Insights

Cybercrime now costs the global economy more than one trillion dollars — each year. This staggering figure is just over 1% of global GDP. This recent data shows how the cost has increased more than 50% since 2018 where global losses were around 600 billion dollars.

It will come as no surprise that cyber-attacks increased to record numbers in 2020, given the disruption and turbulence caused by a global pandemic. 2020 was the busiest year on record for UK cyber-attacks against businesses, with a 20% increase in attempted hacks from 2019. Beaming found that an attack was initiated every 46 seconds on average — with UK businesses each facing an average of 686,961 attempts to breach their defences.

Why has Covid-19 led to a rise in cyber-attacks?

As nations shifted overnight to a working-from-home model, this rapidly accelerated digital transformation plans for many businesses – bringing their plans forward by years. Microsoft believe we saw two years’ worth of digital transformation during the first two months of the pandemic.

Attackers unsurprisingly identified potential opportunities to capitalise on this dramatic transition and pivoted to take advantage. With many users, devices and systems now living outside the corporate network perimeters, a host of new vulnerabilities were being exposed publicly for those organisations that were still relying on traditional legacy security approaches and technology. Much of this legacy technology was designed for situations where everything was kept ‘behind the company firewall’ using an outdated ‘castle and moat’ approach. This left IT managers scrambling to manage remote access, whilst also having to secure what they could as quickly as possible with disjointed piecemeal solutions and little control.

As well as the technical vulnerabilities, hackers also recognised how Covid-19 presented many opportunities to exploit the emotional vulnerabilities of people. We’ve seen attacks from individuals, hacking groups and nation states which all attempt to prey on the widespread fear and uncertainty around the pandemic — for example, fake emails about NHS vaccine opportunities, Government financial support packages or World Health Organisation advice etc.

With disruption comes change, which presents many opportunities for attackers – most of whom are opportunistic by nature and relish the opportunity to capitalise on such events.

What types of cyber-attacks affected businesses?

Businesses faced a range of attack types in 2020. Whilst much of this was in keeping with what we’ve seen in recent years, there were some tangible shifts in the number of attacks, the approaches that attackers took and the reasons for doing so. Here we look at some of the most notable types of attack and how they affected businesses.

Supply chain attacks

A supply chain attack is where an attacker gains access to an organisation by compromising part of its supply chain e.g. a partner organisation or software provider etc. These attacks have been increasing in recent years and are an important topic in security.

In 2020, we saw a massive supply chain attack occur when software provider Solarwinds was compromised, leading to numerous attacks on their customers. The attack will without doubt be considered a watershed moment in cyber security — for being the largest supply-chain breach of all time and also the moment that 3rd party cyber risk became front of mind for security professionals globally.

Solarwinds software is used by tens of thousands of organisations around the world, including governments, with Solarwinds Orion representing one of their leading products. In December 2020, it became known that malicious attackers had compromised the software build process of Orion and had implemented a backdoor to a legitimate DLL file earlier in the year. When Solarwinds pushed out their latest software, this backdoor was then distributed to Solarwinds customers globally in March 2020 as part of this seemingly normal software update.

This then allowed the hackers to gain access to the network of any company that had downloaded the software update — most likely sensitive parts of these company’s networks too. The attacker, now believed to be a nation-state sponsored group originating from Russia, are believed to have first tested code in September 2019. This demonstrates the long-term and highly strategic nature of the attack and shows a very high level of sophistication in being able to remain undetected for so long. For more detail, you can read Microsoft’s article on how the attack started.

It also transpires that the hackers had a targeted list of organisations that they wanted to access (e.g. US Government departments), allowing them to silently steal data and undertake other malicious activity. The attackers were able to cherry pick targets before human operated ‘hands-on-keyboard’ attacks took place from May. In June 2020, the backdoor was removed, although the hands-on-keyboard attacks continued. The hackers seemingly removed the backdoor to cover their tracks, although later in the year the breach became public (in December 2020) when compromised security company FireEye noticed they had been breached via Solarwinds. Forensic investigations are ongoing and the full extent of the attack may never be understood.

