Cyber lessons for 2022

By Amit Roy Choudhury

While sophisticated security products are a must, organisations need to imbibe a security mindset.

The New Year started off with news that several OCBC bank customers in Singapore had their entire life’s savings wiped out of their accounts after they clicked on links in fake SMS messages purportedly sent by the bank. Nearly 470 customers cumulatively lost SG$8.5 million within a few minutes of clicking the links.

The attack was clearly well-planned. The fake SMS came into users’ phones in the same SMS thread that contained previous legitimate messages sent by the bank, including OTPs (one-time passwords). This gave the message a high degree of legitimacy for the victims.

OCBC is investigating the matter and will no doubt find out what happened. But hackers will move on, refine their techniques and strike other targets using another innovative hacking method. How can cyber chiefs make sure similar incidents don’t happen again?


2022, come what may


One of the few certainties that Chief Information Security Officers (CISOs) will have to contend with in 2022 is that their networks will face a barrage of increasingly sophisticated attacks. This is irrespective of the size of the company or its sector.

Digitalisation, which has been accelerated by the ongoing global pandemic, has increased the value of data and the network. For companies, it is no longer just about losing the data; a lack of access to the network due to intrusion can have devastating consequences.

That is one of the reasons why ransomware was one of the biggest attack vectors in 2021. More often than not, companies would rather pay the ransom than lose, even temporarily, access to the network and data.


Education crucial


Tech is a crucial part of cybersecurity, but employee education in good cyber hygiene is equally important to ensure strong and resilient networks.

A study in 2020 showed that 43 per cent of C-Suite business leaders who reported a data breach cited human error as the second major cause of data breaches. The top cause for a data breach, according to the study, was the deliberate theft or sabotage by external vendors. It is not without reason that the top two causes highlighted in the study were human-related and not technology-related.

Attackers today rarely bother trying to attack businesses through technological means only. They often simultaneously target people, as they are seen as an easy way into protected networks. A well-structured cybersecurity awareness training regime can help educate employees and increase their awareness of cyber threats.

Imbibing a culture of security within an organisation is quite difficult to achieve and requires continuous effort as well as clear-cut guidelines on safe cyber behaviour. There are two reasons why this has to be a continuous process.

First, there is a constant churn of employees and systems. Firms need to establish processes to educate new employees on a company-wide security-first culture.

Second, the threat landscape changes with technology constantly evolving. Employee education needs to keep up with fresh threats.


‘Why’ and ‘How’ important


Employee training should not just cover theoretical concepts. It should cover the “why and how” factors in cybersecurity: why someone may be at risk and how the risk vector could pan out. Firms could regularly send employees to external courses so they can better understand risk factors.

One important requirement is applying cybersecurity guidelines across the company. While levels of network access would vary with the type of work and level of seniority, fundamental security requirements should be the same for every employee, from the junior-most to the CEO.

These include authentication; tracking of which databases are accessed and by whom; and the systems and processes required for actions like requesting payment from the finance department, either for oneself or for a third party.

In summary, advanced security training regimes can monitor security and help develop a culture of good cyber hygiene, making people the first line of defence for network security.


Role-based access


Role-based access control (RBAC) goes hand in hand with employee education. Most companies follow the idea that the higher the seniority level, the greater the access to the company’s data, systems and processes. While it makes sense to assume that senior employees would need more access, it does not necessarily have to be network-wide.

RBAC systems allow organisations to control who can access valuable information at both broad and granular levels. Administrators can designate what an employee has access to and how, as well as assign roles and access permissions that are sufficient for the employees to do their jobs.

The importance of RBAC systems is that even when hackers steal employee credentials to access a network, there is a limit to what files and databases they can access and what they can do with them.


Multi-factor authentication & VPN


Sometimes, simple, common-sense security measures can be as effective as costly cybersecurity software. Studies have shown that weak or stolen user credentials are used in 95 per cent of web application attacks.

Identity theft is an easy, low-risk, high-reward type of crime. It is the fastest-growing type of crime and is now more profitable than drug-related crimes. Two-factor and multi-factor authentication along with end-to-end encryption can ensure that networks are more secure with an extra layer of protection against data breaches.

With remote and hybrid working models becoming the norm, security at a user’s home or place of work has become an important factor for consideration. While company networks are usually secure, an employee’s home network could have an unsecure Wi-Fi connection. This can cause massive problems for network security if a hacker manages to compromise the Wi-Fi. A secure and strong VPN (virtual private network) connection is a must for employees working remotely.

Linked to Wi-Fi vulnerability is endpoint device security. Any device, be it mobile or computer, that accesses the network should have the latest security software and patches before it is allowed access to the system. This ensures that remote workers do not get access to the network using compromised devices, which can give hackers access to the company network.

Finally, regular data back-up is a must. Even in the event of a compromise, say a ransomware attack, the company will have the means to ensure continued access to their most valuable asset – data.

In conclusion, while protecting networks from increasingly sophisticated cyber attacks may appear daunting, simple and relatively easy-to-implement solutions can go a long way in helping mitigate the threat posed by hackers going into 2022.

Amit Roy Choudhury, a media consultant and senior journalist, writes about technology for GovInsider.