[Podcast] Cyber security challenges and trends E&U leaders should be focusing on in the year ahead

Cybercrime goes mainstream

Among Chris’s most startling revelations is a sharp increase in smaller-scale attacks by less sophisticated actors in recent years. While these amateur hackers typically lack the scope and skill of criminal enterprises or state-sponsored groups, he cautions that they’re far from harmless.

Not only are these actors unpredictable — motives can range from boredom, malice, curiosity, and greed — but they can also expose security vulnerabilities and sensitive information. Failing to take this threat seriously could, therefore, lead to more brazen attacks and even bigger issues down the road.

He also highlights a growing concern around insider threats. While employees/vendors have always had privileged access to systems and information, their means and opportunity have evolved as subscription-based software and remote work become more commonplace. Leaders need to understand the motives for employees and vendors to commit fraud and cybercrime, how a perceived lack of oversight could embolden them, and best practices to prevent insider attacks.

Chris points to the rapidly growing dark web marketplace for hackers and products of cybercrime as an area where E&U organizations should be especially vigilant. An estimated 80 percent of attacks originate on the dark web. Users require little advance knowledge to access it. And, once on, they can anonymously browse unindexed websites and message boards for stolen login information, intellectual proprietary and personal data, along with cyber criminals for hire and how-to guides for aspiring hackers.

While unsettling, it’s not all bad news. Chris says E&U organizations can also use the dark web to their advantage by proactively crawling these sites to discover what hackers know about them. This information can help find, report, and recover from previously undetected attacks. It can also help organizations adjust cyber security priorities if they discover a potential vulnerability.

Keeping up with the rapid pace of change

The pandemic-driven trend toward remote work has introduced numerous benefits, including more flexibility and autonomy for employees and a larger pool of talent for employers. Chris acknowledges there are numerous to hybrid work and that these models seem to be here to stay. Still, he cautions E&U organizations to be realistic about the ongoing challenges, including:

• Fewer opportunities to socialize: Remote employees may feel less connected to the organization than their in-person counterparts and more likely to pursue new opportunities. This can affect adherence to cyber security best practices by the disengaged team member and their replacement, who will be less familiar with the necessary procedures and controls.
• More technical vulnerabilities: Technologies to support remote collaboration can introduce inherent and user-driven security vulnerabilities that need to be factored into its adoption.
• Increased opportunities for fraud and intellectual property theft: Less direct oversight of employees can allow unscrupulous team members to steal sensitive information. Leaders can mitigate this risk by keeping close contact with remote team members and monitoring activity on company servers.

He also points to the recent excitement around ChatGPT and other generative artificial intelligence (AI) tools, with many E&U leaders seeing opportunities to augment or even replace areas of their workforce. While exciting and ripe with potential, Chris cautions against entrusting these tools with too much too soon:

• Leaking of proprietary secrets and intellectual property: Many generative AI tools retain a record of all inputs and use that information to train the technology and generate responses. Users should be cautious not to input sensitive information they would not want to be leaked to a competitor or other unauthorized user.
• Opportunities for plagiarism and intellectual fraud: Over-relying on generative AI in the workplace can also make it harder for employers to discern what work was performed by computers and what insights their employees created. While not explicitly a cybersecurity concern, this can form the basis for intellectual property theft and other technology-mediated fraud.

Action items

Given these trends, employers must be more vigilant about protecting intellectual property and sensitive data, including conducting regular risk assessments, complying with relevant legislation, keeping policies and procedures up to date — and providing training on the use of technology.

Following are some key action items and takeaways based on Chris’s conversation with the Flux Capacitor Podcast and cyber security best practices:

1. Conduct regular cybersecurity risk assessments to identify critical assets and potential vulnerabilities, including insider threats.
2. Review cyber security fundamentals, including firewalls, antivirus software, and regular software updates.
3. Provide cybersecurity awareness training to educate employees about spotting and reporting threats.
4. Use multi-factor authentication to enhance password security.
5. Back up critical data offline to prevent unauthorized access and alteration.
6. Consider real-time dark web monitoring to detect and prevent cyber threats.
7. Review cyber security insurance policies to ensure these reflect your current risk profile and coverage requirements.
8. Reassess hybrid and flexible work policies and whether they effectively mitigate cyber concerns.
9. Enforce privacy regulations, leveraging best practices from Europe’s GDPR, Canada’s Law 25, and California's privacy bills to safeguard sensitive data.
10. Monitor for conventional fraud and social engineering attacks in addition to ransomware.

You can listen to the full episode here.