosion of ransomware attacks by requiring clients to implement minimum cyber security standards to address known cyber threats. This is how insurance companies have historically managed other risks.

Essentially, in order to limit their losses, insurance companies are requiring the insured to take reasonable steps to protect themselves and build in digital resilience. Helpfully, insurance firms are specifically calling out certain measures. Going forward, the insured will need to have implemented standards that include such measures as multi-factor authentication, encryption, DMARC and endpoint protection.

Insurance companies operating in the cyber insurance space are now turning away businesses whose cyber security posture is so weak that it bears all the hallmarks of an easy target.

So, if you can’t transfer the risk to the insurance company, how else can you deal with these known threats? One answer is to make sure you have sensible responses to the same questions that the courts will ask:

■ Is the threat well known and understood?

■ Is the solution known and understood?

■ Is it reasonable, proportionate and affordable? (This will depend on the type of business that you are managing.)

■ Finally, would a reasonable director implement it?

Answering yes to all of these and taking no action means your business has limited the defences available to it. Not only in the face of a cyber attack but in the aftermath, which could include compliance issues, regulatory fines and class actions.

To put it simply, if a threat is reasonably foreseeable and avoidable, it is incumbent on the managers of the firm to manage it. This brings us to the third issue: what can businesses do?

Specific mitigation actions

This third and final issue relates to email-related threats and ENISA’s point that associated training appears to have no material impact. You will remember it wrote: “Interestingly, and despite the many awareness and education campaigns against these types of attacks, the threat persists to a notable degree.”

That said, in the recommendations, the authors also wrote: “Provide regular user training on how to identify suspicious links and attachments and how to report them.” This seems unusual if the conclusion is that, despite training, the threat persists to a notable degree.

Comfortingly, however, the report does include solutions that are known to work, including the recommendation to put “security controls into place on the email gateway to reduce the frequency or possibility of the lures arriving to your employees’ inboxes” and to implement one of the standards for reducing spam emails, specifically the DMARC standard that helps protect email users. Reassuring, as the DMARC protocol will turn ten years old in 2022!
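Both the insurers’ checklist and the report’s closing recommendation come down to “implement DMARC”, which in practice means publishing a policy record that receivers will actually enforce. The following is an added example, not code from the column or from Red Sift, that parses a DMARC TXT record and grades whether the policy merely monitors (p=none) or enforces; the domain names and records are constructed samples rather than live DNS data.

```python
"""Parse a DMARC TXT record (RFC 7489 tag=value syntax) and grade its policy.
The p= tag tells receivers what to do with mail failing SPF/DKIM alignment."""
from typing import Dict

# Constructed sample records for hypothetical domains (not live DNS data).
SAMPLE_RECORDS = {
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:reports@monitoring.example",
    "enforcing.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:agg@enforcing.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "broken.example": "v=spf1 include:_spf.broken.example -all",  # an SPF record, not DMARC
}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict, rejecting non-DMARC records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: v=DMARC1 must match exactly and be the first tag; p= is required.
    if not record.lstrip().lower().startswith("v=") or tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags

def grade_policy(tags: Dict[str, str]) -> str:
    """'monitoring' (p=none: reports only), 'partial' (pct<100: only a sample of
    failing mail is acted on) or 'enforcing' (quarantine/reject on all failures)."""
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy == "none":
        return "monitoring"
    if policy in ("quarantine", "reject"):
        return "partial" if pct < 100 else "enforcing"
    raise ValueError(f"unknown policy value: {policy!r}")

def assess_domain(domain: str, records: Dict[str, str] = SAMPLE_RECORDS) -> str:
    """Grade a domain's record; 'missing/invalid' when no usable DMARC record exists."""
    try:
        return grade_policy(parse_dmarc(records[domain]))
    except (KeyError, ValueError):
        return "missing/invalid"
```

Pointing the lookup at real records fetched from `_dmarc.<domain>` turns this into a quick check of whether a policy is enforcing or only collecting reports.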


@rois_cyberstuff Rois Ni Thuama PhD is an expert in risk mitigation and head of cyber governance at Red Sift.

Picture caption: In 2021, West Midlands Trains hit the headlines for all the wrong reasons

Picture caption: Training staff to recognise phishing attacks has only limited efficacy

Picture caption: Ignore the dangers and you may find yourself on the wrong side of the law
