Marsh's well-regarded Cyber Catalyst group recently released their Top 5 cyber threats for 2020. (See their report, Cyber Catalyst 2020 Risk Outlook.)
The Top 5 risks are familiar to all of us, but their inclusion emphasizes that they represent the greatest risks today. One clear takeaway from the list is that some of the biggest threats we face are extremely simple for cybercriminals to execute.
Ransomware. Ransomware attacks will continue given the commoditization of tools and knowledge required, and increasingly large sums demanded. Organizations that offer Ransomware as a Service (RaaS) are proliferating and are driving the increasing frequency of attacks.
Privacy Regulation/Data Collection. The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. Like GDPR before it, entities that collect data on covered residents are still figuring out how it impacts them and how they are allowed to collect and use the data.
Supply Chain/Vendor Management. The risk posture of a company’s vendors and suppliers is as critical to its security as its own defenses. Hackers are increasingly exploiting the opportunity for multiple points of access to penetrate high value targets. In addition to attacks on vendors, bad actors are increasingly imitating vendors or intercepting and amending vendor invoices in payment fraud scenarios.
Cloud Migration. More organizations are moving to the cloud to decrease their use of costly on-premises infrastructure and maximize efficiencies. The migration process, and the effort to integrate cloud services with existing systems and data, present risks. Most integration-oriented breach events can be ascribed to failure to secure the cloud environment.
Social Engineering. Social engineering attacks are projected to continue increasing in frequency, sophistication and cost of damage. Social engineering emails on the whole are increasingly cunning, with attackers routing emails from seemingly legitimate senders that feature equally believable design and content to obtain PII and sensitive credentials, such as passwords or access to financial accounts.
The cost of cybercrime is massive. According to the Marsh report, cybersecurity spending in the U.S. alone is forecast to top $160 billion in 2020, and reach $230 billion in 2025. Global spending is a multiple of that. Despite these investments around the world, the impact of cybercrime on the economy is soaring. Marsh notes that Oliver Wyman’s estimate of worldwide losses from cybercrime is $1 trillion.
The FBI reports annually on US internet crime, which is categorized into over 30 crime types including: ransomware; malware; denial of service; phishing (more widely, social engineering); and forms of payment fraud such as business email compromise (BEC).
The 2019 FBI Internet Crime Report indicates BEC frauds are the costliest internet crime events they track. BEC impacted some 24,000 entities in the U.S. during 2019, causing a staggering $1.8B of total losses. Allianz estimates worldwide losses from BEC since 2016 at $26 billion.
A New Model
There is a clear need for new approaches to prevent and remediate cyberattacks. We would like to propose an innovative new model that addresses three of Marsh’s Top 5 risks.
In the realm of privacy regulation and data collection, a central tenet is to give data owners an easy way to control the use of their data. Therefore, consider an approach where the data owner controls access to and processing of their data -- not the data holder. Data owners can grant third parties restricted access by issuing them a simple code which embeds the parties’ IDs, the data permitted to be accessed, and any desired time or location restrictions on use of the data; the code can be validated by the data holder, who can then release the data to the third party with confidence.
Supply chains and vendors create substantial risks: indirect system control, data leakage and payment fraud. Marsh focuses on systems and data loss. The data privacy solution outlined above is applicable when a company needs to authorize a party holding the company’s sensitive product information to share it with a new vendor. Beyond data control, vendors can be required to provide a similar code on any invoice or request to change standing payment instructions. By adding the content-rich code, such transaction requests can be definitively validated as coming from the vendor with unaltered details.
The increasingly sophisticated landscape of social engineering is still a quite simple but very effective form of fraud, and is often an early step in larger, more complex cybercrime events. Many forms of social engineering can be prevented by requiring the party requesting the data to provide the above referenced code.
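The owner-issued data access code and the vendor invoice code described above rest on one mechanism: bind the parties' IDs, the permitted data or transaction, the time and location limits and the transaction details under a keyed authentication tag, and have the holder verify the code before releasing data or paying. The following is an added illustration of that mechanism, not code from the original post and not Authoriti's Permission Code service; it assumes an HMAC-SHA256 secret shared out of band between issuer and validator, and the party IDs and invoice are constructed sample values.

```python
import base64, hashlib, hmac, json

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes
# Constructed shared secret (assumption): agreed out of band between code issuer and validator.
SECRET = b"constructed-demo-secret-do-not-reuse"

def issue_code(secret, issuer, recipient, scope, not_after, region=None, details=None):
    """Issuer (data owner or vendor) builds a code binding the parties, the permitted data or
    transaction, and time/location limits under an HMAC so no field can be altered unnoticed."""
    claims = {"iss": issuer, "aud": recipient, "scope": scope, "exp": not_after,
              "region": region, "details": details}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")

def validate_code(secret, code, issuer, recipient, now, region=None, details=None):
    """Validator (data holder or accounts payable) checks a presented code before releasing
    data or acting on a payment request. Returns (ok, reason, claims)."""
    raw = base64.urlsafe_b64decode(code + "=" * (-len(code) % 4))
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # forged or edited code fails here
        return False, "bad signature", None
    claims = json.loads(payload)
    if claims["iss"] != issuer or claims["aud"] != recipient:
        return False, "party mismatch", claims
    if now > claims["exp"]:
        return False, "expired", claims
    if claims["region"] is not None and claims["region"] != region:
        return False, "location not permitted", claims
    if details is not None and claims["details"] != details:  # presented invoice must match
        return False, "details altered", claims
    return True, "ok", claims

def demo():
    """Vendor codes an invoice; the buyer validates it, then sees a doctored copy rejected."""
    invoice = {"invoice": "INV-1001", "amount": "12500.00", "account": "DEMO-ACCT-1234"}  # constructed
    code = issue_code(SECRET, "vendor-acme", "buyer-ap", "invoice:pay", 1_700_000_000, "GB", invoice)
    genuine = validate_code(SECRET, code, "vendor-acme", "buyer-ap", 1_699_999_000, "GB", invoice)
    doctored = dict(invoice, account="DEMO-ACCT-9999")  # payment instructions changed in transit
    altered = validate_code(SECRET, code, "vendor-acme", "buyer-ap", 1_699_999_000, "GB", doctored)
    return genuine[1], altered[1]

if __name__ == "__main__":
    print(demo())
```

The same validator serves the data access case: a code issued with a data scope and no details is accepted only by the named recipient, within the expiry and region the owner chose.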
With continuously escalating threats, and new regulations coming into effect to address those risks, we need to continue to innovate in our fight against cybercrime.
At Authoriti, we address all three of these risks with one platform. Our mobile-first Permission Code® service enables users to easily originate secure content-rich codes which are highly flexible. To discuss solutions to your cyber risks in a confidential conversation, please reach out to us at firstname.lastname@example.org.