The cyber-threat landscape: The digital rush left many exposed

As companies rushed to adapt to pandemic-inspired changes in work and business models, many seem to have left security behind. Half or more of the CISOs and CIOs in our survey say they haven’t fully mitigated the risks associated with remote work (50%), digitization (53%) or cloud adoption (54%). 

Securing remote work is still in progress. Seventy percent of organizations relied on a password-centric authentication approach as of March 2020 — even with advances in biometrics, multi-factor authentication (MFA) and tokenization. Meanwhile, employees — especially those of the millennial generation (51%) and generation Z (45%) admit to using applications and programs on their work devices that their employer has expressly prohibited. Remote work has pushed the edge of the organization to common home devices that are not hardened to the same degree as corporate networks. 

Employees behind the keyboard can be unwitting participants to data breaches: 85% of breaches in 2020 involved a human element, according to Verizon’s 2021 Data Breach Investigations Report. Phishing accounts for the large majority of breaches via social engineering, with cloud-based email servers being a target of choice.    

Securing digitization has become a catch-up game, as the pace of development accelerates. Fifty-seven percent of 4,300 developers and managers told the open DevOps platform GitLab that they’re releasing code twice as fast as ever before. A year ago, only 35% said this. Nineteen percent said their code goes out ten times faster.

DevOps has clearly become more agile to support business needs. But where are the DevSecOps? Are companies striking the right balance between speed to market, agility in operations, and security and privacy? 

Cloud security is another major concern — and by failing to address it, businesses are hurting themselves. In PwC’s inaugural US Cloud Business Survey of 524 C-suite executives, 53% told us they aren’t getting the full value from the cloud. 

An important reason why: Companies don’t always take into account the unique security risks cloud adoption poses — or they don’t consider these risks early enough to reap the full benefits of cloud and avoid extra costs.

Hackers lost no time exploiting the veritable explosion in attack vectors that came with increased connections, devices, applications and data. At least half of organizations reported getting hit by malware via software update (54%), attacks on software supply chain (51%) and business email compromise (50%). 

How prepared were they for the incidents they experienced in the last 15 months? Only 55% or fewer of victims said they were “well prepared” to address the breaches — meaning 45% weren’t.

Software supply chain security is now getting CEO and board attention. Companies run on code developed in-house, taken from open source and/or bought from tech vendors — in an ecosystem that runs on trust. 

In late 2020, businesses became aware of an espionage campaign that successfully planted malware inside a software update months before activating the malware. In the second half of 2021, 64% of our survey respondents expect reportable software supply chain attacks to increase while 66% predict a rise in reportable malware-via-software-update incidents.

Ransomware is where CISOs and CIOs expect the biggest jump in reportable incidents — a prediction that has already been borne out within a month of our survey’s close. Ransomware criminals are multiplying, attracting new cyber talent, innovating malware, and acting with impunity.

Ransomware demands — and payments — are on the rise. Attackers now commonly charge one sum to provide a digital key to unlock files and servers they’ve encrypted, and a separate ransom to not release any data they’ve stolen. In the US, Canada and Europe, the highest ransom payment doubled to $10 million in 2020, a record quickly toppled in March 2021 with news of a $40 million payment.

Mobile and internet-of-things technologies along with the cloud are expected to be the fastest-growing threat vectors. Many CISOs and CIOs (29%) expect coordinated, organized nation-state attacks to surge this year. Cybercriminals edge out nation states as top threat actors among 31% of respondents. 

Nation-state sponsored cyber attacks have long been with us, and they’ve made for gripping stories in books like Countdown to Zero Day, The Cuckoo’s Egg, Sandworm and book-turned-to film The Perfect Weapon. But the scale and scope of these campaigns in 2020-2021 are commanding US business leaders’ attention as never before. 

Foreign adversaries attack not just our country’s military and federal government agencies but our banks, hospitals, gas pipelines, power plants, food supply and major businesses. The number of organizations successfully hit speaks volumes about how much work remains to be done to respond to these threats. 

Methods favored by nation-state adversaries vary depending on their geopolitical and financial objectives. Traditional espionage campaigns are after information and communications. One nation-state adversary aims to enhance its power by degrading that of the US. A few nation-state adversaries steal intellectual property for commercialization or to advance their national industry champions. Others seek to access operations and wreak havoc in critical systems. 

Sometimes the interests of cybercriminals intersect with nation states. Many ransomware criminal groups operate with at least tacit protection of their home government. It’s all too common for US law enforcement authorities to identify, sanction and indict ransomware criminals in other countries to little effect. Home countries rarely cooperate. They may even work against holding the criminals responsible, instead co-opting them into the state. And they would sometimes issue competing extradition rules to get their citizens back home.