Despite the benefits of governments imposing new legal and regulatory requirements for cybersecurity, these can create counterproductive conditions such as hefty costs for compliance efforts, overly rapid reporting of incidents, or conflicting requirements across agencies or geographies, says Andre Stivala, Technology Leader at Zampa Debattista, as he reviews Microsoft’s fourth annual Digital Defence Report for 2023.
A quick look at human history, as with current international news, will immediately show us how war seems to be inevitable. But, as technology evolves, so does the method of warfare. This also applies in the tech industry where we have all been experiencing another sort of battle - the silent type - which does not take lives, but rather, identities.
Microsoft has just shared its fourth annual edition of the Digital Defence Report for 2023 (MDDR) along with six categories that merit attention. It does so in a bid to strengthen collaboration between the public and private sectors through the power of multistakeholder partnerships, in order to formulate, enforce, and harmonise a crucial set of requirements to improve global cybersecurity and foster innovation, hailing this as a “force multiplier for everyone”.
The data, insights and events in the report span from July 2022 through June 2023 (Microsoft fiscal year), covering cybercrime; nation-state activity; Internet of Things (IoT); critical infrastructure; supply chain resilience; and a drive towards collective defence. It outlines a number of shortcomings and the efforts to mitigate the ever-evolving and constantly changing cyber threat landscape.
One aspect remains consistently evident and clear – cyber criminals continue to remain effective, creative and impactful. The same cannot be said for organisations trying to protect against attacks.
The report exposes a sad truth about the general population’s cyber hygiene across most industries as cybercriminals have broadly attacked all sectors, with education and manufacturing identified as key targets.
Resilience in cybercriminal syndicates continues to grow, leveraging cybercrime-as-a-service, ransomware-as-a-service, and phishing-as-a-service. Vendors and governments alike are taking steps to improve the cybersecurity posture in their products and services e.g., involving Artificial Intelligence (AI) to more effectively analyse 65 trillion signals synthesized daily (equating to over 750 billion signals per second) to understand and protect against digital threats and cybercriminal activity.
Despite the benefits of governments imposing new legal and regulatory requirements for cybersecurity, these can create significant counterproductive conditions, e.g. hefty costs for compliance efforts, overly rapid reporting of incidents, or even conflicting requirements across agencies or geographies.
However, as the defence teams leverage AI, so does the offence. During an interview, Tom Burt (Microsoft Corporate VP, Customer Security & Trust) who co-wrote and presented the report, raised a critical unanswerable question “What does AI mean for cybersecurity?”.
The following statistics on types and frequency of cyber-attacks, stemming from the report, are heavy to digest: “80-90 per cent of all successful ransomware compromises, originate through unmanaged devices and 70 per cent of organizations encountering human-operated ransomware had fewer than 500 employees means that all companies, no matter how small or big, are a target”, and most worryingly, considering the day and age we live in, “password-based attacks spiked in 2023”.
In short, this report shows that those at great risk are small-medium businesses.
It is also relatively clear that phishing is not going away, with “attackers using both malware phishing to compromise devices and (…) steal identities that can be used in further criminal activity such as business email compromise (BEC)”. Instances of data extortion have doubled since November 2022, where “13 per cent of human-operated ransomware attacks (…) included some form of data exfiltration”.
The frequency of BEC increased to over 156,000 daily attempts. Relevant data shows that “password attacks increased (…) to over 30 billion attempts per month (…) translating to an average of 4,000 blocked attacks per second”.
Most attack attempts target unmanaged or bring-your-own devices that “lead to corporate compromise after an employee syncs their workplace credentials with infected home devices”, and “17 per cent of intrusions involved known remote monitoring and management tools (RMM)”. A particularly invisible-to-the-naked-eye attack is cryptojacking, which uses your devices to mine cryptocurrency and makes up 4.2 per cent of cybercrime activity.
Microsoft’s recommendations reveal a certain consistency that resonated throughout the last five (or so) years of cyber experts’ repetitions. Despite the following not needing any introduction, it is with great heartache that the fundamentals of cyber hygiene must once again be illustrated: enable multifactor authentication (MFA); apply zero trust principles; use extended detection and response (XDR) and antimalware; keep systems up to date; and protect all data – what Microsoft calls the “Foundational Five”.
These basic security controls still protect against 99 per cent of attacks. “A recent study based on real-world attack data from Microsoft Entra found that MFA reduces the risk of compromise by 99.2 per cent.”
To those less inclined to technological jargon, the importance of digital transformation cannot be ignored. All industries are seeing economic growth and prosperity as a result of digital transformation, delivering better services at a lower cost. This also powers vital infrastructure like transportation, finance, and electricity. But as we have seen, as dangerous, sophisticated cybercriminals look to exploit crucial weaknesses, the digitalisation of our world has introduced new hazards.
It is, therefore, of paramount importance to strengthen one’s cybersecurity framework and drive growth to modernisation and transformation.