According to a Tuesday report by Forrester, increasing B2B fraud, complacency in cyber insurance, and governance gaps in the work-from-anywhere model are among the top cybersecurity threats businesses face in 2022.
On the B2B fraud front, the company noted that fraudsters are no longer simply impersonating people, but creating fictitious organizations and businesses to defraud financial institutions, insurers, e-commerce retailers, automakers, healthcare providers and others.
These shell organizations then “employ” fraudsters who mainly defraud victim financial institutions, it continued. This scheme is relevant not only to fraud but also to money laundering, making life even more difficult for investigators and compliance departments.
“While these schemes have been around for at least a decade,” it explained, “we are seeing fraudsters shift to B2B modes of operation on a much larger scale than before, as businesses improve their protections against B2C fraud.”
“The shift from identity theft to creating fake organizations is an evolutionary step in this type of fraud,” Tim Erlin, vice president of product management and strategy at Tripwire, a cybersecurity threat detection and prevention company in Portland, Oregon, told TechNewsWorld. “It will also require evolutionary changes in security controls to mitigate the threat.”
The rise in B2B fraud is tied to the way companies do business with each other, added Bojan Simic, CEO of Hypr, a passwordless solutions company in New York. “Traditionally,” he told TechNewsWorld, “there hasn’t been as much emphasis, in terms of cybersecurity, between companies to make sure the companies they’re dealing with have put in place appropriate checks.”
No substitute for security checks
In the area of insurance, Forrester explained that the growth of ransomware attacks from 2019 and a series of supply chain incidents in 2021 led companies to buy or increase their cybersecurity coverage.
As policy losses mounted, carriers rushed to tighten underwriting policies, as well as raise premiums by an average of 25% and, in some cases, remove coverage for certain types of attacks. This has led to an awakening in boardrooms.
“What security leaders have known for a long time, but senior executives and boards have just learned, is that without a risk mitigation strategy and investment in security program maturity, relying solely on cyber insurance is a threat to the organization,” Forrester noted.
“Cyber insurance is a tool for protection, but organizations often think of it as their get-out-of-jail card,” observed James McQuiggan, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Florida.
“Being involved in a cyberattack that results in a data breach or leak can damage an organization’s brand and reputation, leading to lost profits and possibly job loss,” he told TechNewsWorld.
Chris Hills, chief security strategist for BeyondTrust, a maker of privileged account management and vulnerability management solutions, said there was a time before Covid when cyber insurance was used as a palliative for a lack of appropriate security controls. But today, with the adoption of the Ransomware Supplemental Addendum/Application (RSA), brokers are holding companies accountable for their security checks.
“If companies can’t provide and prove positive responses in the nine categories outlined in the RSA, brokers won’t even respond with a quote,” he told TechNewsWorld. “Companies now have to prove more today than two years ago what they are doing in terms of security controls to even keep their current cyber insurance or obtain new coverage.”
Era drawing to a close
Garret Grajek, CEO of YouAttest, an identity audit company, in Irvine, Calif., agreed that cyber insurance is not an alternative to good IT security practices.
“In fact,” he told TechNewsWorld, “insurance is moving in the direction of an enforcer of improved identity and network security practices and procedures. Companies either need to improve their governance over their IT assets and data, or expect to walk on their own in the event of a hack. The days of cyber insurance covering mismanaged IT security practices are rapidly coming to an end.”
“Insurers are taking a much more active role in determining a potential customer’s true cyber risk quality,” added Shawn Melito, chief revenue officer at BreachQuest, an incident response company in Augusta, Georgia.
“Those without MFA, segmented backups, employee training, IRP, endpoint monitoring, or any number of other cybersecurity controls will have a hard time securing coverage,” he continued, “and that’s if you haven’t had a claim.”
“I’ve heard that organizations that have had issues in a previous year find renewal very difficult, which is unfortunate as most are in a better position to deal with cyber risk after the incident,” he said.
Threat of work from anywhere
Forrester also called the work-from-anywhere trend a major threat in 2022. It explained that a work-anywhere model provides an opportunity to create new types of sensitive data. This includes data that employees create and store in cloud services and applications that are both sanctioned and unsanctioned by the company.
It includes data in various formats, from files to communications to collaboration and messaging apps, the report continues. These digital conversations include chats, video and audio calls. Nor are they necessarily ephemeral. It’s never been easier for employees to record a virtual meeting, transcribe its content, and access messages containing regulated data or sensitive company information.
“Organizations typically struggle to track their data, and this is compounded in a work-from-home environment where corporate data could leak across the home network, making it very difficult to assess the risk of data leakage,” explained Snehal Antani, co-founder and CEO of Horizon3, a standalone SaaS penetration testing company, in San Francisco.
“Additionally,” he told TechNewsWorld, “threat actors are targeting not only corporate VPNs, but also poorly secured home network equipment and family members’ social engineering to get initial access.”
“There is also an increased likelihood of home network credentials being reused on their Netflix or gaming accounts, leading to a much higher likelihood of credential attacks,” he added.
In its report, Forrester informed security professionals that the days of using a cybersecurity breach or threat to gain the attention of management and the board are over. On the contrary, security teams are distracted by focusing on breaking news. It recommended CISOs consider the biggest cybersecurity threats to their organizations based on strategy, infrastructure, and key business decisions.