Quite simply, this was a supply chain attack on a level that the world has never seen before. Many companies may have been breached that don’t even know it yet. The attackers were able to compromise organisations for months on end whilst remaining undetected. What is certain is that supply chain attacks will now garner significantly more attention for both defenders and attackers. The Solarwinds attack has demonstrated how organisations can be compromised when they don’t even use the compromised product, due to the massive web of interconnectivity that is a global supply chain. No doubt we’ll see more vendor audits etc. in the coming years, but there are significant limitations to such processes. No one would have expected Solarwinds to be breached like that — until it happened.

Phishing and business email compromise

It’s no surprise that Covid-19 related attacks spiked in March 2020 as restrictions and lockdowns took place around the world. Phishing played a big part in this. As people clamoured for new information about the virus, during the initial absence or lack of scientific consensus around the virus, hackers used this opportunity for widespread phishing campaigns. This saw emails delivered asking for payments to fake charities, credential harvesting and malware delivery etc. The Anti-Phishing Working Group (APWG) found that the number of phishing sites doubled in 2020, growing throughout the year.

According to Microsoft’s Digital Defense Report (FY2020), the main types of phishing that enterprises faced included: credential phishing, business email compromise and a mix of both.

Credential phishing is an extremely common technique. Phishing kits are widely available and easy to use, ensuring a low barrier to entry for entry-level hackers. These attacks usually involve an email which has been adapted to look as if it belongs to a well-known household brand. A link will typically divert the unsuspecting victim to a malicious webpage where it will capture the user’s credentials via a fake webform or it might trigger malware automatically to steal credentials from the device or browser. Either way, the attackers can then use the compromised credentials to access the corporate network — allowing them to steal sensitive data or conduct further attacks throughout the organisation e.g. spear phishing or ransomware etc.

Business email compromise on the other hand is a form of social engineering which targets businesses and specific people in roles within that business. This technique involves the attacker sending emails to their victim which will appear to come from someone the victim would usually trust and expect to receive communications from. For example, attackers might impersonate a specific individual (e.g. the company CEO) or spoof a company domain that the victim often engages with (e.g. a partner company that the victim often financially contracts with). If the attacker has gained access to the corporate network via compromised credentials, they may be able to use compromised mailboxes to send emails using a legitimate email address from the company — requesting some sort of financial action to be taken by the victim.

Ransomware

Ransomware continued to prove extremely popular with cyber criminals in 2020, largely due to the profitability for financially motivated attackers. UK-based ransomware attacks jumped by 80% in the last quarter of 2020 compared to the first half. In 2020, we saw a host of high profile breaches which involved ransomware deployment and it continues to be one of the most common types of attack. For example, the well-publicised attack on Australian logistics company Toll Group saw them suffer two separate ransomware attacks in only three months, which caused them issues far beyond the costly ‘contain and remediate’ stages of their response including customer concerns and regulatory impacts.

Whilst many think of ransomware as simply being malware which infects and spreads across devices, encrypting the data and systems it touches like the infamous Wannacry ransomware did in 2017, human-operated ransomware is now a critical threat to organisations and growing in popularity. This type of threat involves cyber criminals gaining access to corporate networks via a variety of entry vectors, before moving laterally across the network using compromised high-privileged account credentials to access various systems. As the attackers move, they are able to deploy dormant ransomware (for activation and file encryption later) and also exfiltrate sensitive data. By stealing company data, the attackers can threaten to leak this data if the ransom isn’t paid – threatening further reputational damage and regulatory penalties which provides another incentive for the victims to pay the ransom.

These techniques being used by financially motivated hacking groups are more similar to the types of advanced techniques often used by state-sponsored hacks. By also planting backdoors in the systems they attack, they also leave vulnerabilities which they can exploit again in future attacks.

