
Why a whole-of-society approach is needed to fight cyberthreats
For a large part of the 21st century, we’ve been on the back foot against threat actors. So, when law enforcers announce major “takedowns,” “disruptions,” and arrests, it’s easy to get carried away. Interpol recently hailed the capture of a suspected key figure in the OPERA1ER gang, for example. However, the truth is these are usually isolated successes in an otherwise unchanged landscape. Our adversaries still have the upper hand.
Yet this doesn’t need to be the story of the next decade. With a bigger government commitment, a stronger focus on cyber hygiene, and more public-private partnerships, there’s a great opportunity to wrest back the initiative.
The new frontier of cybercrime
The cloud is the direction of travel for most businesses. Gartner estimates that global spend on public cloud services will grow by nearly 21% to reach $592 billion this year. Separate data from Flexera reveals that 72% of global organizations have a hybrid strategy, and 87% are investing in multicloud environments. But where data and users go, threat actors are sure to follow.
That’s evidenced by a recent survey of 3,000 IT and security professionals in 18 countries, which finds a dramatic increase in the volume of sensitive data stored in the cloud last year. Specifically, 75% of respondents say more than 40% of data stored in these environments is “sensitive,” versus 39% the previous year. At the same time, the share who admit experiencing a cloud data breach in 2022 is 39%, up from 35% in 2021.
The challenge is both human and technical. The leading cause of these data breaches is human error (55%), followed in second place by vulnerability exploitation (21%).
Making an impact
Threat actors targeting cloud and on-premises environments have the advantage of surprise. And they’re increasingly well resourced, making use of service-based offerings freely available on the dark web that lower the barrier to entry for many attacks. But some organizations still make life too easy for their online adversaries.
There are several basic cyber-hygiene measures that, if adopted en masse, could have a significant impact on security posture. Things like multifactor authentication (MFA), sensitive data encryption, regular security awareness training featuring phishing simulations, continuous vulnerability and patch management programs, and more could all count as quick wins. The UK’s National Cyber Security Centre (NCSC) has listed them in this handy “10 steps” document, while in the U.S. there are CISA’s Cyber Essentials guides.
If every organization took the time to follow at least some of the steps, it would make monetization of attacks much harder for many cybercriminals at the lower end of the sophistication scale. Add extra controls like web application firewalls (WAFs) and Zero Trust Network Access (ZTNA), and there’s a solid base for mitigating many of the cloud risks outlined in the above report.
A role for government
But there’s still more we can do. It’s not just network defenders who should have to take the strain. Those in SMBs particularly are often under-resourced and over-stretched. This is where government can play a role. One of the few areas where the UK is genuinely world-leading in this regard is the NCSC’s Active Cyber Defence (ACD) initiative. Now in its sixth year, the program has expanded from its initial focus on public sector security to protect the wider community of the country’s businesses and consumers. It’s about using the state’s cyber expertise and applying automation to achieve more of those quick wins. It includes things like:
- A suspicious email reporting service (SERS), which has helped the NCSC remove nearly a quarter of a million malicious website links from the internet since April 2020
- A mail check service designed to improve compliance with DMARC and other email anti-spoofing/privacy controls
- A web check service that automatically scans participants’ sites for known vulnerabilities and misconfigurations
- A protective domain name service (PDNS) that blocks DNS queries for suspicious domains
- An early warning service that scans organizations’ networks for signs of malware, vulnerabilities, and suspicious hosts
A matter of national security
Losses from cybercrime reported to the FBI stood at over $10 billion last year. The scale of these losses, and the risk to critical infrastructure services from ransomware, have made this an urgent matter of national and economic security. So, it makes sense that governments should, like the NCSC, be leveraging more of their expertise in threat defense to improve baseline security. Where there are gaps, such as in law enforcement knowledge and capability, the private sector should be welcomed as a willing and able partner. Europol already teams up with several security vendors, including Barracuda, on such things as its No More Ransom initiative. We need more of this.
Threat actors are in the ascendancy. But it doesn’t need to be this way forever. With a whole-of-society approach from law enforcement, security vendors, security teams, and consumers, we can make a positive difference. It will be an ongoing journey, but the potential payoff is too great to ignore.
