Best practices to defend and respond to cyber-attacks, drawing on analogies with the COVID-19 pandemic, were set out by Brian Honan, CEO, BH Consulting, during this week’s IRISSCON 2021.
Honan began by warning organizations: “What you put in place to defend or secure your network won’t stop the attackers. It will delay the attackers, but a sophisticated attacker will get by your systems eventually, so what you need to do is design your security to delay them long enough to detect them, so you can respond and kick them back out.”
Of the 500 UK security professionals included in a separate survey, 37% admitted their organization has no specific contingency plan for mounting a prompt response to a ransomware attack during weekend and holiday periods. This is despite every respondent working at an organization that had previously suffered a successful ransomware attack.
This lack of preparedness has a significant impact on the capabilities of security teams. For example, over two-fifths (43%) of respondents said they required more time to mount an effective response, and close to a third (31%) indicated they need more time to fully recover from an attack over weekend and holiday periods. This is despite 89% confirming they are concerned about attacks taking place during these times.
According to a 2020 Ponemon Institute report, insider security events increased by 47% between 2018 and 2020. More telling, the average cost of an insider attack is now in the range of $11.1m to $13.3m, 42 times the average ransom paid in 2020. Insider attacks have also continued to evolve in 2021: leadership teams now need to be as concerned about attackers bribing employees to launch a ransomware attack from the inside, or about the insider-threat-as-a-service model, as they are about employees committing fraud or taking IP to a competitor. The danger of an insider threat is very real, and because insider incidents arise in so many and often unsuspected ways, they are difficult to prevent.
The termination gap is exactly what it sounds like: an insider threat created by the time between an employee's termination (or a change in their job role and function) and the de-provisioning of their role-based access to critical systems and assets. According to the Ponemon Institute 2020 Cost of Insider Threats: Global Study, 4,716 insider incidents were recorded across the globe. Criminal insiders accounted for 14% of insider breaches last year, with a price tag of over $4 million, caused by improper user access provisioning.
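The practical control for the termination gap is a reconciliation between the HR system of record and the identity store: every leaver should have a disabled account within an agreed SLA, and every mover should hold only the entitlements of their new role. The script below is an added example, not code from the article or from any product it mentions; the HR records, IAM account states, the role-to-group map and the one-hour SLA are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical role-to-entitlement map (an assumption for this example).
# A real deployment would pull this from the IAM/IGA system.
ROLE_GROUPS = {
    "dba": {"vpn", "prod-db-admins"},
    "analyst": {"vpn", "finance-erp"},
}

# Constructed HR events: "leaver" = termination, "mover" = role change.
# "effective" is when access should have changed; "role" is the new role
# (meaningless for leavers, who should retain nothing).
HR_RECORDS = [
    {"user": "alice", "event": "leaver", "effective": "2021-11-01T17:00:00", "role": None},
    {"user": "bob",   "event": "leaver", "effective": "2021-11-05T12:00:00", "role": None},
    {"user": "erin",  "event": "leaver", "effective": "2021-11-08T18:00:00", "role": None},
    {"user": "carol", "event": "mover",  "effective": "2021-11-10T09:00:00", "role": "analyst"},
]

# Constructed IAM snapshot: account state and current group memberships.
IAM_ACCOUNTS = {
    "alice": {"enabled": False, "disabled_at": "2021-11-01T17:30:00", "groups": ["vpn"]},
    "bob":   {"enabled": True,  "disabled_at": None, "groups": ["vpn", "prod-db-admins"]},
    "erin":  {"enabled": False, "disabled_at": "2021-11-09T10:00:00", "groups": ["vpn"]},
    "carol": {"enabled": True,  "disabled_at": None,
              "groups": ["vpn", "prod-db-admins", "finance-erp"]},  # kept old DBA group
    "dave":  {"enabled": True,  "disabled_at": None, "groups": ["vpn"]},  # no HR event
}


@dataclass
class Finding:
    user: str
    kind: str        # "open_account", "late_disable" or "stale_entitlement"
    gap_hours: float  # how long the excess access has existed (or existed)
    detail: str


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def termination_gaps(hr_records, iam_accounts, now, sla=timedelta(hours=1)):
    """Reconcile HR leaver/mover events against IAM state.

    Returns findings sorted by the size of the gap, largest first, so the
    account that has been open longest is triaged first.
    """
    findings = []
    for rec in hr_records:
        acct = iam_accounts.get(rec["user"])
        if acct is None:
            continue  # no account to de-provision; nothing to flag here
        effective = _parse(rec["effective"])

        if rec["event"] == "leaver":
            if acct["enabled"]:
                # Account never disabled: the gap is still open and growing.
                gap = now - effective
                findings.append(Finding(rec["user"], "open_account",
                                        gap.total_seconds() / 3600,
                                        "account still enabled after termination"))
            else:
                # Disabled, but was it disabled inside the SLA?
                gap = _parse(acct["disabled_at"]) - effective
                if gap > sla:
                    findings.append(Finding(rec["user"], "late_disable",
                                            gap.total_seconds() / 3600,
                                            f"disabled {gap} after termination, SLA {sla}"))

        elif rec["event"] == "mover" and acct["enabled"]:
            # Mover: anything beyond the new role's entitlements is leftover access.
            allowed = ROLE_GROUPS.get(rec["role"], set())
            extra = sorted(set(acct["groups"]) - allowed)
            if extra:
                gap = now - effective
                findings.append(Finding(rec["user"], "stale_entitlement",
                                        gap.total_seconds() / 3600,
                                        "retains groups outside new role: " + ", ".join(extra)))

    return sorted(findings, key=lambda f: f.gap_hours, reverse=True)


if __name__ == "__main__":
    now = datetime.fromisoformat("2021-11-12T09:00:00")
    for f in termination_gaps(HR_RECORDS, IAM_ACCOUNTS, now):
        print(f"{f.user:6} {f.kind:17} {f.gap_hours:7.1f}h  {f.detail}")
```

Run it against exports from the HR system and directory on a schedule (daily is the usual floor, hourly for privileged roles) and route the findings to the SOC; the `open_account` kind is the one that matters on a weekend, because that is an active credential a departed employee can still use. Accounts with no HR record at all, such as `dave` above, are orphans and need their own review, which this script deliberately leaves out of scope.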
Today Code42 announced that it will deliver its data exfiltration alerts and dashboards within the Splunk® Security Operations Suite. Security teams using the Code42 Insider Threat app for Splunk can identify and prioritize the most critical insider risk events, speeding response to data leaks and malicious attempts to exfiltrate data.
The Code42 Insider Threat app for Splunk will advance SOC analysts’ insider threat detection capabilities by making it easier to surface data leak alerts with context, simplifying triage and investigations. Accessible through Splunkbase, the Code42 Insider Threat app for Splunk will help security teams reduce investigation and response time.
According to a 2020 study, the average global cost of insider threats rose by 31% in two years and the frequency of these incidents spiked by 47% in the same time period. The risk is also present for small and medium sized businesses (SMBs). While 72% of organizations reported an increase in insider attacks in 2020, 66% of key decision makers in SMBs do not think breaches are likely to occur. Only 14% of SMBs have any kind of breach defenses in place; the rest are vulnerable to potentially devastating cyberattacks. While daunting, the reality of modern business dictates that companies of all sizes, in all industries, must be cognizant of cybersecurity issues and prepare accordingly.