DDoS

DDoS attacks involve cyber criminals directing a huge amount of web traffic as a specific website, overloading it to the point where the website is unusable for legitimate users of the business. The financial implications of not being able to transact online can be huge for many organisations. DDoS attacks reached record levels in 2020, increasing by over 20% from the previous year. The shift to ‘remote everything’ meant we found ourselves with a greater reliance on online services as well as greater volumes of internet traffic. This was significant for DDoS attacks, as the financial implications for businesses was often even greater.

DDoS attacks are also becoming more popular due to the rise of crypto currency as a form of payment. In the past, hackers often targeted sites for non-financial reasons, whereas now it’s becoming a very lucrative form of attack for financially-motivated cyber criminals. Attackers can simply contact a company and tell them that their website will be taken down unless they make a crypto payment to the attackers.

What we are also seeing is a continued rise in cheap unsecured Internet of Things (IoT) devices which aren’t properly secured or patched. Thousands of IoT devices are often compromised with malware and then connected to form a Botnet which provides a platform used to launch massive DDoS attacks. Until there’s more regulation of the IoT device industry, these attacks are likely to continue increasing.

What’s the outlook for cyber-attacks and cyber security going forward?

Gartner forecasted that the global infosec market would continue to grow and reach $128.3 billion by the end of 2020. This is a reflection of the fact that cybercrime is a reality of doing business today and the number of attacks continue to rise year on year. Every company, regardless of size, needs to ensure they have a modern cyber security posture — capable of securing the dynamics of modern remote working and a shift to the cloud. Businesses that don’t think they are likely to be attacked are gambling in a high-stakes game; modern attack methods often fail to discriminate between start-ups, SMEs or enterprises and any business can fall victim to cybercrime. Given the huge financial and reputational costs of a successful cyber-attack — investing in cyber security must no longer be viewed as optional.

There is a growing consensus that the pandemic has changed the workplace permanently. If you subscribe to this view too, then you’ll likely agree that the future of work will be based around a hybrid workplace for many companies — mixing remote work and time spent in the office. This digital shift to a modern workplace provides considerable flexibility to organisations and for many will lead to a reduction in OPEX budgets with savings on costs such as office space and business travel. But with this digital flexibility comes an increase in the attack surface (as companies are experiencing now). Therefore, potential cost savings may well be reallocated to support the digital transformations that organisations are now embarking on, underpinned by transformative security technologies.

Next steps

If your organisation experienced security challenges as a result of the shift to remote working, you aren’t alone. There are some next steps which we would recommend considering going forward with remote and hybrid working seemingly here to stay.

Adopt Zero Trust

If your organisation hasn’t started moving to a Zero Trust cyber security model yet, we strongly recommend that you consider doing so. Zero Trust is a ‘boundaryless’ modern security approach designed for modern working (where people, devices and data often sit outside the corporate network perimeter).

A Zero Trust approach deems all users and devices to be ‘untrusted’ and the core principle is simply “never trust, always verify”. Zero Trust also uses a ‘least privileged access’ approach and also works on the principle of ‘assume breach’. By assuming that you will incur a breach eventually, you can put in place measures to prevent lateral movement by attackers.

With the right cloud-based security architecture and telemetry, you can gain visibility across your networks, endpoints, identities, applications and data — regardless of whether your workforce is remote or in the offices — allowing you to identify and stop these attacks before they take hold. An example of this is Microsoft Threat Protection which helps identify and combat lateral movement.

Strategy and simplification

If your organisation is working with a range of disparate security solutions as a result of the pandemic, you probably know how this can add further complexity when trying to secure a distributed workforce. This complexity is something you can reduce going forward.

If you’re already using Microsoft solutions, we recommend adopting Microsoft 365 which provides holistic and powerful security capabilities, designed with Zero Trust in mind. With Microsoft 365, you benefit from a tightly integrated suite of security solutions which can help you simplify your security management and reduce costs by consolidating many of your 3rd party solutions.

We recommend investing in a properly architected security vision and technology roadmap, which aligns with your organisation’s wider digital transformation and business strategies.