2019 has been a pivotal year in cyber security.
Multi-factor authentication has seen an increased uptake, with over 50% of businesses adopting a more layered approach to their cyber security. Cloud computing also surged in use, especially in the UK, as concerns over cloud security have relaxed over time.
In other news, the effects of GDPR on the sector became very clear, very quickly. Data breaches, for example, now carry far larger financial consequences. British Airways was one of the first businesses to feel the sting earlier this year, having been hit by a £183m fine following a data breach.
We sat down and spoke to Neuways Managing Director, Martin Roberts, and Chief Technology Officer, Toby Stephenson, to get their points of view on the key developments in the sector in 2019.
The Democratisation of Cyber Crime
Over time, we’ve observed a ‘democratisation’ of cyber criminality.
What I mean by this is that even somebody with limited IT skills, and very little wherewithal, can go on to the dark web and buy a phishing kit, or crypto-locking tools, for only a few pounds. With these, they have the ability to ransom victims for their important files.
As Martin mentioned, phishing is one of the most common ways of stealing this data and it’s a modern-day arms race.
No sooner do email filtering systems (the ‘good guys’) detect and prevent one style of phishing, the phishing actors (the ‘bad guys’) evolve and switch it up to use a new phishing style in an attempt to evade the filtering.
It’s an increasingly popular method of stealing credentials, which can then be used to extort money (through blackmail, ransom, impersonation, etc.) or steal data/intellectual property. The actual harvesting and selling of this account data can also be quite lucrative.
The Year of MFA
Multi-factor authentication (MFA) is the layering of security through two or more methods. In short, your password is one factor of authentication. Other factors might include: an authentication token sent to your email address; a push notification to your mobile device; or even biometric authenticator such as a fingerprint.
Fortunately, we have seen increased adoption rates of MFA over the past year. This can be attributed to the rise in credential-based attacks, such as phishing, but also a wider cyber security awareness.
This development is greatly encouraging. Implementing MFA is a fairly simple procedure that blocks 99.9% of automated cyber attacks, according to Microsoft. The reason for this is simple. Passwords can be guessed, no matter how complex they are.
The reason that we always advocate a “Defence in Depth” methodology to security systems is simple – no single solution is 100% effective 100% of the time, no matter how much it costs to buy/run or how much a supplier advises to the contrary, so you need to layer them to give yourself the best chance against the “bad guys”.
I fully expect the uptake in MFA to continue through 2020 as more and more companies begin to realise how this simple addition to their daily workflow can make a cyber criminal’s life so much more difficult.
The principle behind MFA is that it’s possible to guess a password, but it’s far more difficult to guess a password, gain access to an authentication token from someone’s email address or personal device, and have access to a copy of their fingerprint.
Acceptance of Cloud Computing
More businesses are embracing cloud computing, especially in the UK, where it’s estimated that 42% of organisations use the cloud (versus an EU average of 26%).
Part of the reason is that prior concerns about cloud security have relaxed over the years. However, there is also a strong business case for moving to the cloud – or, at the very least, a hybrid cloud approach.
Most cloud software programs bring your data processes together, unifying and consolidating your data into a single place. Microsoft’s offering is just one example of this. With Office 365, your emails, documents, digital media, invoicing software, and business intelligence tools are able to communicate with one another.
Businesses are finding that this level of integration offers significant competitive advantages. Especially when the alternative is siloed data and processes.
It’s not that long ago that cloud computing was viewed with suspicion. There were concerns about security, ownership of the data and the cost model. However, it seems that people have become more comfortable with the security aspects and the data ownership issues.
What is still to become clear over time, is the comfort with the pricing and costs. In the traditional on-premise model, a business was used to the idea that every three to five years there would be a large capital project to buy and install new servers, and associated peripherals. This would be the IT spend for the next period.
Now, the majority of businesses appear to be content for a monthly subscription for the software they use and where it is used. It’s turned CAPEX to OPEX, and it seems acceptable to many. For a while many businesses thought that the move to the cloud would cut out the need to pay MSPs, like Neuways, to look after their systems – believing the cloud provider would make this part of the service. However, the reality is that this model is sometimes more complicated to manage and make work, particularly where some legacy system is involved (typically a business software system) than the ‘traditional model. This may have a bearing on future trends.
Toby’s Top 5 Predictions for 2020
Phishing/Vishing (Voice/Video Phishing) attacks will continue to rise and will become more sophisticated and convincing, especially as deepfakeaudio & video technology becomes more accessible and affordable.
Organised cyber criminal gangs will drive “professionalisation” of phishing campaigns, making them even harder to spot and detect. Continued security awareness training will be a key element in this battle in addition to developments within the detection layers.
Password management software will be adopted by mainstream IT users. Humans are rubbish at remembering passwords – fact. This is why passwords are often so weak and guessed so easily. This is also why passwords are reused multiple times across different services.
Password management software can help with both facets but has traditionally been aimed at individuals or the more technically minded. A new generation of business-orientated password management software is aiming to change both of these perceptions, simplifying usage, and granting robust controls for the organisation whilst maintaining privacy for the end user.
Multi-factor authentication systems will increase in popularity and scope as a proven mature mechanism for increasing authentication security over passwords alone. Organisations will look to adopt Single Sign On (SSO) capabilities to further simplify their login processes and increase security.
Cloud adoption (Software-as-a-Service in particular) will continue as many organisations look to the cloud for new and replacement applications and systems. Some businesses that need to retain on-premise systems will continue to do so but in a hybrid model, migrating and extending into cloud services where connectivity and use case permits.
Reports from the US suggest that managed service providers in that region are under attack as part of elaborate “supply chain attacks”. Cyber criminals are actively targeting the organisations that support the IT of regular businesses to leverage the powerful tools and access rights that are used to provide support.
There have been numerous reported occurrences within the US in 2019 and I predict that there will be at least one significant breach of this nature within the UK during 2020.
Martin’s Final Words
Well, there may well be a small move back to on-premise computing and this may be driven by a price shock and the inability to control costs. Maybe.
More cyber criminality? You bet!
For us as a business, we’ll see a continued dedication to keeping our customers safe whilst striving to always improve the way we serve them. An important part of this will be the delivery of Microsoft Dynamics 365 Business Central – the ERP for SME’s – which will mean our customers and business partners will be able to rely on us to provide and support all of the systems they need to have a thriving business.