No industry is spared when it comes to being targeted by cybercriminals
With attackers becoming increasingly aggressive and better equipped, it is clear that all organisations, public and private, must take appropriate measures to best protect themselves.
The global security market is skyrocketing, as business leaders look to invest in cybersecurity and fortify their defences.
Forecasts indicate the market will reach £275 billion by 2028, driven by an explosion of IoT devices, the proliferation of ecommerce platforms and increased expenditure on virtual private networks (VPNs) to accommodate the new normal of hybrid working. With this in mind, let’s explore some of the key trends that will continue to power huge investment in cybersecurity over the coming year.
An increasingly exposed public sector
As public sector departments continue their digital transformation, more and more services vital to our daily lives are being digitised. As such, the public is expecting even stronger guarantees of trust and transparency regarding the security and use of their data.
Fostering a relationship of trust will therefore continue to be a huge priority for the public sector. This is reflected in the Government Digital Service strategy for 2021-24, one of whose missions is to ensure that the technology platforms underpinning the GOV.UK website are readily available and secure for both the public and enterprises.
For this reason, some public bodies such as the National Cyber Security Centre and the Ministry of Defence are already using the ethical hacker community to help deliver on these guarantees and reassure citizens about the online services they use, and we expect others to follow suit. This year, we’re likely to see more government bodies launch large-scale bug bounty programs to help them develop a strong, visible and tangible cybersecurity posture.
Remote working creates larger attack surface
While the COVID-19 pandemic created major upheaval, it also proved to be the catalyst that made remote and ‘hybrid’ working a permanent fixture, providing employees with more flexibility and often greater job satisfaction. However, this has inadvertently meant that the ‘human factor’ in cyber risk has grown considerably. On top of this, the accelerated migration to the cloud and, more generally, the digitalisation of businesses has only increased their attack surface – opportunities that cybercriminals are keen to exploit.
For this reason, security awareness training of employees will continue to be a major strand of a company’s overall cybersecurity matrix. A proactive approach to security will see businesses look to make ‘cyber hygiene’ everyone’s business; however, it’s important that enterprises do not take a ‘one size fits all’ approach to cybersecurity awareness training.
A company taking a pragmatic approach understands that some employees pose a much greater risk than others, due to their behaviour or their position in the company. Here, a tailored approach to training, personalised for both users and developers, will see enterprises get the best ROI.
Vulnerability Disclosure Policy will be best practice
Following a model promoted by many regulators such as the European Agency for Network and Information Security (ENISA), a growing number of organisations are implementing Vulnerability Disclosure Policies (VDPs). A VDP is a framework that allows anyone to report vulnerabilities in an exposed organisation easily and securely – without financial compensation. Essentially, white hats acting as good Samaritans.
Fortunately, many IT security teams are becoming aware of the benefits of using the cyber research community to help them uncover vulnerabilities. However, to make use of this valuable resource businesses need to provide the security community with a legal and technical framework that protects all parties – which is where a VDP comes in.
From a cost-benefit perspective, a VDP should be seen as a no-brainer for organisations: it gives them the means to be informed of weaknesses in their cybersecurity defences and to remedy them accordingly, at low cost. Not to mention that if a cyber-attack were to occur through a vulnerability that a researcher had discovered but was unable to communicate to the affected organisation, because no appropriate protocol existed, the reputational damage would be catastrophic.
Log4Shell top of mind
Log4Shell, a critical zero-day vulnerability in the widely used Log4j Java logging library, is still on everyone’s mind in the cybersecurity world. This vulnerability, which was discovered through a bug bounty program, is already considered to be the most critical security flaw of the last decade. In short, throughout 2022, Log4Shell will keep cyber experts occupied, with all ‘layers’ of IT systems potentially impacted. It is therefore a real work in progress and one that will require continuous monitoring for many months ahead.
With threats continuing to evolve, organisations know that the protection and resilience of their network is a number one priority. Thankfully, there are solutions, such as bug bounty programs and VDPs, which enable businesses to safeguard their network. Complementing these with security awareness training is a must for organisations to achieve a holistic security posture in the defence against sophisticated threats.
About the Author
Rodolphe Harand is Managing Director at YesWeHack. Founded in 2015, YesWeHack is a global Bug Bounty & VDP platform. YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting more than 35,000 cybersecurity experts (ethical hackers) across 170 countries with organisations to secure their exposed scopes and report vulnerabilities in their websites, mobile apps, infrastructure and connected devices.