Microsoft: simple cyber hygiene can prevent trillions in cyber risk
This year, Microsoft's Digital Defenses Report focuses on the state of cybercrime, the threat posed by nation-state actors, supply chain security, and the challenges involved in securing a hybrid workforce.
At the back end of last year, analysis from Cybersecurity Ventures predicted that the cost of cybercrime would reach around $6 trillion during 2021, with this figure growing by around 15% per year in the next five years. If that growth curve is accurate, it would represent a tripling of the cost of cybercrime from the $3 trillion it was at in 2015. To put this into perspective, the Covid pandemic was estimated to have cost the global economy around $4 trillion.
Despite this, and despite the Securities and Exchange Commission becoming increasingly strict with financial firms that fail to enact sufficient cybersecurity procedures, it seems clear that organizations are still not doing enough to ensure that both their own systems and those of their partners are secure.
As such, the 18th edition of Cybersecurity Awareness Month seems more pressing than ever before. This year, the event encourages organizations (and individuals) to be “cyber smart,” with perhaps the most important aspect being to ensure cybersecurity is considered from the very beginning of any digital project.
To coincide with the event, Microsoft have released their annual Digital Defenses Report, which this year focuses on the state of cybercrime, the threat posed by nation-state actors, supply chain security, and the challenges involved in securing a hybrid workforce.
“Over the past year the world has borne witness to a burgeoning cybercrime economy and the rapid rise of cybercrime services,” the authors write.
“We have watched this global market grow in both complexity and fervency. We’ve seen the cyberattack landscape becoming increasingly sophisticated as cybercriminals continue—and even escalate—their activity in times of crisis.”
The report draws upon data from across the company's suite of products, including in the cloud and intelligent edge. It also received contributions from security experts from across the company. This helped the company to identify five key areas that they believe organizations, and indeed countries, should focus on:
- The state of cybercrime
- Nation state threats
- Supplier ecosystems, Internet of Things (IoT), and operational technology (OT) security
- The hybrid workforce
The state of cybercrime
Such has been the growth in cybercriminal activity in the past few years that the researchers now argue it has become a national security issue. While most criminal activity to date is driven by financial goals, this should not be taken for granted, especially with state actors increasingly willing and able to get involved in cybercriminal activities.
This issue has been complicated by the difficulties in actually detecting nation state actors as their level of sophistication has risen. Nonetheless, the researchers believe that over half of all nation-state activity has emanated from Russia, with these attacks often targeting other government agencies in an attempt to elicit key information from them.
There have also been high-profile attacks on key infrastructure, which have capitalized on the tremendous growth in connected devices and the Internet of Things throughout the supply chain. The researchers argue that in the past we have tended to view this wider supply chain ecosystem in isolation, but this needs to change if we're to effectively counter the threats it faces, as our ecosystem is only as strong as its weakest node.
This is typified by even the simplest security measures being taken for granted in the supply chain.
For instance, the researchers found 20 million connected devices still using the default "admin" password, which creates a practically open door for cybercriminals to exploit.
A similar level of vulnerability exists among the newly hybrid workforce, with the researchers identifying phishing as the principal weapon for cybercriminals to exploit. That criminals are achieving the success they are again reminds us of the lack of even basic digital security hygiene, as the researchers found that simple steps are enough to rebuff around 98% of attacks.
Shutting the door
Digital technology is now fundamental to everything that we do, and as such, it's vital that cybersecurity is considered not as an afterthought, but as something that is fundamental to the safe and effective development and deployment of digital technology.
"We can’t afford to treat technology and cyber risk as something separate and contained that IT and security teams are left to manage on their own," the researchers write.
"The examples in this report show that criminals will seek to exploit whatever technology we develop and introduce; the challenge is in understanding what form that will take."
The good news is that many of the cyberattacks we face today can be rebuffed by fairly straightforward digital hygiene, whether that's ensuring strong passwords are used, keeping software patches up to date, integrating cyber risk management throughout the business, or implementing architectures that support Zero Trust.
Pleasingly, achieving sufficient cyber hygiene to rebuff the overwhelming majority of cyberattacks doesn’t require sophisticated technology or a highly skilled security department. Instead, it just requires organizations to ensure the basics of cyber hygiene are adhered to. This includes:
- Multi-factor authentication. Multi-factor authentication (MFA or 2FA) prevents the majority of credential-based attacks. This is easier than ever with the kind of passwordless technology that is increasingly the norm in modern software. MFA should be enabled wherever possible.
- Least privilege access. As well as deploying MFA to protect login to key accounts, it's also important to ensure that each account only has access to the systems it really needs. Indeed, the researchers argue that different accounts should be used for accessing privileged systems than for browsing the internet or using email.
- Keep devices up to date. A basic requirement for any device on the network is to ensure that it's both configured correctly and has the latest patches and updates from the manufacturer. Endpoint management software can be a useful aid in ensuring this happens across the network.
- Deploy anti-malware software. Another simple step to take is to ensure that malware protection software is installed and used in addition to more standard anti-virus software. This software can often provide not only protection against attacks but also warnings that attacks are being attempted.
- Protect data. All of the aforementioned steps can prove highly effective at protecting key organizational data, but it's also highly important that organizations have a good understanding of the data they have, and its relative sensitivity and importance to the organization. Indeed, under regulations such as GDPR, this is often mandated and underpins a risk-based approach to data governance.
Microsoft believes that if these fairly straightforward steps are completed, then the overwhelming majority of cyberattacks can be prevented, which, given the sheer scale of the financial risk from cybercrime in the years ahead, seems an investment well worth making.