THE LENS
Digital developments in focus

Cyber threats evolving as a result of new technologies, warns ICO

Cyber attacks are happening more frequently and will become increasingly sophisticated thanks to new technologies – organisations need to react accordingly.

This was the message from the ICO in their report entitled “Learning from the mistakes of others” published earlier this month. The report examined current trends and future developments for five different types of cyber attack – phishing, brute force attacks, denial of service attacks, human error and supply chain attacks.  For each the conclusion was clear: organisations need to ensure their cyber security measures are sufficient to meet the increasing threat posed by these forms of attack.

Phishing 

In the report the ICO illustrates that phishing attacks are on the rise, with 91% of UK companies surveyed by Proofpoint reporting a phishing attack in 2022.

The ICO is concerned that generative AI could increase the prevalence and severity of phishing attacks. Criminals could use generative AI programs to efficiently produce high-quality, tailored phishing messages which are indistinguishable from genuine communications. Consequently, the ICO recommends organisations implement and continuously review layered controls and mitigations to protect against this growing danger. 

Brute force attacks 

In a similar vein, the ICO highlighted the increased prevalence of brute force attacks, where criminals run high volumes of potential passwords to guess the actual combination. Research from Microsoft cited in the report suggests that there were 11,000 brute force attacks per second in April 2023, and a ten-fold increase in attacks from 2022 to 2023. The ICO is concerned that quantum computers could be leveraged by criminals to carry out even more, and more effective, brute force attacks. Quantum computers can theoretically run a range of potential password combinations much quicker than a conventional computer, and the fear is they will be able to “crack most current cryptographic methods” (see our recent blog for more information on the quantum risk). As such, it is imperative that organisations keep track of technological developments and ensure that their cyber security procedures are sufficient in light of such advances. 

Denial of service 

The report also focused on the growing frequency of ‘denial of service’ (DoS) attacks, and distributed denial of service (DDoS) attacks (where a network of connected devices is used to direct large amounts of traffic through a website or network to overwhelm it). It notes that an average of 1,700 DDoS attacks per day were reported in 2023.

While these attacks have been prevalent for many years now, the ICO anticipates that machine learning technologies will help cyber criminals deploy more sophisticated attacks. Thankfully, such technologies will also enhance defences against such attacks, and the ICO therefore suggests that organisations consider investing in novel DoS prevention technologies. 

Human error

Human error – specifically the misconfiguration of security settings – was highlighted as “one of the most significant risks” which can contribute to a cyber attack. A Verizon report quoted by the ICO found that 74% of cyber breaches in 2023 were caused by a human element, with 21% of these breaches due to misconfiguration errors.

As organisations continue to expand their digital estates, they will face more points of potential vulnerability and an increasing chance of error or misconfiguration. The adoption of AI only compounds this issue. It is therefore more important than ever for organisations to implement ‘security by design’ principles when they are developing or purchasing software. Developments around streamlining and automating development approaches (where security controls are often embedded from the start) and human centric security design should also be monitored. 

Supply chain attacks 

Finally, the ICO suggests that criminals are increasingly seeking to exploit vulnerabilities in the technology provided to businesses by third parties. Argon Security reported that supply chain attacks increased by more than 300% following COVID-19 and Gartner suggests that 45% of organisations worldwide will have suffered an attack on their software supply chain by 2025. 

Interestingly, while we often hear about service providers being the weak link in the supply chain, the ICO’s report also focuses on digital supply chain attacks (where malicious code is inserted into a programming library used by software developers) and hardware supply chain attacks – for example compromised chips or circuit boards.

The ICO stresses that conventional mitigations against such attacks – such as maintaining a robust supply chain risk management programme and testing any third party developed systems – remain essential. Moving forward however, it again emphasised the importance of organisations adopting a ‘security by design’ approach to software development, suggesting that a DevSecOps model should become the norm. 

Conclusion

The ICO is clear that criminals will use new technologies to develop more dangerous and sophisticated cyber threats, but also that those same technologies can be leveraged to combat the increased risk. It is imperative therefore that organisations continue to review their cyber security measures and ensure that they evolve to meet the novel threats which new technologies will create.   

