In cybersecurity, many organisations learn their weaknesses by falling victim to attacks. The average cost of global data breaches in 2023 was USD 4.45 million, so those are expensive lessons.
However, cybercriminals are learning too. By one widely cited estimate there is a cyberattack every 39 seconds, and each one is an opportunity for criminals to refine their methods.
As time goes on, more parts of your digital infrastructure can become security weaknesses, and once-impenetrable barriers can become trivial to breach. Learning from historical mistakes is always important, but you also have to anticipate emerging threats.
Here are three cybersecurity breaches, the lessons to take from each, the cybersecurity solutions that could have prevented the breaches, and the approaches and principles that can protect you now and in the future.
Lesson 1: Cybersecurity threats sometimes look like cybersecurity best practice
In 2020, it emerged that a major US software provider had been breached, and that through it the attackers had gained a route into the systems of thousands of its customers, among them US state and federal agencies.
In a simple but devastatingly effective ‘supply chain attack’, they inserted malicious code into the supplier’s build process, so that it shipped inside a genuine, digitally signed software update. Customers installed the update, exactly as they were supposed to, and in doing so unwittingly gave the attackers a backdoor into their own networks.
The attackers had been inside the supplier’s environment for well over a year before the backdoor was discovered in late 2020. The tainted update reached roughly 18,000 customers; from those, the attackers picked out a much smaller number of high-value targets, moved deeper into their networks, and installed additional malware as they went.
How to prevent that from happening to you
It’s difficult to recognise threats when they look like things you’re expecting to see. Software updates from suppliers are commonplace, and (ironically in this case) installing them is part of cybersecurity best practice.
A trained eye...
A) knows to look out for cyber threats masquerading as legitimate downloads
B) can tell the real thing from an imposter, even when the disguise is convincing
Education is the best defence a lot of the time. This particular attack, however, was harder to catch. The update was not a fake: it was a real release from a legitimate supplier, signed with the supplier’s own certificate, that had been poisoned at source. No amount of vigilance on the part of the people installing it would have revealed the difference.
What’s the cybersecurity strategy to deal with that?
It starts with expertise: you need cybersecurity leaders who are not only at the cutting edge of their field but can also educate, train and advise the wider team on the tricks and techniques attackers use.
You also need a cybersecurity strategy that guards against supply chain attacks and, since some attacks will get through, limits the damage they can do once inside.
- Conduct due diligence on every supplier’s security practices, and make strict security requirements, including a secure build and release process, part of the contract.
- Firewalls are not just for the perimeter. Segment the network with firewalls between systems and devices, so that anything that gets in cannot move freely through the business.
- Managed Detection and Response (MDR) is a third-party service that continuously monitors your endpoints and network for signs of compromise, investigates alerts, and contains the threats it confirms.
- A zero-trust model requires every request from every user and device to be authenticated and authorised, whether it originates inside or outside the network. Nothing is assumed to be safe because of where it comes from, which makes lateral movement much harder for an intruder.
Lesson 2: If it seems too good to be true, it’s probably a cybersecurity threat
In 2022, hackers stole around USD 600m worth of cryptocurrency from the blockchain network that underpinned a popular crypto game.
It emerged that the attackers had got in through a patient, targeted phishing campaign. They approached a senior engineer on LinkedIn about a fictitious job opportunity, put him through several rounds of fake interviews, and finally made him a very generous offer. The ‘offer letter’ was a PDF; when he opened it, malware was installed on his machine, giving the attackers a foothold inside the company’s systems.
From that foothold the attackers obtained the private keys of enough of the network’s ‘validators’, the nodes that sign off on transactions and confirm ownership, to meet the threshold required to approve withdrawals, and they drained the funds.
How to prevent it from happening to you
The brilliance of the attack lay in its choice of disguise. Because the exchange was supposedly about a job at another company, the employee was extremely unlikely to discuss the messages with colleagues or managers, so nobody else ever had the chance to judge whether the exchange was legitimate.
There are two main ways to prevent this kind of breach.
On a first and very basic level, institute a policy about personal files on company computers, forbidding downloads of personal or non-business files. It’s by no means bulletproof, but stands a good chance of deterring many instances of risky actions.
Again, education forms a large part of the defence. It’s not enough to print a policy in a handbook or send out occasional reminders that employees should think carefully about who they might be talking to, or be wary of suspiciously attractive propositions. Meaningful security education requires business leaders who can communicate a message in a way that captures people’s imaginations and leads to changed behaviour.
Neither measure helps once the malware is already running, though, so the damage also has to be contained by design. Compromising one engineer’s laptop should never put a transaction-approving quorum of keys within an attacker’s reach: validator keys should be held separately, ideally in dedicated hardware, and the approval threshold should not be satisfiable from a single compromised foothold.
Lesson 3: There are surprisingly soft targets for cybersecurity threats
In this case, there was no ‘attack’ — data was there for the taking, and as you can imagine, plenty got taken.
A major international provider of co-working spaces was found to be exposing data and documents from over 200 member companies because its shared Wi-Fi networks were weakly secured and did not isolate one tenant’s devices from another’s. One member discovered that his fellow customers’ financial records were on full display to anyone on the network.
The disclosure came as the company was already facing intense scrutiny ahead of a planned IPO, which was subsequently postponed amid a dramatic fall in its valuation.
How to prevent it from happening to you
The short answer is to have appropriate security measures, and to check that they actually work.
In truth, things are more complex than that. A control can be too weak or the wrong fit for your company, in which case it offers a false sense of security or no real protection at all. It may cover some parts of the business very well but not others. It may simply be outdated, so that attackers already know, or can easily find, a way through. A shared network that anyone in the building can join is a case in point: it looks like security, but everyone on it is effectively inside the same perimeter.
To remain truly protected (and indeed to protect your customers), you need security leaders who:
- are familiar with (or even driving) developments in cybersecurity
- understand your sector and organisation deeply, and understand fully the strength and types of measures required
- are commercially aware, so that they appreciate and communicate the impacts of security breaches in a way that will secure the buy-in of C-suite and departmental managers
One cybersecurity solution to prevent all attacks
Your business can’t rely on learning only from attacks that happen to other organisations, nor simply hope that it doesn’t become a lesson to others. You need experts who anticipate threats rather than learn about them after the fact.
Cybersecurity has to be part of the fabric of the business, not a bolt-on or an afterthought. Organisations need people who know how to keep a growing business safe, while keeping it commercially viable and appealing to work for.
RPI specialises in placing exactly those people. The breadth of our network and depth of our sector expertise means that we’re uniquely equipped to find the individuals to fit your business, and the talent to fill cyber security gaps in your leadership.
Email people@rpint.com.