I was recently asked to share thoughts on cyber risk trends from the first quarter of this year. As we wrap up the first three months of 2021, security professionals and business leaders reach the anniversary of one of the most disruptive events in our lives: the COVID-19 pandemic. For the last 12 to 14 months, businesses, governments, and other agencies have raced to keep customers supported, productivity steady, and employees safe as new technologies and work norms entered the mix. This makes a review of first-quarter security data particularly timely and enlightening, as it shows which trends proved most significant. Our team recently published some standout observations from the start of 2021 in a Q1 Security Operations Report, sourced from insights and data from our global threat intelligence and managed detection and response (MDR) operations. Here are five important takeaways from our analysis.
Phishing leads attack techniques.
Phishing remains the top attack vector, accounting for 33% of incidents our team identified. For comparison, malware incidents ranked second at 28%. The phishing statistic is an important reminder that familiar tradecraft in cybercrime, like sending phony emails or running stolen credentials against targets looking for a match, seldom changes. Criminals will not abandon timeless, productive techniques until they are forced to do so. What does change frequently are the social-engineering lures pegged to news, emergencies, and other topics of the day. For example, the FBI warns that the last year, shaped by the pandemic, was full of phishing and fraud attacks built on government-themed lures, such as stimulus programs, unemployment scams, and tax issues. Last year, our team predicted this theme of attacks as the pandemic first set in. Because attackers adapt their phishing lures quickly and deliver them through increasingly commingled work/life email, text messages, social media, and other channels, this threat will remain active, and organizations must counter it through both awareness and security controls.
Organizations can be their own worst enemy — particularly in highly disrupted times.
In developing defense strategies, it is easy to overfocus on “what-if” attack scenarios built around external actors trying to break in. However, our team saw cloud and other system misconfigurations — occurring at scale — becoming a major breach vector and incident magnet. Human error is inevitable, and this is not a new problem. However, when you consider how many new cloud, collaboration, automation, and remote-work IT shifts organizations have made during the pandemic, it is easy to see why oversharing files or mistakenly leaving data or devices poorly protected is an acute problem. We concur with experts at IBM who attributed 19% of breaches to compromised credentials and another 19% to misconfigurations. In other words, in almost half of the cases, an attacker did not need to invent or break anything; they could simply discover an exposed entryway or recycle a set of stolen or discovered passwords.
Ransomware battles come down to who keeps (domain) control.
High-profile ransomware attacks are detrimental for boards, C-suite leaders, cybersecurity professionals, and each of us as individuals — especially if we are suddenly unable to access a given store, school, hospital, or government agency due to an attack. Ransomware is intended to paralyze all operations until the ransom is paid out.
Massive attention is placed on how ransomware enters a network, such as via malicious attachments or third-party partners — and that rightfully pushes for tougher cybersecurity policy enforcement and tools. However, we see too little attention paid to the state of organizations’ domain controllers, the IT component that acts as the central nervous system for managing an organization’s networks and devices. Once ransomware operators capture your domain controller, recovery becomes extremely difficult, leaving executives having to at least entertain the scenario of paying a ransom.
Conversely, organizations focusing ransomware preparedness on their domain controllers and how they will protect them at all costs have better outcomes in the event of an attack because they maintain the ability to isolate and restore affected systems.
The takeaway here is to invest in comprehensive 24/7 monitoring of all endpoints, networks, and device and application logs, and to minimize third-party access to your systems and data. But since you should assume you will not be able to block 100% of ransomware at these entry points, proficient alert management is critical if an organization’s domain controller is to survive.
New privacy laws are putting the pressure on organizations.
Passed by state voters in November 2020, the California Privacy Rights Act will replace and expand upon the California Consumer Privacy Act by adding a layer of complexity that aims to strengthen consumer privacy requirements. Companies will need to give individuals special notice if they plan to collect or use any sensitive personal information, while individuals will be able to request that these companies stop selling, sharing, and using their information.
As the old adage states, “As California goes, so goes the nation.” Privacy laws are expected to surface in other states. In Virginia, for example, lawmakers have passed the Consumer Data Protection Act, which enforces similar measures relating to the minimization of personal data collection, the processing and oversight of personal data, and the implementation of security controls.
The net takeaway for security teams and risk managers is that incident response and breach notifications are increasingly high-stakes games. It used to be that health care, financial services, and other specific, heavily regulated industries had the most to lose. Yet, today most companies that do business with California and Virginia are likely to fall under the jurisdiction of these privacy laws governing how data can and cannot be used and, in some cases, what must happen in the event of a breach. This needs to be more than just a caveat in security briefings and should ultimately help shape more unified and strategic decisions about how businesses use our information and secure our data.
MDR accelerates anticipation and defense capabilities.
Organizations are struggling to keep up with costly cybersecurity tools and processes, as a lack of talent and an increasingly complex threat environment continue to erode their cybersecurity defenses. To offload these burdens to an outside security-as-a-service team, they are turning to partnerships with MDR providers. A strong MDR partner will monitor networks around the clock and launch mitigation and prevention measures when it detects malicious activity. The more advanced providers offer threat hunting and response services, which combine the latest technologies, machine/human intelligence (or authentic intelligence), and expertise to stay one step ahead of attackers.
For many companies, MDR simply makes good business sense, which is why one-half of organizations are expected to use MDR services to contain threats by 2025, according to Gartner.
Tapping outside firms for security defenses is not a new concept. However, the major shift in recent years — and underscored in Q1 this year — is that companies need additional assistance to fill a critical gap by outsourcing security management. Cyber risk is too intrinsic to every business and to every manager’s, executive’s, and investor’s respective role today. An MDR partner is invaluable in times of crisis, but between incidents its further value comes from bringing advanced cyber skills, objective eyes on data, and disciplined decision-making, so that relentless change factors like new technologies, hybrid workforces, and business transformation do not knock companies off their risk tolerance footing.
It’s understandable if organizations feel overwhelmed in keeping up with the wealth of phishing attacks, domain controller incidents, and human errors that could compromise their networks and data. That’s why they shouldn’t feel obligated to go it alone. By partnering with an MDR service, CISOs can more effectively navigate these choppy waters and stay ahead of the latest threat methods and trends of today and tomorrow.
Product Marketing Manager | Pondurance
Monique is a Product Marketing Manager and has worked in cyber security roles for more than 5 years. Prior to joining Pondurance, Monique worked with Truyo powered by Intel®, specializing in data privacy rights automation and consent management and was a product and channel marketing specialist at SiteLock. Monique has a passion for cyber security and leveraging her knowledge to create better experiences for consumers and businesses throughout their customer journey. Outside of cyber security, Monique loves photography and taking pictures of the beautiful Arizona sunsets and landscape.